Windows Analysis Report
yEB1xvr2rZ.exe

Overview

General Information

Sample name: yEB1xvr2rZ.exe
renamed because original name is a hash value
Original sample name: 086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
Analysis ID: 1447455
MD5: 7e488e4928dd33d8aaf738da2baaba46
SHA1: 6caa45286b4f92555cb4cb5f2ff8ccdb37e09a1e
SHA256: 086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529
Tags: exe, lockbit

Detection

LockBit ransomware
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
AI detected suspicious sample
Changes the wallpaper picture
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Deletes itself after installation
Found Tor onion address
Found potential ransomware demand text
Hides threads from debuggers
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • yEB1xvr2rZ.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\yEB1xvr2rZ.exe" MD5: 7E488E4928DD33D8AAF738DA2BAABA46)
    • 9BAE.tmp (PID: 4588 cmdline: "C:\ProgramData\9BAE.tmp" MD5: 294E9F64CB1642DD89229FFF0592856B)
      • cmd.exe (PID: 1508 cmdline: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9BAE.tmp >> NUL MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"URL": "http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion", "Ransom Note": "\r\n~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~\r\n\r\n>>>>> Your data is stolen and encrypted.\r\n\r\nBLOG Tor Browser Links:\r\nhttp://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/\r\nhttp://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/\r\nhttp://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/\r\nhttp://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/\r\nhttp://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/\r\nhttp://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/\r\nhttp://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/\r\n\r\n>>>>> What guarantee is there that we won't cheat you? \r\nWe are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live\r\n \r\n>>>>> You need to contact us on TOR darknet sites with your personal ID\r\n\r\nDownload and install Tor Browser https://www.torproject.org/\r\nWrite to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. 
Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.\r\n\r\nTor Browser personal link for CHAT available only to you (available during a ddos attack): \r\nhttp://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion\r\n\r\nTor Browser Links for CHAT (sometimes unavailable due to ddos attacks):\r\nhttp://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion\r\nhttp://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion\r\nhttp://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion\r\nhttp://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion\r\nhttp://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion\r\nhttp://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion\r\nhttp://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion\r\n\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>> Your personal Black ID: ED45A38511580A646D8B6D41359938A6 <<\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n\r\n>>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files!\r\n\r\n>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. "}
Source | Rule | Description | Author | Strings
yEB1xvr2rZ.exe | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |
yEB1xvr2rZ.exe | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
  • 0x1a21d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4b0:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

Source | Rule | Description | Author | Strings
C:\$WinREAgent\Scratch\gqtDmx4Hj.README.txt | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |
00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
  • 0x1a41d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0xb0:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |
00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |
00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |

Source | Rule | Description | Author | Strings
0.0.yEB1xvr2rZ.exe.30000.0.unpack | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |
0.0.yEB1xvr2rZ.exe.30000.0.unpack | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
  • 0x1a21d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4b0:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
0.2.yEB1xvr2rZ.exe.30000.0.unpack | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |
0.2.yEB1xvr2rZ.exe.30000.0.unpack | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
  • 0x1a21d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4b0:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

System Summary

Source: Registry Key set | Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ) | Data: Details: C:\ProgramData\gqtDmx4Hj.bmp, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\yEB1xvr2rZ.exe, ProcessId: 6980, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\WallPaper
No Snort rule has matched

AV Detection

Source: yEB1xvr2rZ.exe | Avira: detected
Source: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ | Avira URL Cloud: Label: malware
Source: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ | Avira URL Cloud: Label: malware
Source: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ | Avira URL Cloud: Label: malware
Source: C:\ProgramData\9BAE.tmp | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: gqtDmx4Hj.README.txt4.0.dr | Malware Configuration Extractor: Lockbit
Source: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ | Virustotal: Detection: 5%
Source: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ | Virustotal: Detection: 9%
Source: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ | Virustotal: Detection: 5%
Source: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ | Virustotal: Detection: 7%
Source: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ | Virustotal: Detection: 11%
Source: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ | Virustotal: Detection: 5%
Source: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ | Virustotal: Detection: 6%
Source: C:\ProgramData\9BAE.tmp | ReversingLabs: Detection: 83%
Source: C:\ProgramData\9BAE.tmp | Virustotal: Detection: 82%
Source: yEB1xvr2rZ.exe | Virustotal: Detection: 77%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.7% probability
Source: yEB1xvr2rZ.exe | Joe Sandbox ML: detected
Source: yEB1xvr2rZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Videos\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Searches\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Saved Games\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Recent\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Pictures\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Pictures\Saved Pictures\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Pictures\Camera Roll\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\OneDrive\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Music\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Links\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Favorites\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Favorites\Links\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Downloads\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Documents\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Documents\ZSSZYEFYMU\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Documents\YPSIACHYXW\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Documents\VLZDGUKUTZ\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Documents\TQDGENUHWP\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Documents\ONBQCLYSPU\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Documents\NWTVCDUMOB\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Desktop\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Desktop\ZSSZYEFYMU\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Desktop\YPSIACHYXW\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Desktop\VLZDGUKUTZ\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Desktop\TQDGENUHWP\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Desktop\ONBQCLYSPU\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Desktop\NWTVCDUMOB\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\Contacts\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\3D Objects\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\Users\user\.ms-ad\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\$WinREAgent\gqtDmx4Hj.README.txt
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | File created: C:\$WinREAgent\Scratch\gqtDmx4Hj.README.txt
Source: yEB1xvr2rZ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | Code function: 0_2_00039400 FindFirstFileExW,FindClose,0_2_00039400
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | Code function: 0_2_000394DC FindFirstFileExW,GetFileAttributesW,FindNextFileW,FindClose,0_2_000394DC
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | Code function: 0_2_00040DD4 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00040DD4
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | Code function: 0_2_00037AA0 FindFirstFileW,FindClose,FindNextFileW,FindClose,0_2_00037AA0
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | Code function: 0_2_0003BEB4 FindFirstFileExW,FindClose,0_2_0003BEB4
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | Code function: 0_2_0003932C FindFirstFileExW,FindNextFileW,0_2_0003932C
Source: C:\ProgramData\9BAE.tmp | Code function: 3_2_0040227C FindFirstFileExW,3_2_0040227C
Source: C:\ProgramData\9BAE.tmp | Code function: 3_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,3_2_0040152C
Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe | Code function: 0_2_0003C290 GetLogicalDriveStringsW,0_2_0003C290

Networking
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt4.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt17.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt5.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt1.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt29.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt14.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt12.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt32.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt27.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt11.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt20.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt31.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt31.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt31.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt31.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt31.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt16.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt7.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt15.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: gqtDmx4Hj.README.txt21.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: gqtDmx4Hj.README.txt9.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.dr, gqtDmx4Hj.README.txt23.0.dr, gqtDmx4Hj.README.txt.0.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.dr, gqtDmx4Hj.README.txt23.0.dr, gqtDmx4Hj.README.txt.0.dr, gqtDmx4Hj.README.txt2.0.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.dr, gqtDmx4Hj.README.txt23.0.dr, gqtDmx4Hj.README.txt.0.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.dr, gqtDmx4Hj.README.txt23.0.dr, gqtDmx4Hj.README.txt.0.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.dr, gqtDmx4Hj.README.txt23.0.dr, gqtDmx4Hj.README.txt.0.dr, gqtDmx4Hj.README.txt2.0.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1612643477.0000000000772000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1605088995.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.drString found in binary or memory: http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.dr, gqtDmx4Hj.README.txt23.0.dr, gqtDmx4Hj.README.txt.0.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1612643477.0000000000772000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1605088995.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.drString found in binary or memory: http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1612643477.0000000000772000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1605088995.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.drString found in binary or memory: http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1612643477.0000000000772000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1605088995.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.drString found in binary or memory: http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.dr, gqtDmx4Hj.README.txt23.0.dr, gqtDmx4Hj.README.txt.0.dr, gqtDmx4Hj.README.txt2.0.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1612643477.0000000000772000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1605088995.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.drString found in binary or memory: http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1612643477.0000000000772000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1605088995.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.drString found in binary or memory: http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1612643477.0000000000772000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1605088995.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.drString found in binary or memory: http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/hashtag/lockb
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1605088995.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.dr, gqtDmx4Hj.README.txt23.0.drString found in binary or memory: https://twitter.com/hashtag/lockbit?f=live
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, gqtDmx4Hj.README.txt4.0.dr, gqtDmx4Hj.README.txt17.0.dr, gqtDmx4Hj.README.txt5.0.dr, gqtDmx4Hj.README.txt1.0.dr, gqtDmx4Hj.README.txt29.0.dr, gqtDmx4Hj.README.txt14.0.dr, gqtDmx4Hj.README.txt12.0.dr, gqtDmx4Hj.README.txt32.0.dr, gqtDmx4Hj.README.txt27.0.dr, gqtDmx4Hj.README.txt11.0.dr, gqtDmx4Hj.README.txt20.0.dr, gqtDmx4Hj.README.txt31.0.dr, gqtDmx4Hj.README.txt0.0.dr, gqtDmx4Hj.README.txt25.0.dr, gqtDmx4Hj.README.txt33.0.dr, gqtDmx4Hj.README.txt13.0.dr, gqtDmx4Hj.README.txt23.0.dr, gqtDmx4Hj.README.txt.0.dr, gqtDmx4Hj.README.txt2.0.dr, gqtDmx4Hj.README.txt22.0.drString found in binary or memory: https://www.torproject.org/

                          Spam, unwanted Advertisements and Ransom Demands

                          Source: C:\Users\user\Desktop\NWTVCDUMOB\gqtDmx4Hj.README.txt
                          Dropped file:
                          ~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~
                          >>>>> Your data is stolen and encrypted.
                          BLOG Tor Browser Links:
                          >>>>> What guarantee is there that we won't cheat you?
                          We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live
                          >>>>> You need to contact us on TOR darknet sites with your personal ID
                          Download and install Tor Browser https://www.torproject.org/
                          Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you.
                          Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.
                          Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
                          Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks):
                          >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Your personal Black ID: ED45A38511580A646D8B6D41359938A6 <<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decr
                          Source: Yara match, File source: yEB1xvr2rZ.exe, type: SAMPLE
                          Source: Yara match, File source: 0.0.yEB1xvr2rZ.exe.30000.0.unpack, type: UNPACKEDPE
                          Source: Yara match, File source: 0.2.yEB1xvr2rZ.exe.30000.0.unpack, type: UNPACKEDPE
                          Source: Yara match, File source: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match, File source: 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match, File source: 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match, File source: 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match, File source: 00000000.00000000.1592345976.0000000000031000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match, File source: 00000000.00000003.1608871733.0000000000774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match, File source: Process Memory Space: yEB1xvr2rZ.exe PID: 6980, type: MEMORYSTR
                          Source: Yara match, File source: C:\$WinREAgent\Scratch\gqtDmx4Hj.README.txt, type: DROPPED
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\gqtDmx4Hj.bmp
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: All your important files are stolen and encrypted!
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1669835858.0000000000713000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: All your important files are stolen and encrypted!
                          Source: gqtDmx4Hj.README.txt4.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt17.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt5.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt1.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt29.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt14.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt12.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt32.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt27.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt11.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt20.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt31.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt0.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt25.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt33.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt13.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt23.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt2.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt22.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt18.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt8.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt26.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt19.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt30.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt24.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt6.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt16.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt7.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt15.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt21.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt9.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt28.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt3.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: gqtDmx4Hj.README.txt10.0.dr, String found in binary or memory: >>>>> Your data is stolen and encrypted.
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File moved: C:\Users\user\Desktop\TQDGENUHWP.docx
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File moved: C:\Users\user\Desktop\ZSSZYEFYMU\XZXHAVGRAG.pdf
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File moved: C:\Users\user\Desktop\AIXACVYBSB.xlsx
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File moved: C:\Users\user\Desktop\TQDGENUHWP\ZSSZYEFYMU.xlsx
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File moved: C:\Users\user\Desktop\TQDGENUHWP\NHPKIZUUSG.pdf
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File dropped: C:\Users\user\Desktop\NWTVCDUMOB\gqtDmx4Hj.README.txt -> decryption of files! >>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you.
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File dropped: C:\Users\user\Contacts\gqtDmx4Hj.README.txt -> decryption of files! >>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you.
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File dropped: C:\Users\user\3D Objects\gqtDmx4Hj.README.txt -> decryption of files! >>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you.
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File dropped: C:\Users\user\.ms-ad\gqtDmx4Hj.README.txt -> decryption of files! >>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you.
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File dropped: C:\$WinREAgent\gqtDmx4Hj.README.txt -> decryption of files! >>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you.
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File dropped: C:\$WinREAgent\Scratch\gqtDmx4Hj.README.txt -> decryption of files! >>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you.
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File dropped: C:\Users\user\Desktop\ZSSZYEFYMU\gqtDmx4Hj.README.txt -> decryption of files! >>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you.
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File dropped: C:\Users\user\Videos\gqtDmx4Hj.README.txt -> decryption of files! >>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you.
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File dropped: C:\Users\user\Searches\gqtDmx4Hj.README.txt -> decryption of files! >>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you.
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File dropped: C:\Users\user\Saved Games\gqtDmx4Hj.README.txt -> decryption of files! >>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you.
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\yEB1xvr2rZ.exe entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\AAAAAAAAAAAAAA (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\BBBBBBBBBBBBBB (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\CCCCCCCCCCCCCC (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\DDDDDDDDDDDDDD (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\EEEEEEEEEEEEEE (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\FFFFFFFFFFFFFF (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\GGGGGGGGGGGGGG (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\HHHHHHHHHHHHHH (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\IIIIIIIIIIIIII (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\JJJJJJJJJJJJJJ (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\KKKKKKKKKKKKKK (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\LLLLLLLLLLLLLL (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\MMMMMMMMMMMMMM (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\NNNNNNNNNNNNNN (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\OOOOOOOOOOOOOO (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\PPPPPPPPPPPPPP (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\QQQQQQQQQQQQQQ (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\RRRRRRRRRRRRRR (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\SSSSSSSSSSSSSS (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\TTTTTTTTTTTTTT (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\UUUUUUUUUUUUUU (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\VVVVVVVVVVVVVV (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\WWWWWWWWWWWWWW (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\XXXXXXXXXXXXXX (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\YYYYYYYYYYYYYY (copy) entropy: 7.99649190194
                          Source: C:\ProgramData\9BAE.tmp, File created: C:\Users\user\Desktop\ZZZZZZZZZZZZZZ (copy) entropy: 7.99649190194

                          System Summary

                          Source: yEB1xvr2rZ.exe, type: SAMPLE, Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
                          Source: 0.0.yEB1xvr2rZ.exe.30000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
                          Source: 0.2.yEB1xvr2rZ.exe.30000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
                          Source: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
                          Source: 00000000.00000000.1592345976.0000000000031000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003FC5C SetThreadPriority,ReadFile,WriteFile,WriteFile,NtClose,0_2_0003FC5C
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00039C88 NtQuerySystemInformation,Sleep,0_2_00039C88
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003D494 NtQueryInformationToken,0_2_0003D494
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003E0AC CreateFileW,WriteFile,NtClose,WriteFile,WriteFile,WriteFile,0_2_0003E0AC
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_000384CC CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW,0_2_000384CC
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003D554 NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,0_2_0003D554
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003AD98 RtlAdjustPrivilege,NtSetInformationThread,0_2_0003AD98
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003D1E0 NtSetInformationThread,NtClose,0_2_0003D1E0
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003B5FC NtQuerySystemInformation,0_2_0003B5FC
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003E218 CreateFileW,WriteFile,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,SHChangeNotify,NtClose,0_2_0003E218
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003FA44 NtTerminateProcess,0_2_0003FA44
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003D264 NtSetInformationThread,0_2_0003D264
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003D290 NtProtectVirtualMemory,0_2_0003D290
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003B6A4 NtClose,0_2_0003B6A4
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00039EE8 NtQueryDefaultUILanguage,0_2_00039EE8
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00038AFC NtQueryInformationToken,0_2_00038AFC
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00048B04 CreateThread,CreateThread,NtTerminateThread,CreateThread,0_2_00048B04
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00041F84 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtDuplicateObject,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,0_2_00041F84
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003FFD0 CreateThread,NtClose,0_2_0003FFD0
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00040000 CreateThread,NtClose,0_2_00040000
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00039CBA NtQuerySystemInformation,Sleep,0_2_00039CBA
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00039CD3 NtQuerySystemInformation,Sleep,0_2_00039CD3
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003AD96 RtlAdjustPrivilege,NtSetInformationThread,0_2_0003AD96
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003B635 NtQuerySystemInformation,0_2_0003B635
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003B64E NtQuerySystemInformation,0_2_0003B64E
                          Source: C:\ProgramData\9BAE.tmp, Code function: 3_2_00402760 CreateFileW,ReadFile,NtClose,3_2_00402760
                          Source: C:\ProgramData\9BAE.tmp, Code function: 3_2_0040286C NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,3_2_0040286C
                          Source: C:\ProgramData\9BAE.tmp, Code function: 3_2_00403478 SetThreadPriority,WriteFile,SetFilePointerEx,SetEndOfFile,NtClose,3_2_00403478
                          Source: C:\ProgramData\9BAE.tmp, Code function: 3_2_00402F18 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW,3_2_00402F18
                          Source: C:\ProgramData\9BAE.tmp, Code function: 3_2_0040362E GetLogicalDriveStringsW,GetDriveTypeW,CreateThread,NtClose,Sleep,RemoveDirectoryW,3_2_0040362E
                          Source: C:\ProgramData\9BAE.tmp, Code function: 3_2_00401DC2 NtProtectVirtualMemory,3_2_00401DC2
                          Source: C:\ProgramData\9BAE.tmp, Code function: 3_2_004031E0 NtClose,3_2_004031E0
                          Source: C:\ProgramData\9BAE.tmp, Code function: 3_2_00401D94 NtSetInformationThread,3_2_00401D94
                          Source: C:\ProgramData\9BAE.tmp, Code function: 3_2_004016B4 NtAllocateVirtualMemory,NtAllocateVirtualMemory,3_2_004016B4
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_0003C4AC: GetVolumeNameForVolumeMountPointW,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,CreateFileW,DeviceIoControl,0_2_0003C4AC
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00039EE8 0_2_00039EE8
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00037094 0_2_00037094
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00040368 0_2_00040368
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00036B7F 0_2_00036B7F
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Code function: 0_2_00036B84 0_2_00036B84
                          Source: Joe Sandbox View, Dropped File: C:\ProgramData\9BAE.tmp 917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Process token adjusted: Security
                          Source: yEB1xvr2rZ.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: yEB1xvr2rZ.exe, type: SAMPLE, Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
                          Source: 0.0.yEB1xvr2rZ.exe.30000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
                          Source: 0.2.yEB1xvr2rZ.exe.30000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
                          Source: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
                          Source: 00000000.00000000.1592345976.0000000000031000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
                          Source: 9BAE.tmp.0.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: classification engine, Classification label: mal100.rans.evad.winEXE@6/223@0/0
                          Source: C:\ProgramData\9BAE.tmp, Code function: 3_2_004032E8 SetThreadPriority,GetDiskFreeSpaceW,GetDiskFreeSpaceExW,GetTempFileNameW,CreateFileW,DeviceIoControl,CreateIoCompletionPort,3_2_004032E8
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, File created: C:\Users\gqtDmx4Hj.README.txt
                          Source: C:\ProgramData\9BAE.tmp, Mutant created: \Sessions\1\BaseNamedObjects\Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}
                          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_03
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\b43c26a2bc99bb6941bc00f1b170d580
                          Source: C:\ProgramData\9BAE.tmp, File read: C:\Users\user\Desktop\desktop.ini
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: yEB1xvr2rZ.exe, Virustotal: Detection: 77%
                          Source: unknown, Process created: C:\Users\user\Desktop\yEB1xvr2rZ.exe "C:\Users\user\Desktop\yEB1xvr2rZ.exe"
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Process created: C:\ProgramData\9BAE.tmp "C:\ProgramData\9BAE.tmp"
                          Source: C:\ProgramData\9BAE.tmp, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9BAE.tmp >> NUL
                          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: cryptbase.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: userenv.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: wtsapi32.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: rstrtmgr.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: ncrypt.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: ntasn1.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: netapi32.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: wkscli.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: srvcli.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: samcli.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: netutils.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: logoncli.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: activeds.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: adsldpc.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: wininet.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: wsock32.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: mpr.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: gpedit.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: gpapi.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: dssec.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exe, Section loaded: dsuiext.dll
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: framedynos.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: dsrole.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: ntdsapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: authz.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: ntmarta.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: adsldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: sxs.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeSection loaded: textshaping.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: apphelp.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: rstrtmgr.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: ncrypt.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: ntasn1.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: windows.storage.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: wldp.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: uxtheme.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: propsys.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: profapi.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: edputil.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: urlmon.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: iertutil.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: srvcli.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: netutils.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: sspicli.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: wintypes.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: appresolver.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: bcp47langs.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: slc.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: userenv.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: sppc.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
                          Source: C:\ProgramData\9BAE.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32Jump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile written: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.iniJump to behavior
                          Source: yEB1xvr2rZ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Source: yEB1xvr2rZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: yEB1xvr2rZ.exeStatic PE information: real checksum: 0x2f715 should be: 0x2e994
                          Source: 9BAE.tmp.0.drStatic PE information: real checksum: 0x8fd0 should be: 0x4f26
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_0003544F push 0000006Ah; retf 0_2_000354C0
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_00035451 push 0000006Ah; retf 0_2_000354C0
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_000353E7 push 0000006Ah; retf 0_2_000354C0
                          Source: 9BAE.tmp.0.drStatic PE information: section name: .text entropy: 7.985216639497568
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\ProgramData\9BAE.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Videos\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Searches\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Saved Games\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Recent\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Pictures\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Pictures\Saved Pictures\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Pictures\Camera Roll\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\OneDrive\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Music\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Links\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Favorites\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Favorites\Links\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Downloads\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Documents\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Documents\ZSSZYEFYMU\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Documents\YPSIACHYXW\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Documents\VLZDGUKUTZ\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Documents\TQDGENUHWP\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Documents\ONBQCLYSPU\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Documents\NWTVCDUMOB\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Desktop\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Desktop\ZSSZYEFYMU\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Desktop\YPSIACHYXW\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Desktop\VLZDGUKUTZ\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Desktop\TQDGENUHWP\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Desktop\ONBQCLYSPU\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Desktop\NWTVCDUMOB\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\Contacts\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\3D Objects\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\Users\user\.ms-ad\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\$WinREAgent\gqtDmx4Hj.README.txtJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeFile created: C:\$WinREAgent\Scratch\gqtDmx4Hj.README.txtJump to behavior

                          Hooking and other Techniques for Hiding and Protection

                          Source: C:\ProgramData\9BAE.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9BAE.tmp >> NUL
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_0003AFF8 RegCreateKeyExW,RegEnumKeyW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,RegCreateKeyExW,RegEnumKeyW,OpenEventLogW,ClearEventLogW,0_2_0003AFF8
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
                          Source: C:\ProgramData\9BAE.tmpProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
                          Source: C:\ProgramData\9BAE.tmpProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior

                          Malware Analysis System Evasion

                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_000310B0 0_2_000310B0
                          Source: C:\ProgramData\9BAE.tmpCode function: 3_2_00401E28 3_2_00401E28
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_000310B0 rdtsc 0_2_000310B0
                          Source: C:\ProgramData\9BAE.tmp TID: 5052Thread sleep count: 96 > 30Jump to behavior
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\ProgramData\9BAE.tmpFile Volume queried: C:\9F37464C FullSizeInformationJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_00039400 FindFirstFileExW,FindClose,0_2_00039400
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_000394DC FindFirstFileExW,GetFileAttributesW,FindNextFileW,FindClose,0_2_000394DC
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_00040DD4 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00040DD4
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_00037AA0 FindFirstFileW,FindClose,FindNextFileW,FindClose,0_2_00037AA0
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_0003BEB4 FindFirstFileExW,FindClose,0_2_0003BEB4
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_0003932C FindFirstFileExW,FindNextFileW,0_2_0003932C
                          Source: C:\ProgramData\9BAE.tmpCode function: 3_2_0040227C FindFirstFileExW,3_2_0040227C
                          Source: C:\ProgramData\9BAE.tmpCode function: 3_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,3_2_0040152C
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_0003C290 GetLogicalDriveStringsW,0_2_0003C290
                          Source: yEB1xvr2rZ.exe, 00000000.00000003.1642200848.0000000000732000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5k^
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeProcess information queried: ProcessInformationJump to behavior

                          Anti Debugging

                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeThread information set: HideFromDebuggerJump to behavior
                          Source: C:\ProgramData\9BAE.tmpThread information set: HideFromDebuggerJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_000310B0 rdtsc 0_2_000310B0
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_0003789C LdrLoadDll,0_2_0003789C
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeProcess token adjusted: DebugJump to behavior

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeMemory written: C:\ProgramData\9BAE.tmp base: 401000Jump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeProcess created: C:\ProgramData\9BAE.tmp "C:\ProgramData\9BAE.tmp"Jump to behavior
                          Source: C:\ProgramData\9BAE.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9BAE.tmp >> NULJump to behavior
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_000310B0 cpuid 0_2_000310B0
                          Source: C:\ProgramData\9BAE.tmpCode function: EntryPoint,ExitProcess,GetModuleHandleW,GetCommandLineW,GetModuleHandleA,GetCommandLineW,GetLocaleInfoW,GetLastError,FreeLibrary,FreeLibrary,GetProcAddress,CreateWindowExW,DefWindowProcW,GetWindowTextW,LoadMenuW,LoadMenuW,DefWindowProcW,SetTextColor,GetTextCharset,TextOutW,SetTextColor,GetTextColor,CreateFontW,GetTextColor,CreateDIBitmap,SelectObject,GetTextColor,CreateFontW,3_2_00403983
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeCode function: 0_2_00041F84 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtDuplicateObject,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,0_2_00041F84
                          Source: C:\Users\user\Desktop\yEB1xvr2rZ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                          Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                          Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                          Privilege Escalation: 112 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                          Defense Evasion: 1 Masquerading; 11 Virtualization/Sandbox Evasion; 112 Process Injection; 2 Obfuscated Files or Information; 2 Software Packing; 1 Indicator Removal; 1 DLL Side-Loading; 1 File Deletion
                          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                          Discovery: 311 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 1 Process Discovery; 4 File and Directory Discovery; 124 System Information Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
                          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                          Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                          Command and Control: 1 Encrypted Channel; 1 Proxy; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                          Impact: 2 Data Encrypted for Impact; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                          Behavior graph (image not reproduced): Behavior Graph ID: 1447455, Sample: yEB1xvr2rZ.exe, Startdate: 25/05/2024, Architecture: WINDOWS, Score: 100
                          Process chain shown in the graph: yEB1xvr2rZ.exe started 9BAE.tmp, 9BAE.tmp started cmd.exe, cmd.exe started conhost.exe.

                          Source                     Detection   Scanner          Label
                          yEB1xvr2rZ.exe             77%         Virustotal
                          yEB1xvr2rZ.exe             100%        Avira            BDS/ZeroAccess.Gen7
                          yEB1xvr2rZ.exe             100%        Joe Sandbox ML

                          Source                     Detection   Scanner          Label
                          C:\ProgramData\9BAE.tmp    100%        Avira            TR/Crypt.ZPACK.Gen
                          C:\ProgramData\9BAE.tmp    100%        Joe Sandbox ML
                          C:\ProgramData\9BAE.tmp    83%         ReversingLabs    Win32.Trojan.Malgent
                          C:\ProgramData\9BAE.tmp    82%         Virustotal
                          No Antivirus matches
                          No Antivirus matches
                          No contacted domains info
                          No contacted IP infos
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1447455
                          Start date and time:2024-05-25 03:15:07 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 5m 30s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:16
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:yEB1xvr2rZ.exe
                          renamed because original name is a hash value
                          Original Sample Name:086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
                          Detection:MAL
                          Classification:mal100.rans.evad.winEXE@6/223@0/0
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 91
                          • Number of non-executed functions: 5
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, MoUsoCoreWorker.exe, VSSVC.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtEnumerateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
21:16:48 | API Interceptor | 93x Sleep call for process: 9BAE.tmp modified
                          No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\9BAE.tmp | 71p2xmx6rP.exe | malicious | LockBit ransomware
C:\ProgramData\9BAE.tmp | 98ST13Qdiy.exe | malicious | LockBit ransomware
C:\ProgramData\9BAE.tmp | c8JakemodH.exe | malicious | LockBit ransomware
C:\ProgramData\9BAE.tmp | Document.doc.scr.exe | malicious | LockBit ransomware, TrojanRansom
C:\ProgramData\9BAE.tmp | Rcqcps3y45.exe | malicious | LockBit ransomware
C:\ProgramData\9BAE.tmp | LBB.exe | malicious | LockBit ransomware
C:\ProgramData\9BAE.tmp | lockbit_unpacked.exe | malicious | LockBit ransomware
C:\ProgramData\9BAE.tmp | maXk5kqpyK.exe | malicious | LockBit ransomware
C:\ProgramData\9BAE.tmp | maXk5kqpyK.exe | malicious | LockBit ransomware
C:\ProgramData\9BAE.tmp | abc.exe | malicious | LockBit ransomware
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.4644883018342485
                                              Encrypted:false
                                              SSDEEP:3:uZ+rVbuagfeYy48z6Yb/TQK4dvE0RdOQn:uZ+rVb2y4i6OLedddOQ
                                              MD5:FD0ADB8C2B197B0484118AB3C6E7CCB9
                                              SHA1:9D5DA3C4520D53ED6FD8E028592A0E7A058BFC4D
                                              SHA-256:A1765531440A772B590B28553D43F581BA7BD5B8996E0FBC4A34870753EE7764
                                              SHA-512:D133BE7D3A9E97132D0C4A2DF691B2B53D03E32AF6A19F0E3134912A89C3D1E2E861D2B9A9BB57A542D3F6CDCD7D9A2B115C56BC2BCB5B212877D02330BB4402
                                              Malicious:false
                                              Reputation:low
                                              Preview:O...:..{..e .\E.7.....$ks2.2...k.z..@..I..n.)8.,.Ay..Z}....iD..w..Z.(5.K..~..1.5........U... .^n....?&."F........GxZK$N...+.F
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.4644883018342485
                                              Encrypted:false
                                              SSDEEP:3:uZ+rVbuagfeYy48z6Yb/TQK4dvE0RdOQn:uZ+rVb2y4i6OLedddOQ
                                              MD5:FD0ADB8C2B197B0484118AB3C6E7CCB9
                                              SHA1:9D5DA3C4520D53ED6FD8E028592A0E7A058BFC4D
                                              SHA-256:A1765531440A772B590B28553D43F581BA7BD5B8996E0FBC4A34870753EE7764
                                              SHA-512:D133BE7D3A9E97132D0C4A2DF691B2B53D03E32AF6A19F0E3134912A89C3D1E2E861D2B9A9BB57A542D3F6CDCD7D9A2B115C56BC2BCB5B212877D02330BB4402
                                              Malicious:false
                                              Reputation:low
                                              Preview:O...:..{..e .\E.7.....$ks2.2...k.z..@..I..n.)8.,.Ay..Z}....iD..w..Z.(5.K..~..1.5........U... .^n....?&."F........GxZK$N...+.F
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.4644883018342485
                                              Encrypted:false
                                              SSDEEP:3:uZ+rVbuagfeYy48z6Yb/TQK4dvE0RdOQn:uZ+rVb2y4i6OLedddOQ
                                              MD5:FD0ADB8C2B197B0484118AB3C6E7CCB9
                                              SHA1:9D5DA3C4520D53ED6FD8E028592A0E7A058BFC4D
                                              SHA-256:A1765531440A772B590B28553D43F581BA7BD5B8996E0FBC4A34870753EE7764
                                              SHA-512:D133BE7D3A9E97132D0C4A2DF691B2B53D03E32AF6A19F0E3134912A89C3D1E2E861D2B9A9BB57A542D3F6CDCD7D9A2B115C56BC2BCB5B212877D02330BB4402
                                              Malicious:false
                                              Reputation:low
                                              Preview:O...:..{..e .\E.7.....$ks2.2...k.z..@..I..n.)8.,.Ay..Z}....iD..w..Z.(5.K..~..1.5........U... .^n....?&."F........GxZK$N...+.F
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.4644883018342485
                                              Encrypted:false
                                              SSDEEP:3:uZ+rVbuagfeYy48z6Yb/TQK4dvE0RdOQn:uZ+rVb2y4i6OLedddOQ
                                              MD5:FD0ADB8C2B197B0484118AB3C6E7CCB9
                                              SHA1:9D5DA3C4520D53ED6FD8E028592A0E7A058BFC4D
                                              SHA-256:A1765531440A772B590B28553D43F581BA7BD5B8996E0FBC4A34870753EE7764
                                              SHA-512:D133BE7D3A9E97132D0C4A2DF691B2B53D03E32AF6A19F0E3134912A89C3D1E2E861D2B9A9BB57A542D3F6CDCD7D9A2B115C56BC2BCB5B212877D02330BB4402
                                              Malicious:false
                                              Reputation:low
                                              Preview:O...:..{..e .\E.7.....$ks2.2...k.z..@..I..n.)8.,.Ay..Z}....iD..w..Z.(5.K..~..1.5........U... .^n....?&."F........GxZK$N...+.F
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.4644883018342485
                                              Encrypted:false
                                              SSDEEP:3:uZ+rVbuagfeYy48z6Yb/TQK4dvE0RdOQn:uZ+rVb2y4i6OLedddOQ
                                              MD5:FD0ADB8C2B197B0484118AB3C6E7CCB9
                                              SHA1:9D5DA3C4520D53ED6FD8E028592A0E7A058BFC4D
                                              SHA-256:A1765531440A772B590B28553D43F581BA7BD5B8996E0FBC4A34870753EE7764
                                              SHA-512:D133BE7D3A9E97132D0C4A2DF691B2B53D03E32AF6A19F0E3134912A89C3D1E2E861D2B9A9BB57A542D3F6CDCD7D9A2B115C56BC2BCB5B212877D02330BB4402
                                              Malicious:false
                                              Reputation:low
                                              Preview:O...:..{..e .\E.7.....$ks2.2...k.z..@..I..n.)8.,.Ay..Z}....iD..w..Z.(5.K..~..1.5........U... .^n....?&."F........GxZK$N...+.F
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.547859522781251
                                              Encrypted:false
                                              SSDEEP:3:nGFtdHgZu91jUzIORyyrdWy3pLD4a3XOlrDQ7qn:nU2Q9iyEWye3x07q
                                              MD5:19D9EAD0E4A505335FF91A5B6312591A
                                              SHA1:31024F88942D06AC928C6C72B969F6955DD1FA05
                                              SHA-256:51BFC614E8CE9A44F2B421A45A8D5AA333D69AAA4372E2685DDEAA55A8D569A5
                                              SHA-512:4546915929150E6B46B8891778FA552697DD6ABAC258EF5A264AE1C7AA6BC4CD20E9BEA8691952AE10E017D95C2744D9C3A166DB7576E264F131AAFC54BACAED
                                              Malicious:false
                                              Preview:z.m.5.*...C. M. ^L.......G`2<.u .R.}p.R...vp.a>F1-...4..A..j....`...W.s.......8.D.....C...?]..n.i..fR....._....&W....sw...
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):129
                                              Entropy (8bit):6.664290143003372
                                              Encrypted:false
                                              SSDEEP:3:VcQeOwSkHNV3N/P+jshoKD7cMO4NI0AcNg/XBwANn:VcQeOwjtFY4L7cMO4NI05Ng/Rjn
                                              MD5:A4CB56B281D3DB2CA7D387FAC6908DEE
                                              SHA1:BE3B8903DD5DE5D620B2CCD28C299D89BD8E8029
                                              SHA-256:31ECB11A89633A4D0B62DFFE682A1E3E4124865FDC8DB7D75D7111DD60CBBB7B
                                              SHA-512:02C739F5B1BA2A0D52CE254C589FEA9BEDB55D209B42BC65C3DEDE6F5547F6AB9404F413A6C97EB599354BDEA3012C4CFB28A2E93683FEB91623E7832EE11488
                                              Malicious:false
                                              Preview:M.?E]...nZ<...................r;&.?.$..&j..2.9.5=B.....+LF.......d.rT..s..(.....J"...m...mGR../P.Bc..7.....E...F.#..U.*t`.
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: C:\$WinREAgent\Scratch\gqtDmx4Hj.README.txt, Author: Joe Security
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:true
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):14336
                                              Entropy (8bit):7.4998500975364095
                                              Encrypted:false
                                              SSDEEP:384:5cFP7VtpK4p+31Mzh79W5vM+ZyUgGq4BtMvAxXCRsi:A7Vf9p+qQ02y5HW6kX
                                              MD5:294E9F64CB1642DD89229FFF0592856B
                                              SHA1:97B148C27F3DA29BA7B18D6AEE8A0DB9102F47C9
                                              SHA-256:917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2
                                              SHA-512:B87D531890BF1577B9B4AF41DDDB2CDBBFA164CF197BD5987DF3A3075983645A3ACBA443E289B7BFD338422978A104F55298FBFE346872DE0895BDE44ADC89CF
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 83%
                                              • Antivirus: Virustotal, Detection: 82%, Browse
                                              Joe Sandbox View:
                                              • Filename: 71p2xmx6rP.exe, Detection: malicious, Browse
                                              • Filename: 98ST13Qdiy.exe, Detection: malicious, Browse
                                              • Filename: c8JakemodH.exe, Detection: malicious, Browse
                                              • Filename: Document.doc.scr.exe, Detection: malicious, Browse
                                              • Filename: Rcqcps3y45.exe, Detection: malicious, Browse
                                              • Filename: LBB.exe, Detection: malicious, Browse
                                              • Filename: lockbit_unpacked.exe, Detection: malicious, Browse
                                              • Filename: maXk5kqpyK.exe, Detection: malicious, Browse
                                              • Filename: maXk5kqpyK.exe, Detection: malicious, Browse
                                              • Filename: abc.exe, Detection: malicious, Browse
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....YPb.................,...........9.......@....@..........................p.......................@......................A..P....`...............................@......................`@.......................@..`............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...`....P.......4..............@....rsrc........`.......6..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 16, image size 2621440, cbSize 2621494, bits offset 54
                                              Category:dropped
                                              Size (bytes):2621494
                                              Entropy (8bit):0.20417131690350954
                                              Encrypted:false
                                              SSDEEP:12:GKm71jTv37T1BNrdVRd3fF3bdJf7vhpnzBxD1fJ/tBfJvTLtFFdF9tlFNtnvDdFP:2
                                              MD5:081D9379DA8701EC3278DBC2BCEDD412
                                              SHA1:B46A98B4395D4CCBC36800B70EED0927F04B7D16
                                              SHA-256:2871210103DBEC222FC8A41617DFF07978C76DBDF7706F25716297022D734FA4
                                              SHA-512:84358F7DE3AA57BC677F4B7FB0BEF6849F5A108D4AA7A2258CFB1C6F490C85D06FBC6450E50E36A358564BCF8C4919AD5F30C8E0C2A9A6F905D3F9333ACCE15E
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                              Category:dropped
                                              Size (bytes):15086
                                              Entropy (8bit):4.262047636092361
                                              Encrypted:false
                                              SSDEEP:192:jpBaAlHSa2vU9G/8MMBD7O1lXFMB8VMJP7:jpjmkMYD7IFMRx7
                                              MD5:88D9337C4C9CFE2D9AFF8A2C718EC76B
                                              SHA1:CE9F87183A1148816A1F777BA60A08EF5CA0D203
                                              SHA-256:95E059EF72686460884B9AEA5C292C22917F75D56FE737D43BE440F82034F438
                                              SHA-512:ABAFEA8CA4E85F47BEFB5AA3EFEE9EEE699EA87786FAFF39EE712AE498438D19A06BB31289643B620CB8203555EA4E2B546EF2F10D3F0087733BC0CEACCBEAFD
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:false
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):239
                                              Entropy (8bit):7.0786764587589275
                                              Encrypted:false
                                              SSDEEP:6:0YfMIVM5nzWjEOFHT14qZze1713RJkp6r:0aMg4zB+z14v175RS6r
                                              MD5:9E8E2F5C0C66CAE5DE50C625026B2A78
                                              SHA1:E902D69C7857432F88795A13BFE58129B48A4EA8
                                              SHA-256:F12117E3691E93F663C078D40F05258A2BAA9E62E1C1A5E92E1A50038CD673B3
                                              SHA-512:D2812B14E8B44A5199F6D23530521AF5A91C1047E35312F96847ED8A0FBBC16981EAB5A597337688C859861ED2B1BC729945396FDB181DDA71C10BBCEC915C96
                                              Malicious:false
                                              Preview:.w.}..I.J...[r..S^E....}.{-...[....H..U.N6.Z.|.P..S........7C....).....t......[.6..{]s....a!u.....a.l..^_!.@.+.".....<X6......%z.2..9{..t....Sb.|.b.I..H5.$5...h.....t ...2.M.m`......6...S.y..v....\..}..S.{....U......U..r.%.F
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:true
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:true
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:true
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\ProgramData\9BAE.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):164249
                                              Entropy (8bit):7.996491901942782
                                              Encrypted:true
                                              SSDEEP:3072:rXmYrDLzEpl6lmzfgZGwXmYrDLzEpl6lmzfgZGwXmYrDLzEpK:rbrlmU4wbrlmU4wb9
                                              MD5:B43FD98C3B390A7D5655400A10BEA424
                                              SHA1:23961406D245FE7104A04370B81F3C8DF5B55AF8
                                              SHA-256:148F3893E1CE821128BEE0BB7367D1BDA4B9F6A2F0DBE69AF100EDA2B41E7FD9
                                              SHA-512:51452D42F2BE5FDF63E3335B1AA727978E39D1BCD6230F3248F998C6128A43F520A33A7161AB4F29676F8FBF3E71E85E4FC9E33BE90792350F06F90649E2C728
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.832160122531599
                                              Encrypted:false
                                              SSDEEP:24:5+LlnZa2eqH3TZ38kcz2Zbl8gU+UlPjVE98+3IWTK6YcPN1nUfv/ImxON75RS4:5gVZbe63dBKaZ8llPjW98yO6Yc1ovMxp
                                              MD5:42E6ED0EF7FA565D02ADE4A3DE689E77
                                              SHA1:174636FCFD197E140645B47AE047C29B6BF1576D
                                              SHA-256:740E830F02AB4EB5BF415E9B57647769F27213074641A771656ADCC5BE3B799D
                                              SHA-512:CF6E1572502165434F253AEFC40DA4D03D5D84BDE1D388EDA67A33A1CBD7D22DB6FDB6BA5DBB5C78BFA144668C111AD4E6282649BDA0E436D4792FA481E34553
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.8248730690362205
                                              Encrypted:false
                                              SSDEEP:24:2eDBXrsxrTowgcXbRhtgpGOmrcgLdaMTna9gHycqx4ooeHzLbkRwON75RS4:2eFoZZv9O0cgLdaMTpS1xOeHXbixS4
                                              MD5:4D4547CBB10D74156B3C67D721EAFC35
                                              SHA1:5BBB66B75837B4E373B6E84F448A81C31B14B2B3
                                              SHA-256:849176C9458A3D3C8FFBB99438825D38D10E8A74D49EB419E7DC63BD8F422989
                                              SHA-512:7EEA411DF72AB1FDC33C56E36DA3909484F90B82F7CFA8166BE097EA15F1C8E3CD130F819287507702C7DCFC4AF88D83165119BD3935C097CA523E03BCFB21BB
                                              Malicious:false
                                              Process:C:\ProgramData\9BAE.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):164249
                                              Entropy (8bit):7.996491901942782
                                              Encrypted:true
                                              SSDEEP:3072:rXmYrDLzEpl6lmzfgZGwXmYrDLzEpl6lmzfgZGwXmYrDLzEpK:rbrlmU4wbrlmU4wb9
                                              MD5:B43FD98C3B390A7D5655400A10BEA424
                                              SHA1:23961406D245FE7104A04370B81F3C8DF5B55AF8
                                              SHA-256:148F3893E1CE821128BEE0BB7367D1BDA4B9F6A2F0DBE69AF100EDA2B41E7FD9
                                              SHA-512:51452D42F2BE5FDF63E3335B1AA727978E39D1BCD6230F3248F998C6128A43F520A33A7161AB4F29676F8FBF3E71E85E4FC9E33BE90792350F06F90649E2C728
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.8605488891818425
                                              Encrypted:false
                                              SSDEEP:24:X6oCbxfhxRXBrI3NS+g7zm5N6Dy3AqpCFRVtsP+g0yBXYMSRyDEbON75RS4:+xZxxkIIN65Xhts90yBIMAKxS4
                                              MD5:C2C602C9ECF5DA8B96F1611871B3832B
                                              SHA1:9C7EEBA99147A35C086DD838EDFBC546C1DC9842
                                              SHA-256:583A9F9772210F9A578470C4E01A7599EABD1C0AF87950359EA5E5C14A17A078
                                              SHA-512:4CACE6C17AED911C681303A5C93C34CD9A434CABB4F52801F9B27F4DD5DED207AD37BEE840F1779C6FF817F1945ACC4BD7FA2EFED7FD8246B61E826F3D8C7FD1
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.842340004259138
                                              Encrypted:false
                                              SSDEEP:24:c2urkClI1LMuGFsbBFIKyHGo0hU6EGl73D2f15BQNN3YON75RS4:QPlI1LM5FEB1ymo0hU2X2JQNN3txS4
                                              MD5:50E39D1A31AA2373FA4A4B805CD06439
                                              SHA1:949C3F3491224B79432551215DEF2555B7D1F09F
                                              SHA-256:3203AAAE7413A308F7DBCA7817F6033DE60E21700555C04D7718003B6B6839DC
                                              SHA-512:80CB1B895153D946099F6D6AFA6D7BB82B8DBF6B6C81092A6883BDC2DC0BBCE7EFBE48989FE034E1E5D7C1D8F086D93BA66B62829C2A6E64A02D1FD3D173AE30
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1272
                                              Entropy (8bit):7.864605723265431
                                              Encrypted:false
                                              SSDEEP:24:9C5s0UfGVRU+ftgvsO7lVaTcAEMrJAjrVOUKCnDrveZvXqqEON75RS4:ws0UWU+6sO7baTTEM9KVrDrvKv6yxS4
                                              MD5:8C27A31B48022480008EED5ED4509086
                                              SHA1:09783884A10D6B858B869A78132DFD50C43D2DD8
                                              SHA-256:0324E3F6774E3D99C77A7566D717E81336D5BC8590DBA2761FB2C0980C635292
                                              SHA-512:78381B9939F6D5A8D5FDF72842EEFEBE7E2713C7992AC28369FEC4C331C97ABEF5BBC7597E8661B094C22F520A13D13733F070297B8190D3C1C6BCA2476FF2E2
                                              Malicious:false
                                              Preview:S..}......j0e......i.lgpY.....[.P...P..Mh.H...}cI....q.S..... .........(.;K......O/..*.D.2|....n~......{.....h5?'....3B.AH../..w..A..nR...\F.u.E.m&s....X_..M....s.Qw.F....K.b.9.8.......F 1bY0Z.Rw..ZC..gD.^.-......&sp.9_..H....4..dO>.Jt....8N..q......y5..k/...l.klm].....R.M..._..D{.X...o{S....{.^.....9.........).6G......@,.6.S.0}....bp......k....v/6-....*N9.x.....H0RI..m..ju.jE.&!.....OH.Y.....o.:..zDtl...^..1Me..A..........T...s6.S....=.............4..LVn.2x..hC..3L...8./H...G...+..P-.<~usb.....7..X\T..D..eR:..........P.r&.P%`.1Xyf.. .e,p.......6A.C.4.\J.]Z...R.._X..".Z.R....d+... ....."...r..K'.h.......V1ZA..m..lm.tN.*(.....JH.C.....y.=..aAod...L..)Wy..Zt........E...y&.P....7............6..MEi.:o..`].. T...2.2^..i......W.m.:..ub..q.{...c.M..=.....3*Mq........Z.......\....V.U.pj.gyzy.Y[.%w^H............#.F.@..._.q.cikC..........#.o0..S..N...S..:....C....*...? xY.h.T....O.i...w@:.av!........`.4...FHh..wWk.n,..|.)2..cpQ.:hx...N..{8_
                                              Process:C:\ProgramData\9BAE.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):164249
                                              Entropy (8bit):7.996491901942782
                                              Encrypted:true
                                              SSDEEP:3072:rXmYrDLzEpl6lmzfgZGwXmYrDLzEpl6lmzfgZGwXmYrDLzEpK:rbrlmU4wbrlmU4wb9
                                              MD5:B43FD98C3B390A7D5655400A10BEA424
                                              SHA1:23961406D245FE7104A04370B81F3C8DF5B55AF8
                                              SHA-256:148F3893E1CE821128BEE0BB7367D1BDA4B9F6A2F0DBE69AF100EDA2B41E7FD9
                                              SHA-512:51452D42F2BE5FDF63E3335B1AA727978E39D1BCD6230F3248F998C6128A43F520A33A7161AB4F29676F8FBF3E71E85E4FC9E33BE90792350F06F90649E2C728
                                              Malicious:true
                                              Preview:..^....."...K.I...TJ......._4K<:@(.O."....<|...:Z.I...-...I.....)..'.W..{....C.JER.\.u.4.!.L.5`..y....."R.......'R>..5.)e.wX.....<..i..P^..2..f..M....~........G.'8...c.E.....y.m.P...a.I...R...n(.U...m.}.t...d.Vz..wx...R..9.\...R=...(..<.y.H5-.i.@..=t...8.Zy...EF.}I4...Fi....(GF....\X.h...K.q...:...)nU.z...d..C.t.V...~]..].X...C`F.M.ZG...w..P.....b.l.....da..G.ol.Fo.p,.v.}}.`".)<]tN......~....(..D..I..U..3..h^..{....nz4.W.T..T...%.%9i..$..IL..K.a(...P..k...&?....efu.5|..8..s.d.8t..W.T/,....|..e.>!Ly..O.>b7....j...`.2.G.(f..gp.T....J...h.ftwR}.....0'o..8*]...q.{..#..'|.........kK{q....".'t.q.........x.[IZ.e]|.p..\..4&.....IV.~:....k..L.ayy...L>xs.%L.]\.v).X"j.+x..).[....).{2.y.*.U....1..:...T.{.M..U..P...NE..Z.j......$..4..Py..f..{...C.Lr.......y.....o.F.D.gw.......cR.....Z.....sS.j@".Z..j...<.........pM.n..../G.t..........\v...-....#.R...~:k|.6..g...5.S....... .)_.B|7.r..NU..... jD..Y"1.........h#X..!.5`.w..n7k.#..1:.<.+G.JLR...U@.W1..
                                              Process:C:\ProgramData\9BAE.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):164249
                                              Entropy (8bit):7.996491901942782
                                              Encrypted:true
                                              SSDEEP:3072:rXmYrDLzEpl6lmzfgZGwXmYrDLzEpl6lmzfgZGwXmYrDLzEpK:rbrlmU4wbrlmU4wb9
                                              MD5:B43FD98C3B390A7D5655400A10BEA424
                                              SHA1:23961406D245FE7104A04370B81F3C8DF5B55AF8
                                              SHA-256:148F3893E1CE821128BEE0BB7367D1BDA4B9F6A2F0DBE69AF100EDA2B41E7FD9
                                              SHA-512:51452D42F2BE5FDF63E3335B1AA727978E39D1BCD6230F3248F998C6128A43F520A33A7161AB4F29676F8FBF3E71E85E4FC9E33BE90792350F06F90649E2C728
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1272
                                              Entropy (8bit):7.881022955413606
                                              Encrypted:false
                                              SSDEEP:24:jW764wMMsR4R7e30eMD2XJekS0XeYPV1QPrUj8YLvvuON75RS4:j9zML4R7eEeH08XegQ4jLvvnxS4
                                              MD5:91478AA87AC833D5FB8408E7F61EC01A
                                              SHA1:0E9D42EEE186B2CF990FD9679C77B69706B1A2B1
                                              SHA-256:DE262E6080BA0A7483622612AB106866F09B7CD78A100361A8B6FAC1CCAE4723
                                              SHA-512:2CF6E45893654EA084685B83892B3768477D3BB2D487F9A267C5056BE426B6EC7857E0AE0208292355BF4C19788E133548923A6B24037180548CC4622FB0327B
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:true
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:false
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1275
                                              Entropy (8bit):7.85157938945047
                                              Encrypted:false
                                              SSDEEP:24:xxXYT7laCMdubl/tzs6PpMQ4BnCIF88zQmlKEleh32hRhSJxON75RS4:3YTAdittPwfzQmz1vhpxS4
                                              MD5:B493F5889323784CE955520F87AD9045
                                              SHA1:4B2C8A707B9520C94B5BC9DDEDDA1DA8084EA95C
                                              SHA-256:14E942B9D5A6C38904F1AB675B209321ED13F940F497B5A645EE09D80ADE7680
                                              SHA-512:2E0D0A8AC2868B9DF537D5892071B16DB8AC47A0267013A841F7E5C38FF4AA3DC934A3D5B6FB8686F6E75B61E8949D64883C5C6C3057BCC1ED564792A2F1EF29
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:OpenPGP Public Key
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.8354546595914725
                                              Encrypted:false
                                              SSDEEP:24:1lwD+wU552eJgUsoQJ0yfuPc4uoj+2ecV57pC3jlscR/y/YT+AmOON75RS4:/wD+5JJgdJ0yf8kbLcbMTlscYY61xS4
                                              MD5:CFEDDA4F192F44E833D91232DFA863B4
                                              SHA1:60084A42C4A8459F89167E48846402B1DB2FA385
                                              SHA-256:B332B680DF242F10B1AE48AFB865560D1BD5F8B9E0BEE6C75D98D657A5D5600C
                                              SHA-512:3B75EA0A0159AF2133AEA9571195FFEC710DF262727007416F2B830607F05DEE397E1DA086B711F8850385622EDE5F323502695D9B97F3D3AE544E9E3EC46BC0
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.856924827556877
                                              Encrypted:false
                                              SSDEEP:24:lNf9/+mhRBAYNU5Omv61yTvcybmiv3gWJ68mREke8m/4dZZDY6yDQxWHON75RS4:lJ9xtAT5hmbw7U8mVs2ZXTxS4
                                              MD5:6507FFB67DA709891222596EA9F5E297
                                              SHA1:5CC535AC1B0771787307852C661A78243F73C8A4
                                              SHA-256:892E96CF1242F93F2E8D189A5FC16A1762789C71311580597D85AD27367573EC
                                              SHA-512:6A0C182D2947C7212F262F0404FD0143F8FAD350CF22923B955F210BB33B69F2C5969EE23931B1FE7DEB70CA61F6E3D63003543DCBF0AC18FB529C18FBBF1DFC
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1272
                                              Entropy (8bit):7.8554864992272195
                                              Encrypted:false
                                              SSDEEP:24:ohhzNPVBqTr9X5fEqiiMMEBj4MIlBGw+QhzbHFtaWb7rrHuYAdqvfX5UON75RS4:YhPS/YqiXTIlBG6PltaWbrOqvrxS4
                                              MD5:4BD08A9D5F365C33F2992134AE6744AD
                                              SHA1:9289E90F95926F0FDE856529579AC483B37E4093
                                              SHA-256:B8AD7E5E139BAEF6885D71FB08C6D63A88A05A3290C62E6242E33D43593751D4
                                              SHA-512:0593DEBCF5668E87A47E4A9306928A8800A0B3BD8DE39A8F79F5B56EDDF85ED2623604C58D49376B0DDE31D04A7AD2AF71D7A1A68A984DE61952533446D90C55
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1275
                                              Entropy (8bit):7.822342232883735
                                              Encrypted:false
                                              SSDEEP:24:7OmjRkWzmEG8VVa5YMjcnjlRErfhpLTON75RS4:7OmFmEyWSchRErfhp2xS4
                                              MD5:028736D3CDB7EE77083882D37C967939
                                              SHA1:619699B861F7836DA8C446E7E1EFA21FCCEFF461
                                              SHA-256:9C1933B283F8A18DD722D0817FB342B185832A43D63475F0793E60FFE4EB4DBB
                                              SHA-512:1DA33F972B4AB74F6E04E57878D17D8AB2D630E520DF8E6CA0D6532F761DB022A32EECB424CE65614B5ACD51F805218753901A2667C9801414292EDF3303B451
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.851240711313422
                                              Encrypted:false
                                              SSDEEP:24:Bu8reNvlETqXOz0UTYlOVWuR74lnhLjjhMON75RS4:B6FeQ3lOUlvJxS4
                                              MD5:38B23A5DD5D65A84D3BC25B34382D058
                                              SHA1:FEA289C144B719C0456B215876CB08C11141EE60
                                              SHA-256:C888CCB466074F433968D1405D032B14ECEEA5B0A47C81311D78DB11C580DD58
                                              SHA-512:6A4441B9D331E3F74C44FB1693953F94E29D5DE290856DB94D6FD9DE944644705664A8A0F362A325957AC3F0EA214878C050804171F0793C296EE08D7E6812A7
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1269
                                              Entropy (8bit):7.847567018335597
                                              Encrypted:false
                                              SSDEEP:24:F6S+USwoinKHEDUKEN6371YWaIe9lxWaGON75RS4:FDzS7x61YbzWavxS4
                                              MD5:4858F5ACE82166BA66EC765FCEAE0EDC
                                              SHA1:7107DFBF7FBE74926B6FF392AA5A400AA0887E1F
                                              SHA-256:1E0133A2C9A6F728E5EE014BE723A885FE4E4CF30600EA9B62078BE2E8F22814
                                              SHA-512:6DF1696B3046D036FFF586FD73E94D18BDBC121D6A1BDB6CC919A27C7D6339CDD9B4DB86795F4D5C6DBB26E98379DE67FABCB0F9A03B6544DBD9031EA6E7D432
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:false
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\ProgramData\9BAE.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):164249
                                              Entropy (8bit):7.996491901942782
                                              Encrypted:true
                                              SSDEEP:3072:rXmYrDLzEpl6lmzfgZGwXmYrDLzEpl6lmzfgZGwXmYrDLzEpK:rbrlmU4wbrlmU4wb9
                                              MD5:B43FD98C3B390A7D5655400A10BEA424
                                              SHA1:23961406D245FE7104A04370B81F3C8DF5B55AF8
                                              SHA-256:148F3893E1CE821128BEE0BB7367D1BDA4B9F6A2F0DBE69AF100EDA2B41E7FD9
                                              SHA-512:51452D42F2BE5FDF63E3335B1AA727978E39D1BCD6230F3248F998C6128A43F520A33A7161AB4F29676F8FBF3E71E85E4FC9E33BE90792350F06F90649E2C728
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.836357645818244
                                              Encrypted:false
                                              SSDEEP:24:8WENjA6LTwYZqA9xL9M15bLfIAhuLR9i9umfbyVyPD35q1+sEON75RS4:8CuwYZqA7xI5bbFeRwfbEyDsFxS4
                                              MD5:140C9A31907ADA38A1B8B16175DF0F2F
                                              SHA1:B2A3518CE7D2B5EC7E5B2BB50537E111D4167C08
                                              SHA-256:E0B326F01C02A185465623EC84CDEDED3421D50B32218BDAB31DDFF6069BE39C
                                              SHA-512:98D953865211451188BF129186F1551C9CBD283B0EB181014F2AB14C26A5983B1343343B403A025476E83C49460C882A8D7A68BE22D8227595F8C70CC5E0402D
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.866158040889017
                                              Encrypted:false
                                              SSDEEP:24:sTZ3PY25UfNBfYZ1qTuxWQHgY8BExaIbAf8OQSQlFAlUnh4y7ZON75RS4:sTq25yNqZgTuxFC4acA1QFKUyEkxS4
                                              MD5:9356A27404ACD17C139179E0FE93BE04
                                              SHA1:FD991ADBF99888A7152A85B4BDD6BBA5507C2B1F
                                              SHA-256:9440E5B009258D659D5844346B51185E1ABB679B4229186971909D530FAD93DC
                                              SHA-512:8EA14ACFFBD67059D9EC41F3DC95E06F2A33B0446FE19CA337DD2BC919B3A4198A7AE1CBD58C08B9CA1C42E6FB3AB0B0474B702DCF6BA8FB9F40A8D189757AF1
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.854218419282432
                                              Encrypted:false
                                              SSDEEP:24:1Kd7jvBb5fBdnytvO5YW04eqgqgQQuEBtpnpekIk7hiu7DON75RS4:0dvB5zyIRBehuEBtJj7QxxS4
                                              MD5:AA14C2D5DFF3584067B02DA28FEEA8DF
                                              SHA1:E8803CF30D9335FCB5A7A51DC8EF0826569AB51D
                                              SHA-256:C99F4A6BB6CCAE6904B8927DCC79BFE5B28912A11D9E999D58B515457D6E8CE1
                                              SHA-512:021C304684272369081A1B2E734422655FDCF471E4845A3822C1F83DA5AE44996FC0D12D2B376454208972DBAB9BA27F4021479801C53A9BCE9C65C0B8941789
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.821591800057207
                                              Encrypted:false
                                              SSDEEP:24:Vo7KPl2Sf1fDGlWpuOohqXTSvnbwn8AtwriyxHw+8iKZ6ZNGbRVXnION75RS4:6mPl2wt65iTSvbw1OQjiTURzxS4
                                              MD5:FE2B738EB1BE4F65844D22ED7483E6E6
                                              SHA1:0FD375D2F9C6E280341E3BE12593934D66DB1E9D
                                              SHA-256:04E7298C08E7A3680B34848C96651B26E99844AB0ADFFCA4DF1B2338CFC73173
                                              SHA-512:FDC855F48089BC6C39F6B5BC3466BC9B0FE5B8161B8019058177955CF998C48F010E44366542473D9719BE939A389095B693A73DDDE863F43DBCC9B25FF4541C
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1269
                                              Entropy (8bit):7.856700010741315
                                              Encrypted:false
                                              SSDEEP:24:Ofacll5BG03uhkMzS9qI+d2LeowF8gg8VUvfEmJarmupu6mrUAbI4RsON75RS4:OfaYoAQX2btPwJV+fnJarmup21pxS4
                                              MD5:C803AF31AE58956A297CD32E87D91DFF
                                              SHA1:5CF70D96CCB749BCA31139AE77DDED44A1E45214
                                              SHA-256:D92C189C2BD5CFCADFA53AE97AD528B4CA2FFCFEC6B470A0A3B262EFB0A39794
                                              SHA-512:C031E3E8B10352BDB5586AED5D7B39D1AD6164D0A25C4254A0E2C65339BC89FE0235EAABB94DAD785DD285E2941C893BA76C4FBDD7572BB98D966066A189C9CF
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.837252406510161
                                              Encrypted:false
                                              SSDEEP:24:9Blbs3kJCzx+RlTxClgV0IzWwxk5ws/m/mQwq6HlJlcjDTRWLbQX8eYON75RS4:vlbeAHDP6usFQUFJKjDFwbQbxS4
                                              MD5:0D55C5660430DE7CEAFA9C22BE065FD2
                                              SHA1:7EF12EC122DC3C25266CF247A04C481A0A43E43D
                                              SHA-256:944309B1756208F988CACB8112C6AEE0603612648337F4E62509AE005D47522F
                                              SHA-512:9E76C36B98B143D26EFDAF144AEE51E7BC99E56289B682C96D20A6713019B137083C4FC3731A7BBE22119B91ABD9F4109E6F8A54FF5C79D02C6FA9B50CA5BAD8
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.84610916822481
                                              Encrypted:false
                                              SSDEEP:24:yqeiVibEE/nz4jXEgR6fOswueK99hpJnExnLjJLncxdB2BQ8DvrUkNON75RS4:yxoPknMXXg3pnujJySQ6YkAxS4
                                              MD5:390EA03857FB5F6FFB140A92F8D459B1
                                              SHA1:EF84CD8A2B68ADA796487159DBBAC73DC26B5B21
                                              SHA-256:11C9A6B6022978000869FAB4ED0179E644C12BE59759A6CE305F2E4295785A46
                                              SHA-512:18A6CFB12DD97C4ED2D2430E8916112EE0192448696460A0ABA866D1B7D29F521F3CCDB4EE37BDE3DD62588F16E58119A6083E12303D4A6CED93128FA6FEE066
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1272
                                              Entropy (8bit):7.859171784199948
                                              Encrypted:false
                                              SSDEEP:24:x0LdvpMaEsKEMayUXor1+8rLIQe7h3HlswJcgJXzoeZvUqQiJwON75RS4:xSRBErzaDv8rLFelVcgJX0KvJQiPxS4
                                              MD5:9F55B6D07BF2F1527EA41715C568BB5C
                                              SHA1:77B900220FF6FDDB2AD8975FE35166754FD3A656
                                              SHA-256:F06FB6DA3FED26728206F778C01B18C99FC13F5553571C4B8DAB6F2F1E3B0FA9
                                              SHA-512:36E6AF7A4BE72EF25212F394809044E32A2D0D72F72FCE7011D8ECF631853F07D88FEC5EC4300869E348880CE7E30D4D3E070FB18CD648CA3D0A97E23F5F2494
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.84018241244774
                                              Encrypted:false
                                              SSDEEP:24:/oiyNHuY7+/Y74HzYCGWwmOa3OKqlGVOWm+i/AmZqwUdo2SnyPDAON75RS4:2xiw7yZGWwmrOgOd+j9e2cyhxS4
                                              MD5:A9FFCC6AB4312834AED280AD72A709E7
                                              SHA1:7A64758EA8F4B358ED43D3206C1468C90FE9FF37
                                              SHA-256:24A0B25F37631B80B69E7F211FBD2CC8D06E10555876280F0019C3E2215E42D7
                                              SHA-512:43E8CCD3F71C7C44692DB11FE3E4EF26CC362089DE33F11D658F506AED10844CFE515156F9F40EB65412BCB06FF535AE8D8214C8B3366B7089D8B16EE539309C
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.8374662340545305
                                              Encrypted:false
                                              SSDEEP:24:tQf46VRMTo/K2wWDxwG35KVJuJ/Sfs3w3H6TwVQzhOYpiHbghWdSIntON75RS4:ifLRYp8xTobius3wXmwmVZpi7grIgxS4
                                              MD5:8C698263485D8493FCC7D10D3003FB31
                                              SHA1:FA2CBFC8EF9E02DEF824272FB1C8A1763933DF58
                                              SHA-256:515D61E545A9355B663288C0A1865831B6CCB8CCE2FAB00626EEBC6A0C882335
                                              SHA-512:7AEAFBC27E9F109EF92870619500101620DFDAA36B5CFC2A374AA1E41C825DE3121ECA289C0D690058384C795DC039B0F90C63D1222C8E7EE91DAD004D61976A
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.838159587919094
                                              Encrypted:false
                                              SSDEEP:24:KNwpqbp0445jwHDWyu9P+LMxYrstM7hek5ROTSsvUGb3vON75RS4:KNwElU5jOgdQvD4TSsf3mxS4
                                              MD5:6E21F31DC8F50F07A9E93315C2C75819
                                              SHA1:19EE4FBC3D0D45234FB76F557F5F17616A56EE98
                                              SHA-256:262A18C72098198A9A4A349F48B59CAD0CBAF8002B8E70814282FF4E6DC07CB8
                                              SHA-512:2C4339B992984A745AA4487697B2DEF56408517A1C681038502D03C68D865F0B78AEBE2DFC960DBC0410098FB5FBC74E70F2615BA8ED6A8EEAC0755BDB63B795
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:true
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\ProgramData\9BAE.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):164249
                                              Entropy (8bit):7.996491901942782
                                              Encrypted:true
                                              SSDEEP:3072:rXmYrDLzEpl6lmzfgZGwXmYrDLzEpl6lmzfgZGwXmYrDLzEpK:rbrlmU4wbrlmU4wb9
                                              MD5:B43FD98C3B390A7D5655400A10BEA424
                                              SHA1:23961406D245FE7104A04370B81F3C8DF5B55AF8
                                              SHA-256:148F3893E1CE821128BEE0BB7367D1BDA4B9F6A2F0DBE69AF100EDA2B41E7FD9
                                              SHA-512:51452D42F2BE5FDF63E3335B1AA727978E39D1BCD6230F3248F998C6128A43F520A33A7161AB4F29676F8FBF3E71E85E4FC9E33BE90792350F06F90649E2C728
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:false
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\ProgramData\9BAE.tmp
                                              File Type:data
                                              Category:modified
                                              Size (bytes):164249
                                              Entropy (8bit):7.996491901942782
                                              Encrypted:true
                                              SSDEEP:3072:rXmYrDLzEpl6lmzfgZGwXmYrDLzEpl6lmzfgZGwXmYrDLzEpK:rbrlmU4wbrlmU4wb9
                                              MD5:B43FD98C3B390A7D5655400A10BEA424
                                              SHA1:23961406D245FE7104A04370B81F3C8DF5B55AF8
                                              SHA-256:148F3893E1CE821128BEE0BB7367D1BDA4B9F6A2F0DBE69AF100EDA2B41E7FD9
                                              SHA-512:51452D42F2BE5FDF63E3335B1AA727978E39D1BCD6230F3248F998C6128A43F520A33A7161AB4F29676F8FBF3E71E85E4FC9E33BE90792350F06F90649E2C728
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.855519584202156
                                              Encrypted:false
                                              SSDEEP:24:XtAsI02IXUa1lzTArwhq5fY40bcxAIs3Eqsz1wEV/Ui75FA5lkRci/PUYON75RS4:XtAsI0aa1p1hqH0bcxA790/z5hRcOPUx
                                              MD5:62F4D129ABEF1016D8AFF7E6C9E32887
                                              SHA1:02EA4EBB5A8621C3E66BF65F6EE20125861F6860
                                              SHA-256:D0168E559151F69C20B29564924C16B3FCC774C4808207E82C53B57BF57C0363
                                              SHA-512:E88CF9898CD8372AE99A77D0D805F199D0EAFDF321D66FA5EBB0B464DD41FB9BBDED6244FE745F73402627A1BD2DB7ADF354F478F44E4B0CDE6FF4615981FA72
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.843008442619415
                                              Encrypted:false
                                              SSDEEP:24:aHrA6j9PlA6WL3ZmCy+gFf9VYMk7y/mOLbmLxZON75RS4:SjBlA5mCy+gfh/mIbmtkxS4
                                              MD5:1E70F3E947FEC06C37311937FF0DEAEC
                                              SHA1:6B49AE311D0721FA4475E367C7E21D87D8C997E4
                                              SHA-256:F0A47B3CFA60F12327605082EF3D659A7E0ACFDBDEAC604C9ABA5F518FCF67D1
                                              SHA-512:EC9EEB7D643B2777E9F227BCCE230C9FFAACCB1288BF835B7E00B47178CE25A2DCAA6DE00FF4CC48BCAB846A4032CFBF0A0BC1A059B7C8F2860E345205EDFD25
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.844497959952516
                                              Encrypted:false
                                              SSDEEP:24:LRbWy74JJKptP2ED/QqBVmW80eDlVZzaY08FEA6zqR6ysxyDprpYxON75RS4:DWKptOED4UmWX27OUqtzqR4mrp/xS4
                                              MD5:BD706D5EDAB21268EE4762305F52CDDC
                                              SHA1:83405C5483B2CBB80C7E97D8083F34F82373C548
                                              SHA-256:977BF5187955C026F3EC8E0DEAE9F984AB9E0CB814C4BB1C7979DFEC9A4AE479
                                              SHA-512:B5ED7F60DC8368D73490E2C6F7EACCD93DCAD76E331ADFD450FD4182908F2DE3FFD3350B6677F5313EC4809BD6A1AA8406C8116F7ACA462628C89A11C5981FBF
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.850902716530809
                                              Encrypted:false
                                              SSDEEP:24:cMqj7I5BbIMtMHto1TyjB4ci9cXcM03xFil0mPeVjRCkhomBQUiB5AON75RS4:cMqwbI+Mk214NSXcBxFil0mPeVAUQU4r
                                              MD5:661951D8F980E29A49A2E03FB7837FBC
                                              SHA1:02B43BB706B46D3D3DFA76E51018CC7226079E9C
                                              SHA-256:4F488FB03B98C4F4CE8E2FAFC1F7E8A27AF010DF3ADCF7613D166F8DFFADA1A7
                                              SHA-512:46C354A0FBE4597B008D5C6B09F9984EF6AE5EB7C632ACB34B09D988E2FEEFB1F2B241CD5B1B78D4EA1421A92FD9EC3627CC6F00FBD6D598A0C3F662F325EFCE
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1272
                                              Entropy (8bit):7.8399580518975736
                                              Encrypted:false
                                              SSDEEP:24:PiJqdILFPf+LvVHkqgV1bkATPWvI4/NTzldHkeWZvvX7ZMON75RS4:qs2RPf+L9Hkv11zC1/N1ivTZJxS4
                                              MD5:E75B50D07A56D16B5B7F691D3C6CC9FA
                                              SHA1:C2EC87A23AE3DAE32C964D7FAB084EA7873337B5
                                              SHA-256:AD0E28888F8ADB3ECA6FE7AD034383FAA44AF7FFB210F803ED469BDCEAC148AF
                                              SHA-512:45C8F3F5D82F89377DC6C021625F452EBEEA5382D31087BA0C903D12F731589463FEF53A80BBCF77CC931BEF09960E57A0F5762681AB014FD31822CC01A444E5
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1272
                                              Entropy (8bit):7.81317894480061
                                              Encrypted:false
                                              SSDEEP:24:cEe2prHrzrEyv6GWok/IORiJ1sw/B+QSYR2Mj+8zZtmzDSliR3s9vZVI1ON75RS4:cEeuHvY86GUdROx/BvR2MK8TmnkiRCvr
                                              MD5:B621E9BBD6038C618B22E63143E32E33
                                              SHA1:D14DA8B95AB71C5F4E499D9C546132721142A438
                                              SHA-256:6061E8189102ED8ACC1DD7DCCB5B95AC9051787BBF584A899A93A659F2F7C962
                                              SHA-512:DC19F9AA843D12AD76CCFE788328ACDDA41E189E37E7BD2F1840E9DD434EA72E5F5A73C342ACF1B1C82704C83F601D2C2B65A019603757FE3FD48E736AA93A4E
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:false
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1275
                                              Entropy (8bit):7.850462785196827
                                              Encrypted:false
                                              SSDEEP:24:JKoaNppWXfUHNH83f3k9CdomcZk9o+jTOvqv6k7Z5cePxRhK8IX5aON75RS4:NaNH68tcldNcGo++vit5ce5RhKbxS4
                                              MD5:68B857FFE71B32A5FA7D4C991AD39D25
                                              SHA1:88A9E1617A70F405B1CBE0D00E5ABE36E4B3C70D
                                              SHA-256:DB04A438AA1DBA1E79CBF12A8A6241A1355F4B93AA1C36A0E556C3D4535BBAB5
                                              SHA-512:E305DD4F62D82A6680A884F36E36555231B6D30BFA79054D6EA24F667BB76AAC0956D9A59A187773DBAAB1107FD36388A91AA0A4E47FE4D2526E38DFE2494A7E
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.852188338204404
                                              Encrypted:false
                                              SSDEEP:24:ZdsSazpymhM1BO51nmq//fCYT4KiNJNk/b2Mm/suON75RS4:7sE251hXqYT4KipY2/snxS4
                                              MD5:4478C247E93ADEB4CF3A787B4FA64B23
                                              SHA1:5B8FFD7BD8C02EDC6425A813538A92EA08CDCACF
                                              SHA-256:F982718E459E45FEDC2AAEE061A8A5DE513B57E2EC016B5AB73A600F195B1FCD
                                              SHA-512:4582C8BD6715C86474EB0FE0F34B6533DB94AE03272A9BC6068ED2EAA42D6B53166F96522872BC7A66162B13F00C8D30EFEDFB2A087B4BED34FC7E92C6D3471F
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.853053262823782
                                              Encrypted:false
                                              SSDEEP:24:U0LiwXLVHGk/gV7z2zQMrsRr0w36tCcsRoRpiHvL2EyDsByHYON75RS4:B7bVzQ4sdn6AcRRUHviQGxS4
                                              MD5:15F5DA4A9B33B3F4DB3C618A8C263E52
                                              SHA1:B436398AB493A88EF960EC28A3E7D95AFFAE4A92
                                              SHA-256:CCDBF3C8A900AD7FE976AE613A33A86EB5B3F2349981C73B1845533A5E3C18FC
                                              SHA-512:BBA7EC46ABA4E0BC78783D4AD2F90831D9D240BFA779A5F93D5D6AC3813C977A91EFD8E6A261F918D9340E5B82B3A7B2E2A186785BBCD92F1930A07DBEB534C8
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1272
                                              Entropy (8bit):7.859059997004788
                                              Encrypted:false
                                              SSDEEP:24:5Wffh5FZEl0FA4lTQVLVLE4cmwMflkIuE99CueEUI/vZ8QDON75RS4:5uRZ0r4luw4UMiIkuwevCxS4
                                              MD5:A45672E4A5727381E5A9700008B50EC3
                                              SHA1:7A593FC21E1DCCB633B2B0689312E30D879E87AA
                                              SHA-256:116F8EF7B9D7E21108DA9C37CAC8D449F5302D5B4FAF27B2461A30AC117B083E
                                              SHA-512:09517FEF4F7EF1A2E5EA6FFE69FD81CEC6E4C784D0BE9CBD9C9CD7B4FAA13D7B0CA6386BAD365269AFDA4448835CD56BE5FF075240804D5554703B7E90652A22
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1275
                                              Entropy (8bit):7.845043000600241
                                              Encrypted:false
                                              SSDEEP:24:upMJ/hDkKRybxabt7nCe+BSEYWKERog+QGz7nT21KhfNON75RS4:oM32bWt7Ce+5KEeQGHT2wh4xS4
                                              MD5:5723D323D061A8702861D75A59B0FA21
                                              SHA1:7E25CF3943A6AA1C6956B0AA415736AEA8AA7A72
                                              SHA-256:431029BF942037C91586C7C5E272CD61C0A220F3C67A7BFC9A9C670A7426EBE4
                                              SHA-512:4ACCBEB28FE238356542E0D1E993EA3ED7FFBBA5EBCCB9C3CA116EB52738200D3B75FF2B5EB7F0524E01041B355BA6A6F6CA45CE8D7206459552B609EF2D7260
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.828704425421753
                                              Encrypted:false
                                              SSDEEP:24:oyPq9UW3FNhEtcML/APQzrOqG4kYfxKntekCMVAqDaWcsHZUdQlfoXjhjIUnhPqw:oyPUfhefSQneT9ekCGTBckGK2ljIUVxp
                                              MD5:A82D3A122F084E373A9CCD5C921A7893
                                              SHA1:DDD761C8E6830C618C3C37FFC8FCB4A68547220B
                                              SHA-256:1B374C6DFF63C63DD342104773E11A0FB79EB42753D3CAA158CFBFF91DA09A7A
                                              SHA-512:B0E9CA3A91E53A55B737405CE45DEFA06879B4DECAC1BC71704C518FC88E52A9FA21E45E95D3A257C1B2F14209B79A73FDBDE7E81E260BFEB3D5622345251CA3
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:OpenPGP Public Key
                                              Category:dropped
                                              Size (bytes):1269
                                              Entropy (8bit):7.8646803613820415
                                              Encrypted:false
                                              SSDEEP:24:S3cVtzIXiGLQaqpQj9SG/by4xlPYM78i/JNNvzxu0xGON75RS4:xtZlRgWIlwxIr4kxS4
                                              MD5:65AF47824FDFB23E4062399B88C0CB49
                                              SHA1:6695C9943BFA6F4E6DD4498FA560490242A09CC3
                                              SHA-256:D8D63B104CFC355F5A9A0C39AFE9C4B33739C38007D85AE7DC10579D83238C03
                                              SHA-512:FE275263200207A2DE15E3CD090B6F343CA2A2A2EEA5D19F501DE546A45FEF58FD8407A8354E4F6BE4DA0E0311DE1A9523739E3A2EDB7F84A253972A90E3B035
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.867213146573291
                                              Encrypted:false
                                              SSDEEP:24:AXXamqZuqnIcUDuwAeGwCBJsOYxFdb1+yyPDc4XTON75RS4:A6mOuCtHuZbcyyExS4
                                              MD5:E3C30AB2DEB1006522CD518F4BE91FD5
                                              SHA1:62CF2CC435288B253BB0212D395680697C9B0EE0
                                              SHA-256:C7859A868ED86FE531FDF363BB1BF023E68A2C6918D3016DC215C7B282AA8B05
                                              SHA-512:84A8844DBA8B057A97278025EF7357091C457BAA933DE31F77A7963B9D6487416AD5DDB19D55D7BAE3FDF7A871A0A41C4BD4BDACD3FBB6757BB8F935F27003C4
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.855266989970745
                                              Encrypted:false
                                              SSDEEP:24:hUKGa5sMNdrs6SpArjSC1FaNsuDj3HauhArzcUPRsVhtcnh/cuON75RS4:hxGaWlXudTuBA/1sS2nxS4
                                              MD5:B4AC961F654967682F7850ED62722D19
                                              SHA1:68024614CE1BDEBEEADAF5737ACD7D75DA897F38
                                              SHA-256:42D645BE0E4FE83DD63DA791569C4699C2A71B0569303F7A790A54DD2C471078
                                              SHA-512:B73142C3171E38082C52D3AF539A93875CEB23B5945AE5B60C4B0D107C0F345EE9F03A20166F7D67BDEE551311BA41D030EE8F2D89CFB1FE387564AF43A40811
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.854116873468038
                                              Encrypted:false
                                              SSDEEP:24:fISxn98u1lKkhYgP1xBLsWhjqyv8TyPPN3qti25rhx3zXp7RXOhEctYON75RS4:fISIiY6BL3vv82P1n25tRV7RXO7xS4
                                              MD5:27543B68E4BE7E6DF1D999A93A362D5E
                                              SHA1:0094FF626CC3C43A3BA57D29297C309FB6C6C9B4
                                              SHA-256:101949C595DFA0988443F2C5D36E690D9FC3D95367B4D6B7408D2E9D6B401142
                                              SHA-512:65570726CE1CFDF02354082287C3705EACE8FEAC3F3EA3F70F7CA82ACA8B3AE55753E148298E0DFE722BF636C871578B98C89B3FFA1AB6DAB9F1CD5BC99DD4AD
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.828748672913199
                                              Encrypted:false
                                              SSDEEP:24:dSDANOp48WH24awMi3CcprRd9LBwAK8RH1JZ/vB7RzqLXGbUBON75RS4:dSh4HH2TwZ3C6rNG8rJZ/vVRzggrxS4
                                              MD5:52D56C334B681F1BCA7FCADA68AA8F74
                                              SHA1:F3E55C5623DE8EAE3E4A8FCB29EFB3951C679F48
                                              SHA-256:89B85ABCDAC93DC3C9A70DAF6F0233FE9216706531B5B97976A24907E2832B21
                                              SHA-512:B888479B30E5B313BABBDC5B39A483898901FF879FE32B31285767B43A6FC3674D2CF9B6515A0B09FB93C9CB83C257792B6DC9631FE03C9A7C3A56139A059F06
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1269
                                              Entropy (8bit):7.844432189324978
                                              Encrypted:false
                                              SSDEEP:24:szCGwe//Jat4gEfmbnjxZflvuzd2lkdty7XiAeGA0DvtKON75RS4:szCGwYxat4LmXvIdtgiAeGltLxS4
                                              MD5:FC2D4EBDCDE0ACC9632463CD0D0810D1
                                              SHA1:9BEFD0AAB97290C4C6AA8886D4C77173FF28C718
                                              SHA-256:2E0E7ADA180207484D000C5CD48A30251332C516566328408AAFE43077F7F940
                                              SHA-512:421441601CD3F1CB1A86BAF8878CCA4DE8BF084FD5B285E98D35999651C937C2CD10DED472DC181973C9171182506EA2D2927066F4B17421928E6512992FDE60
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.8342769204169524
                                              Encrypted:false
                                              SSDEEP:24:ieWcwupjdMmbBbm0ujLg+TZY6Em725SITijB+mX173Lbpt9ON75RS4:puij7bBbm0uuxm79ITUB+mtbbpCxS4
                                              MD5:EE3ED8BF043F3DACF5B7D9583E20A9E6
                                              SHA1:A727168883CBB933DD27E1CA0982B1724EB3EF07
                                              SHA-256:CDC91193BD1A795B83927F1616353904D5FFAE8D2FE111CFB5131402DE10D151
                                              SHA-512:D69F2B305B3045F148163FB71714E2AF7403870ED37D827DDC8A4C72600C60880CEDF433B420EC8B0901AC4B113E3A87C9C1912335C98CD49CB8A26DEB14D1E7
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.833676733358708
                                              Encrypted:false
                                              SSDEEP:24:zxLCyylFkN+gDL+n1STyZ/DH46hKoR9K+FB3hNqYXdlSXXn/o7RYBQiEON75RS4:zxVy6c1zz46hhBTXdYXX/y0QiRxS4
                                              MD5:9BA85A5015069AD66E98920414BB5B6E
                                              SHA1:4F715149C9CCE396FD0B0F09CD27AE1CB0946B59
                                              SHA-256:D354156C09388E0AEFFEC866CF4DCAEC132C288E66DC4F56075D8FC24CCB3DEE
                                              SHA-512:E7CE5D9F609ECBA6181014FE77D88BA52365477EA133AAFC65E06869F62C0B9D11D1D04BF50CA7DF7EC2A80135BE9830522A95C2BCC33BAB0865AAAE46D9F93D
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1272
                                              Entropy (8bit):7.838910122203209
                                              Encrypted:false
                                              SSDEEP:24:mDrr0Yqg9kzpbJ5FfDPkakUI1RDlw2GEknMocTZvjDGON75RS4:ErXRsJ5hPkakbRD+Kkn1Ovj7xS4
                                              MD5:4450E1DB52F3CE500D6E4603ECA6C65F
                                              SHA1:5CFE8B5F6729FEF2D10DD005BB1FE2DE78CA5586
                                              SHA-256:3940C55379E03EE395577C869BDC57F99985F3DD04332EE5EED3CF7903C6C93C
                                              SHA-512:741A2675C6C547197685552B30965B54A1D7460597AD1BAF7BDF464A2496F9121B4D95BC296D698C0AA201B980E59F5059A1569F1A389638D2B526F42CB29192
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.847264321024578
                                              Encrypted:false
                                              SSDEEP:24:lA61ivsSC7imiSGIu2PgQNtmJ8okR+/VVH3FmnoAyPDIpxtON75RS4:q61ivsd77RGIu2PjYOt+YnnyexgxS4
                                              MD5:A53FD671BF94F8C53134887535660C7F
                                              SHA1:11EB373C934B27816246D7336882AA71E9B4B8F5
                                              SHA-256:7B1C805290DE09D7A9A4B43D6827D34DC822F7129CC25F56CE6329B6A1991482
                                              SHA-512:1D7D8830F4F4DF6F8AFBFF457B759D494CEBC81BC2B1D00F20B2EB64E95E9C84D6254DEFAB4B52B5B266DCE1B011CF6695F74E30F087D9105B01491EDF535FB1
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.853220415176089
                                              Encrypted:false
                                              SSDEEP:24:9O6+LiJxoHTd1Ci70Nf6jXeS7Y5LMbjEzbQ8WYoOsBllh6pK2ION75RS4:9OviIOi70x6jXJ7qtbuY9sBllYpK2dxp
                                              MD5:E25010FC7F0E6950CD1E9EA5D7CE8658
                                              SHA1:802C8CBB86429B14D2668D5A1AFB3A69E0D1FFB2
                                              SHA-256:7A2929CAC2D5E1873A12A4894B6AC7A4DDD639809CFBAA5CF835EB9B28972454
                                              SHA-512:D4FD2CB15B2FC3BCDEDCF9432996DE06065D7884E33E6CA6C4E23BE1BF96CABC17C3B5F4BAF32F3808AFB82834293D68B6E64286A6C63319DBADE6B1471EAE26
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.873523952403723
                                              Encrypted:false
                                              SSDEEP:24:II0bvLhRI+TZJ0qTbijaZHAdYJR/TXqZdCyNd8lGboZrRON75RS4:f0bv1R9TtVT/TXqZnNdT+sxS4
                                              MD5:B70A7DB3E4B61935F854DA3159567642
                                              SHA1:40D4DD85F45CFD23D619AB4CA2ED93EFA6070014
                                              SHA-256:0E5A8DA2693F1013FDE931D3DAACEE71AAA69F119E54B29F67EB825E6ECFF342
                                              SHA-512:FFCF48CE0F1E339D5ABB871A00954374622BD74133D167F6F7D8B48DAE080B51C25FC0136E222C2313B39F2CCAE233FD19947A46D786092304D1A33E9E5778E1
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.839472323009049
                                              Encrypted:false
                                              SSDEEP:24:0vQWkbto/ADy0oTK8tnydws0EFAL/Blbi4amsSHunsbeZ7i0/Izl9ON75RS4:0MZoo7ornydMEFAL/nbi4BsSHusCZ16o
                                              MD5:26FE837EF342633643DDB4CC2C05B72B
                                              SHA1:C486AB298C3D99A7C797486CEC40B917511188C5
                                              SHA-256:9320A255AB115F81BB79EE46C1E228B7CC7D12CA2807FD0C33A9C721C171F863
                                              SHA-512:E152BA73A2553BE47DB4A7DA8B2B20E852DFFE9D53CDDCCFFFF694933F42231C17A7EA677EF9B768475BB8CB159FA3F19040E4A5FE046BF0253E8F285D696F8B
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.849010227228498
                                              Encrypted:false
                                              SSDEEP:24:Qp48L5SpXYoykykJgamRPK0inp5M/C+l45C/Lb8s+ON75RS4:248LApRykyk25PK0ip53+GsbNxS4
                                              MD5:B83CCFF19411F67AA11591553781C066
                                              SHA1:7C782E9C6474CA48AEAE70C54AB232D5A21E7666
                                              SHA-256:E024B7A1E362D142723BAF555C0DF040F7732FB4A8698DCA183C7C336E8A145B
                                              SHA-512:B2A9812E633758F7198C8DD77784894013540651926D5B6C4E415AE9103651547DE9C32EAC837E346A2C0657B4970B1E68750D56B92D2A80A0CDB7125A99BB42
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.857701582900447
                                              Encrypted:false
                                              SSDEEP:24:/wgp2t0hVs7jWSgXljdB1ltlynEYl5e2voc0Qo6IcRSdE8hH33NdiwdKXdyDj3Or:P0jkVNzlyEYl5e2D9FUdlNRdKX1xS4
                                              MD5:E8A2CF4A12EF6C32ECD7E8F8F9550C4F
                                              SHA1:C972F98E3E62A4D284F4110709E5A8FCA38C3868
                                              SHA-256:16000E74F7373D613984ED4089C52E98DCBDB09ED9147D7D6011FBD2D65ACC23
                                              SHA-512:4CE59A84D0E94C8D47ACAA9E333CA26A7EDDFCD2FFE905F2F31B84FA2AC2F64EA197E6505B351AA5C5EC97D7D95A03142E48604AFE80986CBAD187FDDC3D1B96
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.81489423342129
                                              Encrypted:false
                                              SSDEEP:24:gzbwQURj/PoXjqm4WOd5qy3UJnVJfgidhQko9W52tIkyEBQH7ON75RS4:ewQU9sj7D9V1t5jKQKxS4
                                              MD5:68EA2F18461CAE31824C84F5529A60F8
                                              SHA1:49F27E353537BC39748813C6F3B9D32109F92381
                                              SHA-256:4C14BE78219C29E19E74C2B3AF61F76DD30E3D803DE0396893EA16E34BBC752E
                                              SHA-512:934B38F4323934CA966BE2809424293E65F09AA578E01009889880216F37C7E9A4D5F84838F96BA5AE772BA263CDF68CB22E11647A6BAF3F684307A1C3252A42
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1272
                                              Entropy (8bit):7.869133982553183
                                              Encrypted:false
                                              SSDEEP:24:5y5R3xbPkWdbvE/koeSm75KVywaKD+SoFcKm+1u34U+IYZvbON75RS4:5y5RBbPksP5KVwKDP6Tm+gc9vKxS4
                                              MD5:97C8E489AE564C198A30F3630AADFBC8
                                              SHA1:28AFF8B9006787C09C0D31F3886D7CE80BB4DC8F
                                              SHA-256:9054EA65C6E09EB7004A2394F69AE07E4FCCBB2DCF18B30E8B701377A7D7C13A
                                              SHA-512:1222E909792170160BF662B987B42C1070692EB102390CFDC9EA3F59E287DF106897E5F8E7A7722DECCC396E355205E528AFF10DE1156260F5BE143A0B38047E
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1272
                                              Entropy (8bit):7.85079459395749
                                              Encrypted:false
                                              SSDEEP:24:vAXOVLGl+n/vC8F1e+YHYn8RUalSySU2f9FFNZcuX87JTXokVTXQGvvPwqON75Rp:vA+VLGUn/b0THxRllS999lCuX87RXLTA
                                              MD5:09D19A77D17D4AA58963A784A2BB7F7F
                                              SHA1:B95BD2CA8A7C9E537A893E4696B6BA6925DF4FF7
                                              SHA-256:C3B0DAE075F07466C9630784B50075C9432B101C208DBBDAEA6ECE40607A03B6
                                              SHA-512:18C25E0E88DED35C03ECA9276F38CAD99749EFD08F7B76D4F87A93BBB3F4959A91C7D8E07118E62F321E448E5E56E8E917DC8A46779ACBF863CDA3E6E0E35B57
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1275
                                              Entropy (8bit):7.871343804637022
                                              Encrypted:false
                                              SSDEEP:24:RArnjJQ28mmfQjZbh6efN/D2LpDAktI2D97Cj5NehUcxON75RS4:4jq5QjhhffgLNtr9QMhDMxS4
                                              MD5:591AFE56FE9A5428A35DEC855FAC7423
                                              SHA1:6E30349982F2674DBAE2C3A663B493A9877B1628
                                              SHA-256:567B99BE5D4F4D8D72F0F249D0EED052F779ABE6D88C5378434819EE1DE4639F
                                              SHA-512:54D38B878E23BDF040787E21D43D5664071BB5F4B55F9DFBA21FCBA6C5FFF5834D2B5CCF908BC99B27D6092F4233DB2A9A0150614AB096D9A15DF9B5161ABDAA
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.855481627885648
                                              Encrypted:false
                                              SSDEEP:24:YzhQYHmgHL95KlPGipAYhQTcL0F29HThYBgkYl2/BkqydQ6Isj2MhyPDrugON75L:YzPHNHL95K3AYHLrbYBgkTBkqxQy3ulr
                                              MD5:F65B4DFCCCDD22C1FB7CD81A960A9227
                                              SHA1:B283743FBF44633759985D35B44CDD7662B7804C
                                              SHA-256:EA7D5538F425FF435819F29A9FFD91F0825814475F43100A1E880FD356EC2071
                                              SHA-512:2CAA92BD10BEC7B09CB39107E12D02AA6D014EE96AEC13FFCD05E3696A6001985A5307C3FB1D5463ADF0E8B89BBADEFC002870FDFF5A2DB71F601F4901F561A0
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.853211256771208
                                              Encrypted:false
                                              SSDEEP:24:9kyBOM7XwedWQJl60oIkSL4mguwUSnhqXqON75RS4:xBOGwewQb60o3I3gsXrxS4
                                              MD5:798DF663DBD0A3C105527FC0DD9D4784
                                              SHA1:060C55ECCA95A947D0698768F560EA245664FB70
                                              SHA-256:4BC674E48C531ACC919CE7AB111712B911321330ECE3E6898C475D78BC0A4058
                                              SHA-512:50023C2E9B183035BB761416AE773E48D664B9E74A1DBEB42564056251E8B334E841B434E8FA53E3DA86A792DBFDF8477295B2DC4D3FC486E99F52FE23906E62
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1270
                                              Entropy (8bit):7.845526874927091
                                              Encrypted:false
                                              SSDEEP:24:+k97YEPowFvW0xr/eQPnyDQGFJsQCs4D9UxKUduiPwdcxhjEPwON75RS4:+ilFvzhe3DQGFJ0j9UxXduIUcxidxS4
                                              MD5:6EDAA8D25E8C892FCB5339EBF150F8F9
                                              SHA1:D2A85E41062C0526083BB90E46737D05279110B3
                                              SHA-256:5626ECDB2B509D6D2B55D4E574A179340D3B45BB2AB60C44A6639CACC7E92512
                                              SHA-512:552369EAFF908C4F5420BC32833FA2C2631D30CF673698E391E1EBA6793527DD431E1636D94DD86523831B2F7D10860521DBFD3D6E5AE85CE6DC1D12B267191A
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1271
                                              Entropy (8bit):7.846835951822244
                                              Encrypted:false
                                              SSDEEP:24:8Unu/sVoWyQ7DBvRCKAxvGUgctHqOztE+yT/zK+E4XDnCIS3Qpjx71Gb0pFON75L:8UnuOyQfBvRR+e5cXPpFKDnnS3Qp5aKq
                                              MD5:4E0C5D2106B5F5BA54549750702D4FD0
                                              SHA1:C2D13D4C4CDD455FB79D5490D216EE3AAAFB221B
                                              SHA-256:014DE638E8C632BE3BE03DDC4338874909CBD20EDFBC429B19E8392236B7356C
                                              SHA-512:7C2B4DACA03A5F0FC1A539202199F8B7EF711206DE627E3E288AB959D1C1A8AA9FE565264D801E12AB825346BE07133AE05A8D214D253FC6663D5EC05C5B6469
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1269
                                              Entropy (8bit):7.847916308002609
                                              Encrypted:false
                                              SSDEEP:24:Ssy8xYx2TR0eRqp8B9eCIQ7AmGZSesWNCFmST8aON75RS4:+EouBhx7NONCoSwxS4
                                              MD5:DBB99C49758CBC91D24D6A00F617E103
                                              SHA1:DE56B6DC0B2CCF7CAE84E2D02B05ED528C7385BA
                                              SHA-256:E3E604D64F2CA70BC358C02A719AA52E116BE47C73FDC1465B8564B372C6A3FC
                                              SHA-512:9AEB211B63286356072EB993311D9248CA72BC4BDB3954904A14B40986A80288842688EF40F2430251A1FEBACF05EB6AF57F4081B2C1DA0763A3A8C16128A761
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:false
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):350
                                              Entropy (8bit):7.44756592455235
                                              Encrypted:false
                                              SSDEEP:6:AP7SGMwTRbT22ExfhAF8Otju9j5SEFHT14qZze1713RJkp6r:qTFT2VlP/NPz14v175RS6r
                                              MD5:946B8D9FFD7304A36D2A406B26EB8FED
                                              SHA1:27B35257AD19304D6B6EAF076A33F02DCB90AD0B
                                              SHA-256:FD79EB3EE417BB399BEB52EAB87E97C5C1A0A28C760EC3B9806911D8BD2626E2
                                              SHA-512:A9EDEB8426185ADC569FDD064A96ACB6C260727C555EC655F5388DBE0B817D9481E8C55FBBC2BB5B75CB4814E9CA116E8F81C5559B8BC0081E65933E882E4F91
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):443
                                              Entropy (8bit):7.539823006097166
                                              Encrypted:false
                                              SSDEEP:12:UUMQtZrjLXFl3ktfygAq8R/sVz14v175RS6r:UK/LVl320hsVON75RS4
                                              MD5:73ED1875D0D08F81E62400DE2D47713F
                                              SHA1:79A94DA96F437A0A32F888A24B7972698CDB3958
                                              SHA-256:185866137070803A75D45A71676F0D25CCB84ED621FD20C6FB8B51B6B2B392EA
                                              SHA-512:FD3B9EE7D5A7B0E593F71E070FB07976EA6987604D5E5DA8FB157E960C87BA4953184A7B6DB4EE804096329FE5B290E1017FDC98D541AEAA71EFBECA8407D460
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):355
                                              Entropy (8bit):7.44882727492274
                                              Encrypted:false
                                              SSDEEP:6:aJTbQc6xNl6cIl2IXymkoFsOuz2U7YAIX+2ejUUFHT14qZze1713RJkp6r:4T8VNl69Omk22z2U7cX+5j1z14v175Rp
                                              MD5:FF858E0AD670C946F06290653A2650DC
                                              SHA1:2D4FA41A9E4A425EC7CBFDA410761FCD24DD645D
                                              SHA-256:F4B0E9D67F2320793AC14CE85276B51C8AE9C85E9115791B8703AE18AB2E5D2D
                                              SHA-512:81CC9F22A33EC9385E69465EE6A9F9C30770D62CDAC564D09094C856AA9A69C433C83EA325F5FE92B29B7C39CD32C8066E18480DD0B15A8870B1E07047D73C49
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):347
                                              Entropy (8bit):7.351728786348503
                                              Encrypted:false
                                              SSDEEP:6:Lhjwiu2QtCrIaCExPZklBnq1Rz2kSJ5mFHT14qZze1713RJkp6r:LOiu+rxPZQq+/5Wz14v175RS6r
                                              MD5:EEE54D81994265F7212FE5F2DFD5514E
                                              SHA1:45AB93CC52D0345341778183C0B3ADC85EF6B5BF
                                              SHA-256:E9A16740723EE99EB3A98E58BFE48A44FC9CC9AB53A2D9B4B0760413F7961759
                                              SHA-512:7CCBC329422C80D0EDDAAB0D4FD38FD6D6D6273D3AD3887A4DE2CE7FC6EB1085A3E23FED471E97C8BF83379A399A1FF196903DF3F75426DEAD4389AED26D9A6B
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:false
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:DOS executable (COM, 0x8C-variant)
                                              Category:dropped
                                              Size (bytes):344
                                              Entropy (8bit):7.297397605107646
                                              Encrypted:false
                                              SSDEEP:6:ghmiDQcVlaMWKihGeUn5uwEqRUMY8/OZDRBOlVFHT14qZze1713RJkp6r:ncQcVfWK8Ge3HMSDRBKz14v175RS6r
                                              MD5:4F655A88FA26878FEF1DA76B5DF75A3F
                                              SHA1:11ACDB38838E09EB1A7B7CD204417A21B8735F38
                                              SHA-256:5592DDB613761EAEBBF9728C4366A7D3D3BF0BA79D2179B81BBD23F14C8E1722
                                              SHA-512:667794F488D5A27BA9044F67D4B5B849907AECA50FD56C2A6423CDDAA4A39B135040C344E3FC9ED52D1FE3351C2C4C5D8722304120B11D63C300A68894BA7681
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:OpenPGP Public Key Version 6, Created Sat Jul 24 00:34:41 2027, Unknown Algorithm (0xe3)
                                              Category:dropped
                                              Size (bytes):353
                                              Entropy (8bit):7.332221683556888
                                              Encrypted:false
                                              SSDEEP:6:vGuih+QyBMq7aU3BJkMKxjs6J+QcF3nTCnXA6xEFHT14qZze1713RJkp6r:goB9ZkZl9+XFXTCEz14v175RS6r
                                              MD5:D9AE7D904CFA1B6E8DDC72D80E5F89D4
                                              SHA1:6D51DC9B323067DF689DCD1EBAC5855116340B6C
                                              SHA-256:0F09B70896EED3BB47797DDE89D2CCD81523B4528D7FA54BC991AC60F534D186
                                              SHA-512:4846D5F45681ED40CD7DA3F171B40CC47F0AD18C1985B09F01E5F9A94C99374BBBDFBA3B115FEB9397B8EFAB730C7504247D6584276CBFC73AAAA86715B20F79
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):349
                                              Entropy (8bit):7.305089352428363
                                              Encrypted:false
                                              SSDEEP:6:A1bcjceY4lqnzAeglysnFUzgZ5gcTN+X9lhgr+DsbDEd9o2PnPE6EFHT14qZze1t:A5cbY4OEt4snF6T2CDsbYd9o2Pbcz14r
                                              MD5:54F4C5B63D10A6ECB06C8F9E61C22224
                                              SHA1:552B3D7338C57133DBDA5129C728F4818E2EC6CE
                                              SHA-256:9E88BDE16CDFC27E73B5A19E8327697793572287CE44B6387C92F658A5AFDDFD
                                              SHA-512:B36083E2F269257E9D193680862FE96AAA055A4B9313FD2E2262492910ACAD132F575414ADF15FDE01DEBBF4092A58BBA15B9C6AB9B26D0BA583D5593758DD23
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):350
                                              Entropy (8bit):7.411594237507253
                                              Encrypted:false
                                              SSDEEP:6:GxG+oATojL3JeAlOI4FkW9lhgr3UT3q2lhEJ8PywzE6EFHT14qZze1713RJkp6r:gG+hIllHYX2LUjq2lhFLI6cz14v175Rp
                                              MD5:1D1E7B148F577BF7022434F1F1873D1F
                                              SHA1:FD4C5B4D0A7B0CC47952512C7712D92EC31F934B
                                              SHA-256:6FBA7959E93E0F3BD5BEF4F0CB6F25FC6193B89ED6D39A4EC56A10256863DA0B
                                              SHA-512:702D4ECC0479643CF6B12FF197B3B0763A5D95CB0D9FC9EA8B8096C7FB8B6E38EE3A263CC9C64514CB824137E9DAF7756B73FABEB35E97E7885FA5CCA95BE47F
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):356
                                              Entropy (8bit):7.378738963548679
                                              Encrypted:false
                                              SSDEEP:6:is0AFqXQeRH5z6ucij4JpCIu8Xo72ZLtvb5Sj7+D2FHT14qZze1713RJkp6r:isdFTmHtZcijDIK72JXDDGz14v175RS4
                                              MD5:C9CE3DAA161D15CA389B824455D39798
                                              SHA1:47F6AC4CCC1F46AA2FE2D3B0251F43D589E2E7E1
                                              SHA-256:226756E30D4BBB58B5FDC52ED4F6385E7629FA6E3593CDABB27F5496F32B4C67
                                              SHA-512:409A25AB342C42C4FCF4EE340DFBD4E4CBDC9274D6CCA9016545FD2ADD62F01FCD58EB7983B26402B399ABB0D14FD3B1D3CD787288E6AF3B14F40F5486BD14B4
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):350
                                              Entropy (8bit):7.362607817428035
                                              Encrypted:false
                                              SSDEEP:6:B3JNnJvuWc8WqHQBUmBAlTjpelhgryN8SHiCA9GIqUw/bEFHT14qZze1713RJkp4:BLEW+qCsTju2fSyq3cz14v175RS6r
                                              MD5:75FC56A7F5B2C6351A1C5A6A948F42CD
                                              SHA1:5512FF433FB46E9A2E472890C6BE64D305ACA6C8
                                              SHA-256:8150B6253A589E943274059B11554113FCAFD540BD143AED6B281875E7D30711
                                              SHA-512:ED2EDF9E3A3AE67656EB07E76A97B6886E3B5C926A5F02A0EC330A8BB92A50D3A7A28F50CB36770A8F7670BC1FB4D6E78F06E36996B08683A9043A984923D56C
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:false
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:true
                                              Preview:..~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~....>>>>> Your data is stolen and encrypted.....BLOG Tor Browser Links:..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What guarantee is there that we won't cheat you? ..We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situ
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):497
                                              Entropy (8bit):7.575465900714034
                                              Encrypted:false
                                              SSDEEP:12:ou2WlsUgjfU/oLVTYbnfNfOZOp36Pz14v175RS6r:vflsUw0UYRGZHON75RS4
                                              MD5:A2EF0FE81AEA189300407BEA92DCF8DA
                                              SHA1:A5D9C7F5AE3EA77C9C09C1569ABFC09A6FA35A08
                                              SHA-256:218E478D87AA8F940C4AC41F32457C34E2DDFCC2263DA96B3A84125C704EC6F2
                                              SHA-512:B6576D33A4F18CAC6A3FEDAF321F6494A80E91126212CB4941C05B653E7087C67D26C091E171A4A9701E32568C093536C9442220B693F8E6E35BB5982C220268
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):511
                                              Entropy (8bit):7.5548289147368815
                                              Encrypted:false
                                              SSDEEP:12:4ksmqps2POw2NWyuVXU7LUxT0IAbUL5sl4Dz14v175RS6r:4ksmqps22wiuUccbULkKON75RS4
                                              MD5:5732DFFFA658BA7BAFE00835BAB58EBC
                                              SHA1:0F53C9B7E962B54631C847503E36A983AC599B17
                                              SHA-256:0616F4A60BF54914FD3D24BFF16A13C9B74CF7D6A9DB12300F0BE4653D21AD9E
                                              SHA-512:50B0C3A2F678396F0733EDD24F4E335BBF024DE68F1444FD79448CC74007B76E441D6B3765DBA73B13B4661F0A50295E3E7CB0C4004510074A1ECB79F6BF3008
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1174
                                              Entropy (8bit):7.826158272498981
                                              Encrypted:false
                                              SSDEEP:24:shnJebX8acYaHM0pgFad91SQCyYr9qKC+4TvnGON75RS4:shnJebX8aNggFqSlyYtC+YvnvxS4
                                              MD5:63A529992520748B26E271F843E1A5E3
                                              SHA1:6C5A3FD804B36CA6ABEB60579774340373C3CB0C
                                              SHA-256:A0FEFDD95A3AAE84A64E9B870A1D5B80413E8ADED9B064EE092B06A448D53AE2
                                              SHA-512:8E6FEB2D482E965F93145B0D0C9A4AF7988D93BD77F2F9A4D258B5B5808B4730E6227B07387FA81291BC33E76F33BCEF515E2A8A3D39421BDD07797D5969170F
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):239
                                              Entropy (8bit):7.088569881255166
                                              Encrypted:false
                                              SSDEEP:6:GMIVccJWuSzEW2BN6m7FHT14qZze1713RJkp6r:GMgtJ2R2BN6mxz14v175RS6r
                                              MD5:7AAD2FE7098A4039EA6BC05A8B5BB20E
                                              SHA1:E5A47A4D56C0A1611A357CE49FE45D1F6DB7D2AB
                                              SHA-256:CC997D983CB972FA98CF9C8128BE1C349370CB73B8A63CD6913C24B6558320C7
                                              SHA-512:F8B0D22E1CE1DADDFD569C53FE8FA130B5DB7FDD8823AE095703C1B0031284959AB0F6413D3848E2C09E699BE108F280E11FE4919AA60CF5CFDD358AF9058C0B
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:ASCII text, with very long lines (657), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3113
                                              Entropy (8bit):5.073662186370686
                                              Encrypted:false
                                              SSDEEP:96:sW0YHo/AHJmubKS1yx0TydEminWKws1zLq5nPAvYzmlxSU/svS:sWbwub300PmuQkzG5nPuYzmlxSU/sK
                                              MD5:0F14542975A6489947F44B38181C14C8
                                              SHA1:C5814F8D9AC315C1FE70060843D6A66A315617A1
                                              SHA-256:EF07E80DFC629CE55A0D377CE08B1215EB64512425F90ACC555BA7EC84CEF3AB
                                              SHA-512:FF3124D19C1DFA420F3A1475F29B31A833F3BB141B4BC9C560C85170CE18B46D946222A936AD395D46B5A2B549946197EC8BE96E254E445D8286E23859FD6C06
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):3.7022085933443503
                                              Encrypted:false
                                              SSDEEP:3:ETlVlYDI2Y1AnO5lmFRR:EpPY4GEyRR
                                              MD5:D6E851E7ED7CF499AE146A3975D459D2
                                              SHA1:7F72CFF22DE5A6675AC0E75A1B53DB13C669D3A3
                                              SHA-256:00FA92D00948C85240D506389368EC012F2791D97C26E996C0414174308A9B08
                                              SHA-512:9C8179D486E02E513425F2950062386AE5B607C46B4AB1E1F58E97E8106F27C5CDE792CCCB4E3E54234A96F252984185780AE1E94C6CDA2E5EAD37502254AB8E
                                              Malicious:false
                                              Preview:....2.1.6.0.4.1.....\MAILSLOT\NET\GETDCCF2D1F9E............ ....
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):22
                                              Entropy (8bit):4.186704345910024
                                              Encrypted:false
                                              SSDEEP:3:otltOus:otHOT
                                              MD5:17E1E6115211333003DBE7703E978693
                                              SHA1:D979F42F52D022C4DE10DC6EC8F3A605E24263B8
                                              SHA-256:CD27BD20EBC9ECAB8CFA4BC1F89FAC843C9470BC564C675A1A62C6ABAEF80B50
                                              SHA-512:8159EBC73122E7F4D74933BACB72F398F9EDB54ADAF1A19C5B0138D2369A002DD7B2852A1F07B6E2966B1098404D8836987192964D59BB8C1E169B6DB1B46A80
                                              Malicious:false
                                              Preview:C:\PROGRA~3\9BAE.tmp..
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.1041925348557875
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.94%
                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:yEB1xvr2rZ.exe
                                              File size:164'249 bytes
                                              MD5:7e488e4928dd33d8aaf738da2baaba46
                                              SHA1:6caa45286b4f92555cb4cb5f2ff8ccdb37e09a1e
                                              SHA256:086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529
                                              SHA512:643e834c0281803f44e85e8a3e50f0795a2f41c1bfdd62873cc509536e8752b736729a7ab6c8af4177ae0bbe90229d31f5fffe1d1d4539b710d9aa94acce931b
                                              SSDEEP:3072:JDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368DCH2C+7cSFaCaqWGnW:D5d/zugZqll33n7CKW
                                              TLSH:EDF37D31B152E137CA6634F5A72AB3B073899E2C12A8A467F6D4CF4B34738236F15947
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e.b............................o.............@.......................................@...........@....................
                                              Icon Hash:90cececece8e8eb0
                                              Entrypoint:0x41b46f
                                              Entrypoint Section:.itext
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x62A4657F [Sat Jun 11 09:50:55 2022 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:1
                                              File Version Major:5
                                              File Version Minor:1
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:1
                                              Import Hash:3bc510de773c954bd69d33670cb624d6
                                              Instruction
                                              nop
                                              call 00007F391CCF4580h
                                              call 00007F391CCE178Fh
                                              call 00007F391CCE4D2Ah
                                              call 00007F391CCF2439h
                                              push 00000000h
                                              call dword ptr [004275C0h]
                                              call 00007F391CCF3D9Ah
                                              call 00007F391CCF3D89h
                                              call 00007F391CCF3D90h
                                              call 00007F391CCF3D85h
                                              call 00007F391CCF3D7Ah
                                              call 00007F391CCF3D6Fh
                                              call 00007F391CCF3D64h
                                              call 00007F391CCF3D4Dh
                                              call 00007F391CCF3D48h
                                              call 00007F391CCF3D49h
                                              call 00007F391CCF3D3Eh
                                              call 00007F391CCF3D39h
                                              call 00007F391CCF3D40h
                                              call 00007F391CCF28D5h
                                              call 00007F391CCF28D0h
                                              call 00007F391CCF28ADh
                                              call 00007F391CCF28C0h
                                              call 00007F391CCF28AFh
                                              call 00007F391CCF28C2h
                                              call 00007F391CCF2881h
                                              call 00007F391CCF2876h
                                              call 00007F391CCF2889h
                                              call 00007F391CCF287Eh
                                              call 00007F391CCF2873h
                                              call 00007F391CCF2886h
                                              call 00007F391CCF2887h
                                              call 00007F391CCF2888h
                                              call 00007F391CCF285Fh
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1c220 | 0x50 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a000 | 0x1128 | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1c110 | 0x1c | .rdata
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x1c000 | 0x60 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x1000 | 0x1983c | 0x19a00 | 77f1d0aea9e9462b32efcd4d44dfc4c0 | False | 0.4443692835365854 | data | 6.632719440409723 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .itext | 0x1b000 | 0x518 | 0x600 | 20ecbfcc87e53c78ea8ce9c0dd66c6bc | False | 0.234375 | data | 2.7807255627049052 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rdata | 0x1c000 | 0x43a | 0x600 | 9ca82a61ff7ef48f91aac3b0abfa7802 | False | 0.3372395833333333 | data | 3.2050103933604612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data | 0x1d000 | 0xadc0 | 0xa000 | 7e8249c7d415d465538bec56fd2748d6 | False | 0.98251953125 | SysEx File - | 7.9865833293143424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .pdata | 0x28000 | 0x1499 | 0x1600 | 32a78437ec88e522eca94a6f11786778 | False | 0.9465553977272727 | data | 7.781552568221316 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .reloc | 0x2a000 | 0x1128 | 0x1200 | d1fc67767f0df03587cc49406db85585 | False | 0.8107638888888888 | GLS_BINARY_LSB_FIRST | 6.62355195676201 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              DLL | Import
                                              gdi32.dll | SetPixel, GetPixel, GetTextColor, SelectPalette, SelectObject, GetTextMetricsW, TextOutW, GetTextCharset, CreateSolidBrush, CreateFontW, SetTextColor, CreateDIBitmap
                                              USER32.dll | LoadImageW, GetClassNameW, DialogBoxParamW, CreateDialogParamW
                                              KERNEL32.dll | GetCommandLineA, GetAtomNameW, LoadLibraryW, GetFileAttributesW
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              May 25, 2024 03:16:39.317981005 CEST | 53 | 56458 | 162.159.36.2 | 192.168.2.4
                                              May 25, 2024 03:16:40.017615080 CEST | 53 | 53205 | 1.1.1.1 | 192.168.2.4


                                              Target ID:0
                                              Start time:21:15:51
                                              Start date:24/05/2024
                                              Path:C:\Users\user\Desktop\yEB1xvr2rZ.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\yEB1xvr2rZ.exe"
                                              Imagebase:0x30000
                                              File size:164'249 bytes
                                              MD5 hash:7E488E4928DD33D8AAF738DA2BAABA46
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                              • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000003.1609094196.0000000000774000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000003.1606567763.0000000000703000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000003.1669835858.0000000000703000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000000.1592345976.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000000.00000000.1592345976.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                              • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000003.1608871733.0000000000774000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:21:15:59
                                              Start date:24/05/2024
                                              Path:C:\ProgramData\9BAE.tmp
                                              Wow64 process (32bit):true
                                              Commandline:"C:\ProgramData\9BAE.tmp"
                                              Imagebase:0x400000
                                              File size:14'336 bytes
                                              MD5 hash:294E9F64CB1642DD89229FFF0592856B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 83%, ReversingLabs
                                              • Detection: 82%, Virustotal, Browse
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:13
                                              Start time:21:16:57
                                              Start date:24/05/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9BAE.tmp >> NUL
                                              Imagebase:0x240000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:14
                                              Start time:21:16:57
                                              Start date:24/05/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true


                                                Execution Graph

                                                Execution Coverage:19.2%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:17.5%
                                                Total number of Nodes:1739
                                                Total number of Limit Nodes:9
9635->9636 9635->9638 9636->9638 9639 3ce30 9637->9639 9638->9397 9639->9638 9640 38c4c RtlAllocateHeap 9639->9640 9641 3ce76 9640->9641 9641->9638 9642 386d0 RtlFreeHeap 9641->9642 9642->9638 9644 3cfea 9643->9644 9645 386a8 RtlAllocateHeap 9644->9645 9647 3cff5 9645->9647 9646 3b87c 9646->9401 9657 3d3d8 9646->9657 9647->9646 9648 386d0 RtlFreeHeap 9647->9648 9649 3d016 9648->9649 9651 3d170 9649->9651 9716 38c7c 9649->9716 9650 386d0 RtlFreeHeap 9650->9646 9651->9650 9653 3d126 9654 38c7c RtlAllocateHeap 9653->9654 9655 3d14b 9654->9655 9656 38c7c RtlAllocateHeap 9655->9656 9656->9651 9659 3d3ed 9657->9659 9658 3b895 9658->9401 9663 3d2fc CheckTokenMembership 9658->9663 9659->9658 9660 386a8 RtlAllocateHeap 9659->9660 9662 3d426 9660->9662 9661 386d0 RtlFreeHeap 9661->9658 9662->9658 9662->9661 9663->9416 9665 44cc8 9664->9665 9667 44d26 9665->9667 9719 44a28 9665->9719 9667->9404 9669 386a8 RtlAllocateHeap 9668->9669 9670 38c5d 9669->9670 9670->9531 9672 38d6f 9671->9672 9677 38cf0 9672->9677 9674 38d8f 9675 386d0 RtlFreeHeap 9674->9675 9676 38da3 9675->9676 9676->9557 9678 386a8 RtlAllocateHeap 9677->9678 9679 38d13 9678->9679 9679->9674 9681 386a8 RtlAllocateHeap 9680->9681 9684 3b61a 9681->9684 9682 3b61d NtQuerySystemInformation 9682->9684 9688 3b633 9682->9688 9683 3b650 9685 386d0 RtlFreeHeap 9683->9685 9684->9682 9684->9683 9695 386f8 9684->9695 9687 3b658 9685->9687 9687->9582 9689 386d0 RtlFreeHeap 9688->9689 9690 3b696 9689->9690 9690->9582 9693 3b6c9 9691->9693 9692 3b792 NtClose 9694 3b79b 9692->9694 9693->9692 9693->9694 9694->9583 9696 38700 9695->9696 9697 3870e RtlReAllocateHeap 9696->9697 9697->9684 9699 40144 9698->9699 9700 40151 9698->9700 9699->9700 9701 386a8 RtlAllocateHeap 9699->9701 9700->9610 9701->9700 9703 3b576 9702->9703 9705 3b59e 9702->9705 9704 386a8 RtlAllocateHeap 9703->9704 9704->9705 9705->9624 9707 386a8 RtlAllocateHeap 9706->9707 9708 3ca6d 9707->9708 9709 3caa3 9708->9709 9710 386f8 RtlReAllocateHeap 9708->9710 9715 3ca86 
9708->9715 9711 386d0 RtlFreeHeap 9709->9711 9710->9708 9712 3caab 9711->9712 9712->9629 9713 386d0 RtlFreeHeap 9714 3cbd0 9713->9714 9714->9629 9715->9713 9717 386a8 RtlAllocateHeap 9716->9717 9718 38c8e 9717->9718 9718->9653 9720 44a39 9719->9720 9722 44bc7 9720->9722 9723 3d1e0 9720->9723 9722->9667 9724 3d1f2 9723->9724 9725 3d1ef 9723->9725 9724->9725 9726 3d239 NtSetInformationThread 9724->9726 9725->9722 9727 3d24f NtClose 9726->9727 9728 3d24e 9726->9728 9727->9725 9728->9727 9730 3b9e3 9729->9730 9731 3ba7e 9729->9731 10014 39dec 9730->10014 9738 48b04 9731->9738 9734 3ba31 9735 3ba51 CreateMutexW 9734->9735 10018 38750 9735->10018 9736 41f84 14 API calls 9736->9734 9749 48b1b 9738->9749 9739 48bc9 9740 48be4 CreateThread 9739->9740 9741 48bff 9739->9741 9740->9741 10563 3ad98 RtlAdjustPrivilege 9740->10563 10024 392d8 GetLogicalDriveStringsW 9741->10024 9743 48b86 9743->9739 9748 3ba84 3 API calls 9743->9748 9747 48c19 9750 48c27 9747->9750 10031 39b14 OpenSCManagerW 9747->10031 9748->9739 9749->9739 9749->9743 10168 3ba84 9749->10168 9752 48c30 CreateThread 9750->9752 9753 48c48 9750->9753 9752->9753 10578 39c88 9752->10578 9754 48cc5 9753->9754 10037 3d554 9753->10037 9755 48cef 9754->9755 9756 48cdb NtTerminateThread 9754->9756 9757 48d13 9755->9757 9758 48cf8 CreateThread 9755->9758 9756->9755 9763 48e02 9757->9763 9764 48d33 9757->9764 9758->9757 10558 3b458 9758->10558 10193 43404 9763->10193 9768 48da9 9764->9768 10113 3f820 9764->10113 9766 48ca5 9772 400a0 2 API calls 9766->9772 9777 48cb8 9766->9777 9770 3d494 NtQueryInformationToken 9768->9770 9774 48dae 9770->9774 9776 48cb3 9772->9776 9779 48db2 9774->9779 9780 48db9 9774->9780 10091 41758 9776->10091 9784 400a0 2 API calls 9777->9784 9778 400a0 2 API calls 9785 48c96 9778->9785 10189 3a790 9779->10189 10128 3a060 9780->10128 9784->9754 10060 42508 9785->10060 9787 48e00 9787->9425 9788 48db7 9788->9787 10162 3b464 9788->10162 9791 48c9b 9793 400a0 2 API calls 9791->9793 9795 48ca0 9793->9795 
10067 426b4 9795->10067 9796 41f84 14 API calls 9796->9787 9799 38798 RtlAllocateHeap 9798->9799 9801 43b44 9799->9801 9800 43bdd 9800->9425 9801->9800 9802 43b75 9801->9802 9803 43b66 9801->9803 10657 39298 9802->10657 10631 41ad0 9803->10631 9807 43bd5 9808 386d0 RtlFreeHeap 9807->9808 9808->9800 9809 386a8 RtlAllocateHeap 9844 43bba 9809->9844 9810 43bf2 9811 386d0 RtlFreeHeap 9810->9811 9811->9800 9812 3c0a0 NtSetInformationThread NtClose 9812->9844 9813 43c66 9816 386d0 RtlFreeHeap 9813->9816 9814 3c158 2 API calls 9814->9844 9815 43e3f 9817 386d0 RtlFreeHeap 9815->9817 9816->9800 9817->9800 9818 43d5e 9820 386d0 RtlFreeHeap 9818->9820 9819 43d71 10669 3c1fc 9819->10669 9820->9800 9821 43d41 9825 386d0 RtlFreeHeap 9821->9825 9822 43e71 9823 387e8 RtlAllocateHeap 9822->9823 9829 43eca 9823->9829 9825->9800 9826 43d95 9832 43df3 9826->9832 9833 43dfd 9826->9833 9827 43e52 9827->9822 9828 43e67 9827->9828 9834 386d0 RtlFreeHeap 9828->9834 9835 386d0 RtlFreeHeap 9829->9835 9837 387e8 RtlAllocateHeap 9832->9837 10673 388d8 9833->10673 9834->9800 9839 43ed3 9835->9839 9836 43d88 9840 386d0 RtlFreeHeap 9836->9840 9841 43dfb 9837->9841 9839->9800 9845 4243c 11 API calls 9839->9845 9840->9800 9843 386d0 RtlFreeHeap 9841->9843 9842 3c988 NtSetInformationThread NtClose 9842->9844 9846 43e0e 9843->9846 9844->9800 9844->9807 9844->9809 9844->9810 9844->9812 9844->9813 9844->9814 9844->9815 9844->9818 9844->9819 9844->9821 9844->9822 9844->9826 9844->9827 9844->9842 9847 386d0 RtlFreeHeap 9844->9847 10663 3c778 9844->10663 9845->9800 9846->9800 10677 4243c 9846->10677 9847->9844 9850 437f8 2 API calls 9849->9850 9851 439d2 9850->9851 9852 439d6 9851->9852 9853 439f7 9851->9853 9855 439f2 9852->9855 9857 41f84 14 API calls 9852->9857 9854 3b464 2 API calls 9853->9854 9856 439fc 9854->9856 9855->9425 9858 43a00 9856->9858 9859 43a0a 9856->9859 9857->9855 9860 48b04 129 API calls 9858->9860 10686 3d2fc CheckTokenMembership 9859->10686 9862 43a05 9860->9862 9862->9425 9863 
43b26 9863->9425 9864 43a85 9865 43ace 9864->9865 9870 3ba84 3 API calls 9864->9870 10687 42900 9865->10687 9866 3ba84 3 API calls 9866->9864 9868 43a0f 9868->9863 9868->9864 9868->9866 9870->9865 9875 42968 3 API calls 9876 43b13 9875->9876 10735 42c40 9876->10735 9879 3a060 15 API calls 9880 43b1f 9879->9880 9881 4317c 2 API calls 9880->9881 9881->9863 10774 436b8 9882->10774 9885 3a060 15 API calls 9886 48e2f 9885->9886 9887 3d494 NtQueryInformationToken 9886->9887 9891 48e48 9887->9891 9888 48ec0 9888->9425 9889 3b464 2 API calls 9890 48ea0 9889->9890 9892 41f84 14 API calls 9890->9892 9891->9888 9891->9889 9892->9888 9894 45424 RtlAllocateHeap 9893->9894 9898 48a82 9894->9898 9895 48af1 9896 48aff 9895->9896 9897 386d0 RtlFreeHeap 9895->9897 9908 4868c 9896->9908 9897->9896 9898->9895 9899 48ac6 9898->9899 10788 47f60 9898->10788 10806 45970 9899->10806 9905 48ae7 9907 45970 2 API calls 9905->9907 9907->9895 9909 486a0 9908->9909 9910 4886f 9908->9910 9911 45424 RtlAllocateHeap 9909->9911 9910->9425 9916 486b0 9911->9916 9912 48756 9913 48861 9912->9913 9914 386d0 RtlFreeHeap 9912->9914 9913->9910 9915 386d0 RtlFreeHeap 9913->9915 9914->9913 9915->9910 9916->9912 9917 386a8 RtlAllocateHeap 9916->9917 9918 48778 9917->9918 9918->9912 11114 48158 9918->11114 9921 45424 RtlAllocateHeap 9920->9921 9925 453ee 9921->9925 9922 45412 9923 45420 9922->9923 9924 386d0 RtlFreeHeap 9922->9924 9923->9425 9924->9923 9925->9922 11124 45254 9925->11124 9928 48894 9927->9928 9929 38c4c RtlAllocateHeap 9928->9929 9930 489a5 9929->9930 9931 38c4c RtlAllocateHeap 9930->9931 9940 489ae 9930->9940 9932 489bf 9931->9932 9938 38c4c RtlAllocateHeap 9932->9938 9932->9940 9933 48a4b 9934 48a59 9933->9934 9936 386d0 RtlFreeHeap 9933->9936 9937 48a67 9934->9937 9939 386d0 RtlFreeHeap 9934->9939 9935 386d0 RtlFreeHeap 9935->9933 9936->9934 9937->9451 9938->9940 9939->9937 9940->9933 9940->9935 9942 41fb9 9941->9942 9943 38c4c RtlAllocateHeap 9942->9943 9944 42032 9943->9944 9945 386a8 
RtlAllocateHeap 9944->9945 9946 4203b 9944->9946 9950 42052 9945->9950 9947 42400 9946->9947 9948 386d0 RtlFreeHeap 9946->9948 9949 4240e 9947->9949 9952 386d0 RtlFreeHeap 9947->9952 9948->9947 9953 386d0 RtlFreeHeap 9949->9953 9954 4241c 9949->9954 9950->9946 11142 41e08 9950->11142 9952->9949 9953->9954 9955 4242a 9954->9955 9957 386d0 RtlFreeHeap 9954->9957 9955->9425 9956 42083 9956->9946 9958 420a4 GetTempFileNameW CreateFileW 9956->9958 9957->9955 9958->9946 9959 420e9 WriteFile 9958->9959 9959->9946 9960 42105 CreateProcessW 9959->9960 9960->9946 9962 4216f NtQueryInformationProcess 9960->9962 9962->9946 9963 42193 NtReadVirtualMemory 9962->9963 9963->9946 9964 421ba 9963->9964 9965 38c4c RtlAllocateHeap 9964->9965 9966 421c4 9965->9966 9966->9946 9967 42228 NtProtectVirtualMemory 9966->9967 9967->9946 9968 42254 NtWriteVirtualMemory 9967->9968 9968->9946 9969 4226e 9968->9969 9969->9946 9970 422d1 NtDuplicateObject 9969->9970 9970->9946 9971 422f9 CreateNamedPipeW 9970->9971 9971->9946 9972 42365 ResumeThread ConnectNamedPipe 9971->9972 9972->9946 9975 3c17b 9973->9975 9974 3c195 9974->9460 9974->9461 9975->9974 9976 3d1e0 2 API calls 9975->9976 9976->9974 9978 38798 RtlAllocateHeap 9977->9978 9982 43f10 9978->9982 9979 3c158 2 API calls 9979->9982 9980 3c0a0 NtSetInformationThread NtClose 9980->9982 9981 4408c 9983 386d0 RtlFreeHeap 9981->9983 9982->9979 9982->9980 9982->9981 9984 43fab 9982->9984 9986 43fbe 9982->9986 9987 43f8e 9982->9987 9988 440be 9982->9988 9992 4409f 9982->9992 10000 43fe2 9982->10000 10004 43f96 9982->10004 10009 3c988 NtSetInformationThread NtClose 9982->10009 10011 386d0 RtlFreeHeap 9982->10011 9983->10004 9985 386d0 RtlFreeHeap 9984->9985 9985->10004 9990 3c1fc 2 API calls 9986->9990 9991 386d0 RtlFreeHeap 9987->9991 9989 387e8 RtlAllocateHeap 9988->9989 9993 44117 9989->9993 9994 43fd1 9990->9994 9991->10004 9992->9988 9997 440b4 9992->9997 9998 386d0 RtlFreeHeap 9993->9998 9999 43fd5 9994->9999 9994->10000 9995 44040 10001 
387e8 RtlAllocateHeap 9995->10001 9996 4404a 10002 388d8 RtlAllocateHeap 9996->10002 10003 386d0 RtlFreeHeap 9997->10003 10005 44120 9998->10005 10006 386d0 RtlFreeHeap 9999->10006 10000->9995 10000->9996 10007 44048 10001->10007 10002->10007 10003->10004 10004->9425 10005->10004 10010 4243c 11 API calls 10005->10010 10006->10004 10008 386d0 RtlFreeHeap 10007->10008 10012 4405b 10008->10012 10009->9982 10010->10004 10011->9982 10012->10004 10013 4243c 11 API calls 10012->10013 10013->10004 10016 39e05 10014->10016 10015 39ebe 10015->9734 10015->9736 10016->10015 10021 38724 10016->10021 10019 386d0 RtlFreeHeap 10018->10019 10020 3875f 10019->10020 10020->9731 10022 386a8 RtlAllocateHeap 10021->10022 10023 3873a 10022->10023 10023->10015 10025 39323 10024->10025 10026 392fb 10024->10026 10029 3969c CoInitialize 10025->10029 10026->10025 10027 39304 GetDriveTypeW 10026->10027 10222 3932c 10026->10222 10027->10026 10030 396d1 10029->10030 10030->9747 10032 39b42 10031->10032 10036 39b71 10031->10036 10034 386a8 RtlAllocateHeap 10032->10034 10033 39c25 10033->9750 10034->10036 10035 386d0 RtlFreeHeap 10035->10033 10036->10033 10036->10035 10038 38724 RtlAllocateHeap 10037->10038 10039 3d55c 10038->10039 10040 3d562 NtSetInformationProcess NtSetInformationProcess NtSetInformationProcess 10039->10040 10041 3d5a4 10039->10041 10042 38750 RtlFreeHeap 10040->10042 10043 3ffd0 10041->10043 10042->10041 10046 3ffdd 10043->10046 10044 40042 10044->9754 10044->9766 10049 3c4ac 10044->10049 10045 40012 CreateThread 10045->10046 10290 3fc5c SetThreadPriority 10045->10290 10046->10044 10046->10045 10047 3d264 NtSetInformationThread 10046->10047 10048 40033 NtClose 10047->10048 10048->10046 10050 3c4d3 GetVolumeNameForVolumeMountPointW 10049->10050 10052 3c516 FindFirstVolumeW 10050->10052 10053 3c767 10052->10053 10058 3c532 10052->10058 10053->9778 10054 3c54b GetVolumePathNamesForVolumeNameW 10054->10058 10055 3c57c GetDriveTypeW 10055->10058 10056 3c61d CreateFileW 10057 3c643 
DeviceIoControl 10056->10057 10056->10058 10057->10058 10058->10053 10058->10054 10058->10055 10058->10056 10059 3c420 6 API calls 10058->10059 10059->10058 10061 42562 10060->10061 10063 425d8 10061->10063 10066 42633 10061->10066 10298 3d2fc CheckTokenMembership 10061->10298 10064 425dc 10063->10064 10299 387e8 10063->10299 10064->9791 10066->9791 10068 426c9 10067->10068 10303 3c2a8 CreateThread 10068->10303 10070 426db 10071 386a8 RtlAllocateHeap 10070->10071 10090 426e1 10070->10090 10073 426f3 10071->10073 10072 428da 10075 428e8 10072->10075 10077 386d0 RtlFreeHeap 10072->10077 10076 3c2a8 6 API calls 10073->10076 10073->10090 10074 386d0 RtlFreeHeap 10074->10072 10078 428f6 10075->10078 10080 386d0 RtlFreeHeap 10075->10080 10079 42710 10076->10079 10077->10075 10078->9766 10081 386a8 RtlAllocateHeap 10079->10081 10079->10090 10080->10078 10082 4272b 10081->10082 10083 386a8 RtlAllocateHeap 10082->10083 10082->10090 10086 42746 10083->10086 10085 387e8 RtlAllocateHeap 10087 427a2 CreateThread 10085->10087 10086->10085 10088 387e8 RtlAllocateHeap 10086->10088 10089 3d1e0 2 API calls 10086->10089 10086->10090 10311 3bfe0 CreateThread 10086->10311 10087->10086 10321 40dd4 GetFileAttributesW 10087->10321 10088->10086 10089->10086 10090->10072 10090->10074 10092 41784 10091->10092 10093 386a8 RtlAllocateHeap 10092->10093 10094 41791 10093->10094 10108 4179a 10094->10108 10477 412fc CoInitialize 10094->10477 10097 41aab 10099 41ab9 10097->10099 10102 386d0 RtlFreeHeap 10097->10102 10098 386d0 RtlFreeHeap 10098->10097 10100 41ac7 10099->10100 10103 386d0 RtlFreeHeap 10099->10103 10100->9777 10101 386a8 RtlAllocateHeap 10104 417c7 10101->10104 10102->10099 10103->10100 10105 386a8 RtlAllocateHeap 10104->10105 10104->10108 10109 417e2 10105->10109 10106 4106c NtSetInformationThread NtClose 10106->10109 10108->10097 10108->10098 10109->10106 10109->10108 10110 411a8 NtSetInformationThread NtClose 10109->10110 10111 3d1e0 2 API calls 10109->10111 10112 386d0 
RtlFreeHeap 10109->10112 10483 38844 10109->10483 10110->10109 10111->10109 10112->10109 10487 3ecfc 10113->10487 10115 3f859 10122 38c4c RtlAllocateHeap 10115->10122 10123 3f862 10115->10123 10116 3f98a 10118 3f998 10116->10118 10119 386d0 RtlFreeHeap 10116->10119 10117 386d0 RtlFreeHeap 10117->10116 10120 3f9a6 10118->10120 10121 386d0 RtlFreeHeap 10118->10121 10119->10118 10120->9768 10121->10120 10124 3f8af 10122->10124 10123->10116 10123->10117 10124->10123 10125 386a8 RtlAllocateHeap 10124->10125 10126 3f8e5 10125->10126 10126->10123 10491 3edec 10126->10491 10129 3a0bb 10128->10129 10132 3a0c0 10128->10132 10130 3a739 10129->10130 10131 386d0 RtlFreeHeap 10129->10131 10133 386d0 RtlFreeHeap 10130->10133 10135 3a747 10130->10135 10131->10130 10132->10129 10530 42968 10132->10530 10133->10135 10135->9788 10136 3a11d 10136->10129 10137 386a8 RtlAllocateHeap 10136->10137 10138 3a1ff 10137->10138 10138->10129 10139 3a231 10138->10139 10140 3a217 10138->10140 10141 38c4c RtlAllocateHeap 10139->10141 10142 38c4c RtlAllocateHeap 10140->10142 10143 3a221 10141->10143 10142->10143 10143->10129 10144 3a264 10143->10144 10145 3a278 GetTextExtentPoint32W 10143->10145 10146 386d0 RtlFreeHeap 10144->10146 10145->10129 10147 3a292 10145->10147 10146->10129 10147->10129 10148 3a32b DrawTextW 10147->10148 10148->10129 10149 3a353 10148->10149 10149->10129 10150 3a48d CreateFileW 10149->10150 10150->10129 10151 3a4b6 WriteFile 10150->10151 10151->10129 10152 3a4d7 WriteFile 10151->10152 10152->10129 10153 3a4f5 WriteFile 10152->10153 10153->10129 10154 3a513 10153->10154 10537 38afc 10154->10537 10156 3a535 10156->10129 10157 3a5b8 RegCreateKeyExW 10156->10157 10157->10129 10158 3a5e9 10157->10158 10159 3a622 RegSetValueExW 10158->10159 10159->10129 10160 3a64f 10159->10160 10161 3a6ae RegSetValueExW 10160->10161 10161->10129 10166 3b48d 10162->10166 10163 3b4bc 10164 3b559 10163->10164 10165 386d0 RtlFreeHeap 10163->10165 10164->9796 10165->10164 10166->10163 10543 3e6e4 
10166->10543 10170 3bab6 10168->10170 10169 3baba 10169->9743 10170->10169 10549 45424 10170->10549 10172 3be6a 10174 3be7e 10172->10174 10175 386d0 RtlFreeHeap 10172->10175 10173 386d0 RtlFreeHeap 10173->10172 10176 3be92 10174->10176 10178 386d0 RtlFreeHeap 10174->10178 10175->10174 10177 3bea6 10176->10177 10179 386d0 RtlFreeHeap 10176->10179 10177->9743 10178->10176 10179->10177 10180 3bc31 10181 3d494 NtQueryInformationToken 10180->10181 10185 3bc40 10180->10185 10182 3bd02 10181->10182 10183 38c4c RtlAllocateHeap 10182->10183 10182->10185 10184 3bd45 10183->10184 10184->10185 10186 38c4c RtlAllocateHeap 10184->10186 10185->10172 10185->10173 10187 3bd65 10186->10187 10187->10185 10188 38c4c RtlAllocateHeap 10187->10188 10188->10185 10191 3a7a1 10189->10191 10190 3a99c 10190->9788 10191->10190 10192 3d1e0 2 API calls 10191->10192 10192->10190 10194 38c4c RtlAllocateHeap 10193->10194 10196 43437 10194->10196 10195 43578 10198 43586 10195->10198 10200 386d0 RtlFreeHeap 10195->10200 10207 43440 10196->10207 10552 43388 10196->10552 10197 386d0 RtlFreeHeap 10197->10195 10201 43594 10198->10201 10202 386d0 RtlFreeHeap 10198->10202 10200->10198 10210 437f8 10201->10210 10202->10201 10203 43474 10204 38798 RtlAllocateHeap 10203->10204 10203->10207 10205 4348f 10204->10205 10206 38c4c RtlAllocateHeap 10205->10206 10205->10207 10208 434f5 10206->10208 10207->10195 10207->10197 10209 386d0 RtlFreeHeap 10208->10209 10209->10207 10211 438fc 10210->10211 10214 4392a 10211->10214 10555 43704 10211->10555 10213 439bb 10216 4317c 10213->10216 10214->10213 10215 386d0 RtlFreeHeap 10214->10215 10215->10213 10217 43194 10216->10217 10218 38c4c RtlAllocateHeap 10217->10218 10219 431ce 10218->10219 10220 431d7 10219->10220 10221 386d0 RtlFreeHeap 10219->10221 10220->9787 10221->10220 10230 39400 10222->10230 10224 39344 10225 39376 FindFirstFileExW 10224->10225 10227 393f0 10224->10227 10225->10227 10228 3939e 10225->10228 10226 393dc FindNextFileW 10226->10227 10226->10228 
10227->10026 10228->10226 10236 394dc 10228->10236 10231 39420 FindFirstFileExW 10230->10231 10233 394d2 10231->10233 10235 3947e FindClose 10231->10235 10233->10224 10235->10233 10237 394fe 10236->10237 10238 39692 10237->10238 10239 386a8 RtlAllocateHeap 10237->10239 10238->10226 10243 39516 10239->10243 10240 39676 10241 39684 10240->10241 10242 386d0 RtlFreeHeap 10240->10242 10241->10238 10244 386d0 RtlFreeHeap 10241->10244 10242->10241 10243->10240 10245 3954e FindFirstFileExW 10243->10245 10244->10238 10245->10240 10251 39576 10245->10251 10246 39655 FindNextFileW 10247 3966d FindClose 10246->10247 10246->10251 10247->10240 10248 386a8 RtlAllocateHeap 10248->10251 10249 395f0 GetFileAttributesW 10249->10251 10251->10246 10251->10248 10251->10249 10252 386d0 RtlFreeHeap 10251->10252 10253 394dc 12 API calls 10251->10253 10254 384cc 10251->10254 10252->10251 10253->10251 10255 384e2 10254->10255 10255->10255 10274 3beb4 FindFirstFileExW 10255->10274 10258 38509 CreateFileW 10261 38609 10258->10261 10267 38531 10258->10267 10259 38536 NtAllocateVirtualMemory 10260 38567 10259->10260 10259->10267 10260->10261 10269 385c7 WriteFile 10260->10269 10262 38638 NtFreeVirtualMemory 10261->10262 10263 3865d 10261->10263 10262->10261 10264 38663 NtClose 10263->10264 10265 3866c 10263->10265 10264->10265 10277 383c8 10265->10277 10267->10259 10267->10260 10269->10260 10271 385e1 SetFilePointerEx 10269->10271 10270 38685 10272 3869a 10270->10272 10273 386d0 RtlFreeHeap 10270->10273 10271->10260 10271->10269 10272->10251 10273->10272 10275 384f9 10274->10275 10276 3bee5 FindClose 10274->10276 10275->10258 10275->10261 10276->10275 10286 38798 10277->10286 10280 38798 RtlAllocateHeap 10284 383f7 10280->10284 10281 38481 DeleteFileW 10281->10270 10282 383eb 10282->10281 10283 386d0 RtlFreeHeap 10282->10283 10283->10281 10284->10282 10284->10284 10285 38442 MoveFileExW 10284->10285 10285->10282 10285->10284 10287 387ae 10286->10287 10288 386a8 RtlAllocateHeap 10287->10288 10289 
383e2 10287->10289 10288->10289 10289->10280 10289->10282 10297 3fc73 10290->10297 10291 3fcd5 ReadFile 10291->10297 10292 3fe92 WriteFile 10292->10297 10293 3ff38 NtClose 10293->10297 10294 3fcc6 10295 386d0 RtlFreeHeap 10295->10297 10296 3fe19 WriteFile 10296->10297 10297->10291 10297->10292 10297->10293 10297->10294 10297->10295 10297->10296 10298->10063 10300 38800 10299->10300 10301 38816 10300->10301 10302 386a8 RtlAllocateHeap 10300->10302 10301->10066 10302->10301 10304 3c344 10303->10304 10305 3c2e8 10303->10305 10319 3c290 GetLogicalDriveStringsW 10303->10319 10304->10070 10306 3c31a ResumeThread 10305->10306 10307 3d1e0 2 API calls 10305->10307 10309 3c32e GetExitCodeThread 10306->10309 10308 3c2f9 10307->10308 10308->10306 10310 3c2fd 10308->10310 10309->10304 10310->10070 10312 3c013 10311->10312 10313 3c06f 10311->10313 10320 3bfd0 GetDriveTypeW 10311->10320 10314 3c045 ResumeThread 10312->10314 10315 3d1e0 2 API calls 10312->10315 10313->10086 10317 3c059 GetExitCodeThread 10314->10317 10316 3c024 10315->10316 10316->10314 10318 3c028 10316->10318 10317->10313 10318->10086 10322 40e4b SetThreadPriority 10321->10322 10324 40ded 10321->10324 10326 40e5a 10322->10326 10323 40e3d 10327 386d0 RtlFreeHeap 10323->10327 10324->10323 10325 3beb4 2 API calls 10324->10325 10328 40e07 10325->10328 10329 386a8 RtlAllocateHeap 10326->10329 10330 40e45 10327->10330 10328->10323 10332 40e17 10328->10332 10331 40e79 10329->10331 10353 3dfbc 10331->10353 10334 3dfbc 11 API calls 10332->10334 10336 40e21 10334->10336 10340 40a38 13 API calls 10336->10340 10339 386d0 RtlFreeHeap 10341 40ea9 FindFirstFileExW 10339->10341 10342 40e37 10340->10342 10343 41007 10341->10343 10351 40ecf 10341->10351 10344 386d0 RtlFreeHeap 10343->10344 10345 4100f 10344->10345 10347 386d0 RtlFreeHeap 10345->10347 10346 40fe6 FindNextFileW 10348 40ffe FindClose 10346->10348 10346->10351 10349 41041 10347->10349 10348->10343 10350 40c94 RtlAllocateHeap 10350->10351 10351->10346 10351->10350 
10376 40a38 10351->10376 10354 3dfd3 10353->10354 10355 3dfd8 10353->10355 10372 40c30 10354->10372 10356 38798 RtlAllocateHeap 10355->10356 10357 3dfe2 10356->10357 10357->10354 10358 3dff0 GetFileAttributesW 10357->10358 10359 3e000 10358->10359 10360 3e045 10359->10360 10361 3e05e 10359->10361 10362 3e0ac 6 API calls 10360->10362 10363 3e066 10361->10363 10364 3e075 GetFileAttributesW 10361->10364 10365 3e04d 10362->10365 10407 3e0ac CreateFileW 10363->10407 10367 3e082 10364->10367 10368 3e08e CopyFileW 10364->10368 10369 386d0 RtlFreeHeap 10365->10369 10370 386d0 RtlFreeHeap 10367->10370 10371 386d0 RtlFreeHeap 10368->10371 10369->10354 10370->10363 10371->10354 10373 40c48 10372->10373 10374 40c5e 10373->10374 10375 386a8 RtlAllocateHeap 10373->10375 10374->10339 10375->10374 10377 40c21 10376->10377 10378 40a59 10376->10378 10377->10351 10418 40194 10378->10418 10381 40c19 10382 386d0 RtlFreeHeap 10381->10382 10382->10377 10384 40a71 10384->10381 10385 40a85 10384->10385 10386 40a98 10384->10386 10451 406cc 10385->10451 10455 407b0 10386->10455 10389 40ab3 MoveFileExW 10390 40ac5 10389->10390 10396 40a93 10389->10396 10393 40b1d CreateFileW 10390->10393 10404 40b41 10390->10404 10391 40b00 10392 386d0 RtlFreeHeap 10391->10392 10392->10390 10395 40b46 10393->10395 10393->10404 10394 386d0 RtlFreeHeap 10394->10396 10431 407fc 10395->10431 10396->10381 10396->10389 10396->10390 10396->10391 10396->10394 10397 407b0 RtlAllocateHeap 10396->10397 10397->10396 10398 386d0 RtlFreeHeap 10398->10381 10401 40b6f CreateIoCompletionPort 10402 40b86 10401->10402 10405 40ba8 10401->10405 10403 386d0 RtlFreeHeap 10402->10403 10403->10404 10404->10381 10404->10398 10405->10404 10406 386d0 RtlFreeHeap 10405->10406 10406->10404 10408 3e20d 10407->10408 10409 3e0dd 10407->10409 10408->10354 10410 3e115 WriteFile 10409->10410 10411 3e13a NtClose 10410->10411 10412 3e14c WriteFile 10410->10412 10411->10354 10413 3e173 10412->10413 10414 3e185 WriteFile 10412->10414 10413->10354 
10415 3e1aa 10414->10415 10416 3e1bc WriteFile 10414->10416 10415->10354 10416->10409 10417 3e1e3 10416->10417 10417->10354 10419 401ad SetFileAttributesW CreateFileW 10418->10419 10421 401db 10419->10421 10422 401f3 10419->10422 10421->10419 10421->10422 10459 3fc2c 10421->10459 10422->10381 10423 40244 SetFileAttributesW CreateFileW 10422->10423 10424 40284 SetFilePointerEx 10423->10424 10425 402f0 10423->10425 10424->10425 10426 402a3 ReadFile 10424->10426 10425->10384 10426->10425 10427 402c2 10426->10427 10428 40138 RtlAllocateHeap 10427->10428 10429 402d3 10428->10429 10429->10425 10430 386d0 RtlFreeHeap 10429->10430 10430->10425 10433 4082c 10431->10433 10432 4085d 10435 386a8 RtlAllocateHeap 10432->10435 10433->10432 10434 400a0 2 API calls 10433->10434 10434->10432 10436 40869 10435->10436 10443 386a8 RtlAllocateHeap 10436->10443 10450 409b0 10436->10450 10437 40a03 10439 386d0 RtlFreeHeap 10437->10439 10440 40a11 10437->10440 10438 386d0 RtlFreeHeap 10438->10437 10439->10440 10441 40a1f 10440->10441 10442 386d0 RtlFreeHeap 10440->10442 10441->10401 10441->10404 10442->10441 10444 408c6 10443->10444 10445 386a8 RtlAllocateHeap 10444->10445 10444->10450 10446 408f5 10445->10446 10447 386a8 RtlAllocateHeap 10446->10447 10446->10450 10448 409a7 10447->10448 10449 386d0 RtlFreeHeap 10448->10449 10448->10450 10449->10450 10450->10437 10450->10438 10452 406d9 10451->10452 10453 38798 RtlAllocateHeap 10452->10453 10454 406e5 10453->10454 10454->10396 10456 407be 10455->10456 10457 38798 RtlAllocateHeap 10456->10457 10458 407cd 10457->10458 10458->10396 10460 3fc37 10459->10460 10461 3fc44 10460->10461 10463 3fac8 10460->10463 10461->10421 10466 3faff 10463->10466 10464 3fbd4 10465 3fc21 10464->10465 10467 386d0 RtlFreeHeap 10464->10467 10465->10461 10466->10464 10468 386a8 RtlAllocateHeap 10466->10468 10467->10465 10470 3fb58 10468->10470 10469 3fb81 10469->10464 10473 3fa44 10469->10473 10470->10464 10470->10469 10471 386f8 RtlReAllocateHeap 10470->10471 

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 9 41f84-42039 call 31630 call 38c4c 18 42040-42059 call 386a8 9->18 19 4203b 9->19 27 42060-42073 call 4a6c4 18->27 28 4205b 18->28 20 423b9-423c0 19->20 22 423c2 20->22 23 423ce-423d5 20->23 22->23 25 423d7 23->25 26 423e3-423e7 23->26 25->26 29 423f2-423f6 26->29 30 423e9 26->30 38 42075 27->38 39 4207a-4208a call 41e08 27->39 28->20 33 42400-42404 29->33 34 423f8-423fb call 386d0 29->34 30->29 36 42406-42409 call 386d0 33->36 37 4240e-42412 33->37 34->33 36->37 42 42414-42417 call 386d0 37->42 43 4241c-42420 37->43 38->20 48 42091-420e2 GetTempFileNameW CreateFileW 39->48 49 4208c 39->49 42->43 46 42422-42425 call 386d0 43->46 47 4242a-42430 43->47 46->47 52 420e4 48->52 53 420e9-420fe WriteFile 48->53 49->20 52->20 54 42105-4211e 53->54 55 42100 53->55 57 42120-42125 54->57 55->20 58 42127-42168 CreateProcessW 57->58 59 42129-4212b 57->59 61 4216f-4218c NtQueryInformationProcess 58->61 62 4216a 58->62 59->57 63 42193-421b3 NtReadVirtualMemory 61->63 64 4218e 61->64 62->20 65 421b5 63->65 66 421ba-421cb call 38c4c 63->66 64->20 65->20 69 421d2-4224d call 4b2f4 call 4b348 call 4b41c NtProtectVirtualMemory 66->69 70 421cd 66->70 77 42254-42267 NtWriteVirtualMemory 69->77 78 4224f 69->78 70->20 79 4226e-422ca 77->79 80 42269 77->80 78->20 82 422d1-422f2 NtDuplicateObject 79->82 83 422cc 79->83 80->20 84 422f4 82->84 85 422f9-42361 CreateNamedPipeW 82->85 83->20 84->20 86 42365-4237e ResumeThread ConnectNamedPipe 85->86 87 42363 85->87 88 42380-4238b 86->88 89 4238f-423ac 86->89 87->20 88->89 90 4238d 88->90 92 423b0 89->92 93 423ae 89->93 90->20 92->20 93->20
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: D
                                                • API String ID: 0-2746444292

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 231 3aff8-3b2cb call 31228 * 5 RegCreateKeyExW 242 3b2d1 231->242 243 3b3ad-3b3b1 231->243 246 3b2d8-3b2f5 RegEnumKeyW 242->246 244 3b3b3 243->244 245 3b3bc-3b3ea RegCreateKeyExW 243->245 244->245 247 3b445-3b449 245->247 248 3b3ec 245->248 249 3b2f7 246->249 250 3b2fc-3b328 RegCreateKeyExW 246->250 254 3b454-3b457 247->254 255 3b44b 247->255 251 3b3f3-3b410 RegEnumKeyW 248->251 249->243 252 3b3a5-3b3a8 250->252 253 3b32a-3b34a RegSetValueExW 250->253 256 3b412 251->256 257 3b414-3b42a OpenEventLogW 251->257 252->246 258 3b396-3b39a 253->258 259 3b34c-3b368 RegSetValueExW 253->259 255->254 256->247 260 3b440-3b443 257->260 261 3b42c-3b437 ClearEventLogW 257->261 258->252 263 3b39c 258->263 259->258 262 3b36a-3b380 OpenEventLogW 259->262 260->251 261->260 262->258 264 3b382-3b38d ClearEventLogW 262->264 263->252 264->258
                                                APIs
                                                • RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000,?,00000007,?,00000004,?,00000019,?), ref: 0003B2C3
                                                • RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000104), ref: 0003B2EA
                                                • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000), ref: 0003B320
                                                • RegSetValueExW.KERNELBASE(00000000,?,00000000,00000004,00000000,00000004), ref: 0003B342
                                                • RegSetValueExW.KERNELBASE(00000000,?,00000000,00000001,?,00000064), ref: 0003B360
                                                • OpenEventLogW.ADVAPI32(00000000,?), ref: 0003B373
                                                • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 0003B387
                                                • RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000), ref: 0003B3E2
                                                • RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000104), ref: 0003B405
                                                • OpenEventLogW.ADVAPI32(00000000,?), ref: 0003B41D
                                                • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 0003B431
                                                Similarity
                                                • API ID: Event$Create$ClearEnumOpenValue
                                                • String ID:
                                                • API String ID: 1260815474-0

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 265 3c4ac-3c52c GetVolumeNameForVolumeMountPointW FindFirstVolumeW 269 3c532-3c538 265->269 270 3c770-3c775 265->270 271 3c73f-3c761 269->271 272 3c53e-3c545 269->272 271->269 279 3c767 271->279 272->271 273 3c54b-3c562 GetVolumePathNamesForVolumeNameW 272->273 273->271 275 3c568-3c56c 273->275 275->271 276 3c572-3c576 275->276 276->271 278 3c57c-3c586 GetDriveTypeW 276->278 280 3c591-3c599 call 31548 278->280 281 3c588-3c58b 278->281 279->270 284 3c617-3c63d call 316d4 CreateFileW 280->284 285 3c59b-3c5e3 280->285 281->271 281->280 289 3c643-3c669 DeviceIoControl 284->289 290 3c736 284->290 295 3c603-3c607 285->295 296 3c5e5-3c5fe call 3c420 285->296 289->290 292 3c66f-3c676 289->292 290->271 293 3c678-3c684 292->293 294 3c6dc-3c6e3 292->294 298 3c6a3-3c6a9 293->298 299 3c686-3c68d 293->299 294->290 297 3c6e5-3c6ec 294->297 300 3c612 295->300 301 3c609 295->301 296->295 297->290 302 3c6ee-3c6f5 297->302 305 3c6ab-3c6b2 298->305 306 3c6c8-3c6d5 call 316a4 call 3c420 298->306 299->298 303 3c68f-3c696 299->303 300->271 301->300 302->290 307 3c6f7-3c711 call 316a4 302->307 303->298 308 3c698-3c69f 303->308 305->306 310 3c6b4-3c6bb 305->310 317 3c6da 306->317 321 3c713-3c71a 307->321 322 3c72a-3c731 call 3c420 307->322 308->298 313 3c6a1 308->313 310->306 314 3c6bd-3c6c4 310->314 313->317 314->306 318 3c6c6 314->318 317->290 318->317 323 3c728 321->323 324 3c71c-3c723 call 3c420 321->324 322->290 323->290 324->323
                                                APIs
                                                • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000104), ref: 0003C4F6
                                                • FindFirstVolumeW.KERNELBASE(?,00000104), ref: 0003C51F
                                                • GetVolumePathNamesForVolumeNameW.KERNELBASE(?,?,00000040,00000000), ref: 0003C55A
                                                • GetDriveTypeW.KERNELBASE(?), ref: 0003C57D
                                                • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?), ref: 0003C630
                                                • DeviceIoControl.KERNELBASE(000000FF,00070048,00000000,00000000,?,00000090,00000001,00000000), ref: 0003C661
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Volume$Name$ControlCreateDeviceDriveFileFindFirstMountNamesPathPointType
                                                • String ID: '
                                                • API String ID: 754975672-1997036262
                                                • Opcode ID: 8389598b1bb699f07804b421f16867dec8fcbdee712dc7fbb4be6ee4c62e2fff
                                                • Instruction ID: e97bbd97cd856453c3c861394bd25f136af155424c679298ac4337837db60bf7
                                                • Opcode Fuzzy Hash: 8389598b1bb699f07804b421f16867dec8fcbdee712dc7fbb4be6ee4c62e2fff
                                                • Instruction Fuzzy Hash: B9719E30904714EFFB729B10EC0AF9A7BBCAF01316F1080A5E549F60A1D7B45A85DFA5

                                                Control-flow Graph

                                                control_flow_graph 327 3e218-3e232 328 3e46b-3e474 327->328 329 3e238-3e24d call 38c4c 327->329 329->328 332 3e253-3e269 call 386a8 329->332 335 3e465-3e466 call 386d0 332->335 336 3e26f-3e280 call 4a6c4 332->336 335->328 340 3e286-3e307 call 316a4 CreateFileW 336->340 341 3e45f-3e460 call 386d0 336->341 340->341 347 3e30d-3e322 WriteFile 340->347 341->335 348 3e456 347->348 349 3e328-3e34b RegCreateKeyExW 347->349 348->341 349->348 350 3e351-3e37d RegSetValueExW 349->350 352 3e383-3e3fc RegCreateKeyExW 350->352 353 3e44d-3e450 NtClose 350->353 352->353 356 3e3fe-3e430 RegSetValueExW 352->356 353->348 356->353 358 3e432-3e446 SHChangeNotify 356->358 358->353
                                                APIs
                                                  • Part of subcall function 000386A8: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,000491D4,?,00000000,00000000), ref: 000386C4
                                                • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0003E2FA
                                                • WriteFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 0003E31A
                                                • RegCreateKeyExW.KERNELBASE(80000000,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 0003E343
                                                • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,?,00000000), ref: 0003E375
                                                • RegCreateKeyExW.KERNELBASE(80000000,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 0003E3F4
                                                • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,?,00000000), ref: 0003E428
                                                • SHChangeNotify.SHELL32(08000000,00001000,00000000,00000000), ref: 0003E440
                                                • NtClose.NTDLL(?), ref: 0003E450
                                                Yara matches
                                                Similarity
                                                • API ID: Create$FileValue$AllocateChangeCloseHeapNotifyWrite
                                                • String ID:
                                                • API String ID: 1108940941-0
                                                • Opcode ID: 02f7feee2e3f8c3e51b82f342a58490a0d814071961d28bfdc55ba0872cfea55
                                                • Instruction ID: 7743f36ededf9744a15dcd101507a06495b2aa71e2236d48ee25cd8938244ea5
                                                • Opcode Fuzzy Hash: 02f7feee2e3f8c3e51b82f342a58490a0d814071961d28bfdc55ba0872cfea55
                                                • Instruction Fuzzy Hash: FE518070A04309BBEB218FA4EC4AF9E7BBCBB04701F104164F608A60D1D7B59A58DBA5

                                                Control-flow Graph

                                                control_flow_graph 359 384cc-384df 360 384e2-384e7 359->360 360->360 361 384e9-384fd call 3beb4 360->361 364 38509-3852b CreateFileW 361->364 365 384ff-38503 361->365 366 3862e-38630 364->366 367 38531-38533 364->367 365->364 365->366 369 38633-38636 366->369 368 38536-3855f NtAllocateVirtualMemory 367->368 370 38561-3856c 368->370 371 38567 368->371 372 38657-3865b 369->372 373 38638-38651 NtFreeVirtualMemory 369->373 377 3857f-38582 370->377 378 3856e-3857d 370->378 375 38597-3859c 371->375 372->369 376 3865d-38661 372->376 373->372 379 3859f-385aa 375->379 380 38663-38666 NtClose 376->380 381 3866c-38683 call 383c8 DeleteFileW 376->381 383 38591-38595 377->383 384 38584-3858c call 3848c 377->384 378->383 385 385b8 379->385 386 385ac-385b6 379->386 380->381 391 38685 381->391 392 3868c-38690 381->392 383->368 383->375 384->383 387 385bd-385c4 385->387 386->387 390 385c7-385dd WriteFile 387->390 393 385e1-385fe SetFilePointerEx 390->393 394 385df 390->394 391->392 395 38692-38695 call 386d0 392->395 396 3869a-386a3 392->396 393->390 397 38600-38607 393->397 394->397 395->396 399 3860b-38629 397->399 400 38609 397->400 399->379 400->366
                                                APIs
                                                • CreateFileW.KERNELBASE(00039646,40000000,00000003,00000000,00000003,80000000,00000000,00039646,?,?,00000000,?), ref: 0003851E
                                                • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00010000,00001000,00000004,?,00000000,?), ref: 00038557
                                                • WriteFile.KERNELBASE(000000FF,00000000,00010000,00010000,00000000,?,00000000,?), ref: 000385D5
                                                • SetFilePointerEx.KERNELBASE(000000FF,00010000,?,00000000,00000001,?,00000000,?), ref: 000385F1
                                                • NtFreeVirtualMemory.NTDLL(000000FF,?,00010000,00008000,?,00000000,?), ref: 00038651
                                                • NtClose.NTDLL(000000FF,?,00000000,?), ref: 00038666
                                                • DeleteFileW.KERNELBASE(?,000000FF,?,?,00000000,?), ref: 0003867B
                                                Yara matches
                                                Similarity
                                                • API ID: File$MemoryVirtual$AllocateCloseCreateDeleteFreePointerWrite
                                                • String ID:
                                                • API String ID: 3569053182-0
                                                • Opcode ID: 96dad84e43967505ab69e03fab3af1de764b9992676d2dc1a581272ff4d11c11
                                                • Instruction ID: c8e123a6f3e8071fda02c745e873acbc6bbe13986b14cdbf8830d8f12671ab54
                                                • Opcode Fuzzy Hash: 96dad84e43967505ab69e03fab3af1de764b9992676d2dc1a581272ff4d11c11
                                                • Instruction Fuzzy Hash: 1A517E71900709AFDF62CFA4DC45BEEBBB8EB08311F2081A5F615B6090DBB55A85CB51

                                                Control-flow Graph

                                                control_flow_graph 402 3e0ac-3e0d7 CreateFileW 403 3e20d-3e213 402->403 404 3e0dd-3e0f6 402->404 405 3e0fc-3e10e call 31790 404->405 408 3e115-3e138 WriteFile 405->408 409 3e13a-3e149 NtClose 408->409 410 3e14c-3e171 WriteFile 408->410 411 3e173-3e182 410->411 412 3e185-3e1a8 WriteFile 410->412 413 3e1aa-3e1b9 412->413 414 3e1bc-3e1e1 WriteFile 412->414 416 3e1e3-3e1f2 414->416 417 3e1f5-3e202 414->417 417->408 419 3e208 417->419 419->405
                                                APIs
                                                • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,00000000), ref: 0003E0CA
                                                • WriteFile.KERNELBASE(000000FF,?,00000001,00000000,00000000,Function_00028000,?,?,?,00000000), ref: 0003E12B
                                                • NtClose.NTDLL(000000FF,?,?,00000000), ref: 0003E13D
                                                • WriteFile.KERNELBASE(000000FF,?,00000001,00000000,00000000,?,?,00000000), ref: 0003E164
                                                Yara matches
                                                Similarity
                                                • API ID: File$Write$CloseCreate
                                                • String ID:
                                                • API String ID: 237505210-0
                                                • Opcode ID: f5762f7b6c99248d46030c8560c63d1451e3569b9f384c773c36f50a7f28109e
                                                • Instruction ID: e2ac454f75a61363b3a621ecde9d9009bb5d79d32777f0d129f84703496eb937
                                                • Opcode Fuzzy Hash: f5762f7b6c99248d46030c8560c63d1451e3569b9f384c773c36f50a7f28109e
                                                • Instruction Fuzzy Hash: 35415E35A0424CEFEB11DB94EC05BEEFBBAEB44312F5041A6EA08E2191E7714F14DB91

                                                Control-flow Graph

                                                control_flow_graph 421 394dc-39503 423 39692-39697 421->423 424 39509-3951d call 386a8 421->424 427 39523-39570 call 316a4 FindFirstFileExW 424->427 428 39676-3967a 424->428 427->428 438 39576-3957f 427->438 429 39684-39688 428->429 430 3967c-3967f call 386d0 428->430 429->423 433 3968a-3968d call 386d0 429->433 430->429 433->423 439 39655-39667 FindNextFileW 438->439 440 39585-3958b 438->440 439->438 442 3966d-39670 FindClose 439->442 440->439 441 39591-395bf call 386a8 440->441 441->439 447 395c5-39601 GetFileAttributesW 441->447 442->428 451 39603-3960e 447->451 452 3963e-39641 call 384cc 447->452 457 39612-3961d 451->457 458 39610 451->458 454 39646-3964e call 386d0 452->454 454->439 461 39629 457->461 462 3961f-3962b call 394dc 457->462 460 3962d-3963c call 386d0 458->460 460->439 461->460 462->451
                                                APIs
                                                  • Part of subcall function 000386A8: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,000491D4,?,00000000,00000000), ref: 000386C4
                                                • FindFirstFileExW.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 00039563
                                                • GetFileAttributesW.KERNELBASE(00000000), ref: 000395F6
                                                • FindNextFileW.KERNELBASE(000000FF,?), ref: 0003965F
                                                • FindClose.KERNELBASE(000000FF), ref: 00039670
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: FileFind$AllocateAttributesCloseFirstHeapNext
                                                • String ID: *
                                                • API String ID: 2580701565-163128923
                                                • Opcode ID: 48a8133374249769689e043f660fc64c7a05ab69c9ff2570d3c662ba3f6ad760
                                                • Instruction ID: 3e7097fdee6edb3c2de0295a2fea2949dd97ae93b1f8c0e8a737e54ea6c310d6
                                                • Opcode Fuzzy Hash: 48a8133374249769689e043f660fc64c7a05ab69c9ff2570d3c662ba3f6ad760
                                                • Instruction Fuzzy Hash: 6F411D70C05219EBEF126FA0EC0ABEEBBB9FF00306F044561E419A11A1D7B55A64EF55

                                                Control-flow Graph

                                                control_flow_graph 468 3fc5c-3fc6d SetThreadPriority 469 3fc73-3fc92 468->469 471 3fcc2-3fcc4 469->471 472 3fc94-3fc9c 469->472 474 3fcc6-3fcc9 471->474 475 3fcca-3fccf 471->475 472->471 473 3fc9e 472->473 476 3fca5-3fcba 473->476 477 3fcd5-3fd07 ReadFile 475->477 478 3fd84-3fd87 475->478 492 3fcbe 476->492 493 3fcbc-3fcc0 476->493 479 3fd7a 477->479 480 3fd09-3fd14 477->480 481 3fe89-3fe8c 478->481 482 3fd8d-3fdd6 call 320b0 478->482 487 3ff68-3ff87 479->487 480->479 483 3fd16-3fd1e 480->483 485 3fe92-3fed1 WriteFile 481->485 486 3ff19-3ff1c 481->486 522 3fdd8-3fded 482->522 523 3fdef-3fdf7 482->523 488 3fd20-3fd3a 483->488 489 3fd3c-3fd63 483->489 494 3fed3-3fede 485->494 495 3ff15 485->495 486->487 491 3ff1e-3ff22 486->491 504 3ff8b-3ff93 487->504 505 3ff89-3ffbd 487->505 488->479 524 3fd76 489->524 525 3fd65-3fd70 489->525 498 3ff24-3ff2a 491->498 499 3ff38-3ff50 NtClose call 31074 491->499 492->476 493->469 494->495 501 3fee0-3fefe 494->501 495->487 507 3ff2e-3ff36 498->507 508 3ff2c 498->508 514 3ff55-3ffc8 call 386d0 499->514 534 3ff11 501->534 535 3ff00-3ff0b 501->535 511 3ff95 504->511 512 3ffb9 504->512 515 3ffc3 505->515 516 3ffbf-3ffc2 505->516 507->498 508->499 518 3ff9c-3ffb1 511->518 512->487 514->469 515->475 540 3ffb3-3ffb7 518->540 541 3ffb5 518->541 528 3fe19-3fe35 WriteFile 522->528 529 3fe06-3fe12 523->529 530 3fdf9-3fdfb 523->530 524->479 532 3fd72 525->532 533 3fd74 525->533 542 3fe37-3fe42 528->542 543 3fe7f 528->543 529->528 530->529 539 3fdfd-3fe04 530->539 532->479 533->489 534->495 536 3ff0f 535->536 537 3ff0d 535->537 536->501 537->495 539->528 540->487 541->518 542->543 546 3fe44-3fe68 542->546 543->487 549 3fe7b 546->549 550 3fe6a-3fe75 546->550 549->543 551 3fe77 550->551 552 3fe79 550->552 551->543 552->546
                                                APIs
                                                • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 0003FC6D
                                                • ReadFile.KERNELBASE(?,?,?,?,?), ref: 0003FCFF
                                                Yara matches
                                                Similarity
                                                • API ID: FilePriorityReadThread
                                                • String ID:
                                                • API String ID: 3643687941-0
                                                • Opcode ID: fe2f313b6645b50258d2c2f8a0554212ea2f50be64e70c718187f178a11c70a4
                                                • Instruction ID: f5bb17c16d6bab329d2a4b6a117d09f60c8eca7fccc4f06cc38296e75dfe09f2
                                                • Opcode Fuzzy Hash: fe2f313b6645b50258d2c2f8a0554212ea2f50be64e70c718187f178a11c70a4
                                                • Instruction Fuzzy Hash: 00A16B71904606EFEF629F50DD88BBA37BCEF09305F2042B6ED09890A6D7749A44DB51

                                                Control-flow Graph

                                                control_flow_graph 553 40dd4-40deb GetFileAttributesW 554 40ded-40df9 call 3da14 553->554 555 40e4b-40e5d SetThreadPriority call 31548 553->555 560 40e3d-40e48 call 386d0 554->560 561 40dfb-40e09 call 3beb4 554->561 562 40e5f-40e66 555->562 563 40e68 555->563 561->560 570 40e0b-40e0f 561->570 565 40e6f-40ec9 call 386a8 call 3dfbc call 40c30 call 386d0 FindFirstFileExW 562->565 563->565 586 41007-4101c call 386d0 565->586 587 40ecf-40edd 565->587 572 40e17-40e3a call 3dfbc call 39100 call 40a38 570->572 573 40e11-40e15 570->573 573->560 573->572 592 41020-41031 586->592 593 4101e 586->593 591 40ee2-40eeb 587->591 594 40ef5 591->594 595 40eed-40ef3 591->595 596 41039-4103c call 386d0 592->596 593->596 598 40fe6-40ff8 FindNextFileW 594->598 595->594 597 40efa-40f04 595->597 603 41041-41044 596->603 600 40f06-40f0a 597->600 601 40f0c 597->601 598->591 602 40ffe-41001 FindClose 598->602 600->601 604 40f11-40f18 600->604 601->598 602->586 605 40f25-40f29 604->605 606 40f1a-40f1e 604->606 608 40f53-40f5b call 40ce8 605->608 609 40f2b-40f33 call 40d80 605->609 606->605 607 40f20 606->607 607->598 614 40f62-40f69 608->614 615 40f5d 608->615 616 40f35-40f4c call 40c94 609->616 617 40f4e 609->617 618 40f76-40f80 call 3da14 614->618 619 40f6b-40f72 614->619 615->598 616->617 617->598 625 40f84-40fa2 call 40c94 call 39100 call 40a38 618->625 626 40f82 618->626 619->618 621 40f74 619->621 621->598 632 40fa7-40fae 625->632 626->598 632->598 633 40fb0-40fb2 632->633 634 40fb4-40fd9 633->634 635 40fdb 633->635 634->598 635->598
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?), ref: 00040DE0
                                                • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 00040E4F
                                                • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000,?,?,?,00057180,003D0900), ref: 00040EBC
                                                • FindNextFileW.KERNELBASE(000000FF,?), ref: 00040FF0
                                                • FindClose.KERNELBASE(000000FF), ref: 00041001
                                                  • Part of subcall function 0003BEB4: FindFirstFileExW.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 0003BED6
                                                  • Part of subcall function 0003BEB4: FindClose.KERNELBASE(000000FF), ref: 0003BEFC
                                                Yara matches
                                                Similarity
                                                • API ID: Find$File$CloseFirst$AttributesNextPriorityThread
                                                • String ID:
                                                • API String ID: 3755735135-0
                                                • Opcode ID: 528b00f06047a842e17c69900e9e9b581880bd7dd68ded1f7b12546f5b149b77
                                                • Instruction ID: 0acaa61862a5778036bf42772df8f68f84e450f569f697b73cb9ca45207a89d7
                                                • Opcode Fuzzy Hash: 528b00f06047a842e17c69900e9e9b581880bd7dd68ded1f7b12546f5b149b77
                                                • Instruction Fuzzy Hash: 1B616CB0908209EBDF32AF60DC4ABEEBBB5AF00341F1041B1FA04750A2D7754D99EB59

                                                Control-flow Graph

                                                control_flow_graph 668 48b04-48b1d 670 48b23-48b2a 668->670 671 48bdb-48be2 668->671 672 48b55-48b5c 670->672 673 48b2c-48b52 call 3894c 670->673 674 48be4-48bfd CreateThread 671->674 675 48c0f-48c20 call 392d8 call 3969c 671->675 677 48b5e-48b65 672->677 678 48b98-48b9f 672->678 673->672 674->675 679 48bff-48c08 674->679 692 48c27-48c2e 675->692 693 48c22 call 39b14 675->693 677->678 683 48b67-48b91 call 3ba84 677->683 678->671 681 48ba1-48ba8 678->681 679->675 681->671 685 48baa-48bd4 call 3ba84 681->685 683->678 685->671 698 48c30-48c45 CreateThread 692->698 699 48c48-48c4f 692->699 693->692 698->699 702 48c51-48c58 699->702 703 48c5a-48c81 call 3d554 call 3ffd0 699->703 702->703 704 48cd2-48cd9 702->704 719 48cc5-48cc9 703->719 720 48c83-48c8a 703->720 705 48cef-48cf6 704->705 706 48cdb-48ce6 NtTerminateThread 704->706 708 48d23-48d2d 705->708 709 48cf8-48d11 CreateThread 705->709 706->705 717 48e02-48e10 call 43404 call 437f8 call 4317c 708->717 718 48d33-48d3a 708->718 709->708 712 48d13-48d1c 709->712 712->708 758 48e15-48e19 717->758 721 48d67-48d6e 718->721 722 48d3c-48d55 718->722 719->704 724 48ca5-48cac 720->724 725 48c8c-48ca0 call 3c4ac call 400a0 call 42508 call 400a0 call 426b4 720->725 727 48d70-48d74 721->727 728 48da9-48db0 call 3d494 721->728 722->721 740 48d57-48d60 722->740 733 48cae-48cb3 call 400a0 call 41758 724->733 734 48cb8-48cc0 call 40058 call 400a0 724->734 725->724 735 48d76-48d81 727->735 736 48d8a-48da4 call 3894c call 3f820 727->736 748 48db2-48db7 call 3a790 728->748 749 48db9-48dbb call 3a060 728->749 733->734 734->719 735->736 736->728 740->721 759 48dc0-48dc7 748->759 749->759 763 48dc9-48dd0 759->763 764 48ddb-48dfb call 3b464 call 41f84 759->764 763->764 767 48dd2-48dd9 763->767 770 48e00 764->770 767->764 767->770 770->758
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,0003AD98,00000000,00000000,00000000), ref: 00048BF3
                                                • CreateThread.KERNELBASE(00000000,00000000,00039C88,00000000,00000000,00000000), ref: 00048C3F
                                                • NtTerminateThread.NTDLL(?,00000000), ref: 00048CE0
                                                • CreateThread.KERNELBASE(00000000,00000000,0003B458,00000000,00000000,00000000), ref: 00048D07
                                                Yara matches
                                                Similarity
                                                • API ID: Thread$Create$Terminate
                                                • String ID:
                                                • API String ID: 1922322686-0
                                                • Opcode ID: 6c40226c44ac27e5927875fc33bbd6bc436f296eb9e4b499dd666c657e45887b
                                                • Instruction ID: 0f6c8194bced6767d79907a0beac951820a82c73d159c4fa7bc1ccf478c71f6d
                                                • Opcode Fuzzy Hash: 6c40226c44ac27e5927875fc33bbd6bc436f296eb9e4b499dd666c657e45887b
                                                • Instruction Fuzzy Hash: 6A8184B05487457EFB526BB8BC4ABAF3EA8AB04302F144564F259640F2DBB84440EB2D

                                                Control-flow Graph

                                                APIs
                                                • FindFirstFileW.KERNELBASE(?,?,?,00000004,?), ref: 00037B73
                                                • FindClose.KERNELBASE(000000FF,?,00000000), ref: 00037B98
                                                • FindNextFileW.KERNELBASE(000000FF,?,?,00000000), ref: 00037BBD
                                                • FindClose.KERNELBASE(000000FF), ref: 00037BCA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseFile$FirstNext
                                                • String ID:
                                                • API String ID: 1164774033-0
                                                • Opcode ID: 2e5b8f97b1cee90a2bb5ea354c033f19ecad3222baa04bc1870b4fbd4ba4d9f5
                                                • Instruction ID: 2def6e8c72d2e3e91aa1fbff55e88c5bec276fee46cb1befb2a17dcb45355d19
                                                • Opcode Fuzzy Hash: 2e5b8f97b1cee90a2bb5ea354c033f19ecad3222baa04bc1870b4fbd4ba4d9f5
                                                • Instruction Fuzzy Hash: 014166F0848308EBDF329F64FC49B9EBBBCEB05311F108196E509AA161D7748995EF51
                                                APIs
                                                • NtSetInformationProcess.NTDLL(000000FF,00000021,00000000,00000004,00000004,00000000,00048C75), ref: 0003D571
                                                • NtSetInformationProcess.NTDLL(000000FF,00000012,00000000,00000002), ref: 0003D583
                                                • NtSetInformationProcess.NTDLL(000000FF,0000000C,00000000,00000004), ref: 0003D598
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: InformationProcess
                                                • String ID:
                                                • API String ID: 1801817001-0
                                                • Opcode ID: 6a2edda28d07b7e7fca599d164cf27fc458b76f9f76f95e0abcaea02c35500ee
                                                • Instruction ID: b0141321d9d208c3b25ae19a138cdcdfcd9e1263cf10ea431fa426746bf24909
                                                • Opcode Fuzzy Hash: 6a2edda28d07b7e7fca599d164cf27fc458b76f9f76f95e0abcaea02c35500ee
                                                • Instruction Fuzzy Hash: 60F01CB1244364ABFB22AB94ECC6F623B9CAB06721F200350B335DD0E6D7B485049B13
                                                APIs
                                                • NtProtectVirtualMemory.NTDLL(000000FF,00000000,00000020,00000040,?,CF75D174), ref: 0003D2D1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: MemoryProtectVirtual
                                                • String ID:
                                                • API String ID: 2706961497-3916222277
                                                • Opcode ID: 8e71fcceed7424691c739dccf48dbe3cdf2092800a9965a8c1c9bf19773167f5
                                                • Instruction ID: 2beec3c6d6a289c41d621e31375e36d000f029e06d913216bd89201838b1901c
                                                • Opcode Fuzzy Hash: 8e71fcceed7424691c739dccf48dbe3cdf2092800a9965a8c1c9bf19773167f5
                                                • Instruction Fuzzy Hash: 5FF090B0904208BBDB10CBA4DC48BDFB7BCAB04325F100295A514A62C0D7349B009750
                                                APIs
                                                  • Part of subcall function 000386A8: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,000491D4,?,00000000,00000000), ref: 000386C4
                                                • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00039CAE
                                                • Sleep.KERNELBASE(000007D0,?), ref: 00039D75
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeapInformationQuerySleepSystem
                                                • String ID:
                                                • API String ID: 3184523392-0
                                                • Opcode ID: 78bae6b60bf8da171d231a08ad2d615fdf9502cfc7e67650ea75d6ebe14cc21d
                                                • Instruction ID: 6d5e876cebbc27b86a1e25f888fe67844e5d99df9f63a45d97cc1bfd25c5f27d
                                                • Opcode Fuzzy Hash: 78bae6b60bf8da171d231a08ad2d615fdf9502cfc7e67650ea75d6ebe14cc21d
                                                • Instruction Fuzzy Hash: B4215A70900208AFDF129F90DD45BDEBBBCFF04305F608095E915AA162D7B68A05DF91
                                                APIs
                                                • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 0003ADBA
                                                  • Part of subcall function 0003B5FC: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0003B629
                                                  • Part of subcall function 0003B6A4: NtClose.NTDLL(00000000), ref: 0003B795
                                                • NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004,00000000,00000002,00000002,86FC5592), ref: 0003ADF1
                                                  • Part of subcall function 0003ABD8: OpenSCManagerW.ADVAPI32(00000000,00000000,00000001,2AD8ADAB), ref: 0003AC16
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Information$AdjustCloseManagerOpenPrivilegeQuerySystemThread
                                                • String ID:
                                                • API String ID: 1903255304-0
                                                • Opcode ID: 9a6390c1750313695d25247da81622b2a88f507579add88e30426c87f7ad98d0
                                                • Instruction ID: b7b25e87d3d6c27de3c1c1a402cdecd879a92bc7ce062bdafa8c19ca486df6c9
                                                • Opcode Fuzzy Hash: 9a6390c1750313695d25247da81622b2a88f507579add88e30426c87f7ad98d0
                                                • Instruction Fuzzy Hash: C4218470B40309BBEF229BA5CC4EBDEBEBC9F05705F104054B605A61D2D7748A44DB52
                                                APIs
                                                • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 0003ADBA
                                                  • Part of subcall function 0003B5FC: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0003B629
                                                  • Part of subcall function 0003B6A4: NtClose.NTDLL(00000000), ref: 0003B795
                                                • NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004,00000000,00000002,00000002,86FC5592), ref: 0003ADF1
                                                  • Part of subcall function 0003ABD8: OpenSCManagerW.ADVAPI32(00000000,00000000,00000001,2AD8ADAB), ref: 0003AC16
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Information$AdjustCloseManagerOpenPrivilegeQuerySystemThread
                                                • String ID:
                                                • API String ID: 1903255304-0
                                                • Opcode ID: 57ba47bda80bc4b2c7ed8c2172e680bc12d5d65a456921f452449003b24c5e8c
                                                • Instruction ID: f52345209c672879566687f414f5c6fd2aaf2d48660e096326a149cd09f20869
                                                • Opcode Fuzzy Hash: 57ba47bda80bc4b2c7ed8c2172e680bc12d5d65a456921f452449003b24c5e8c
                                                • Instruction Fuzzy Hash: B6218470B40309BBEF229BA5CC4EBDEBEBC9F05705F104054B605A61D2D7748A44DB52
                                                APIs
                                                  • Part of subcall function 00039400: FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 0003946F
                                                  • Part of subcall function 00039400: FindClose.KERNELBASE(000000FF), ref: 000394CC
                                                • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 0003938F
                                                • FindNextFileW.KERNELBASE(000000FF,?), ref: 000393E6
                                                  • Part of subcall function 000394DC: FindFirstFileExW.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 00039563
                                                  • Part of subcall function 000394DC: GetFileAttributesW.KERNELBASE(00000000), ref: 000395F6
                                                  • Part of subcall function 000394DC: FindNextFileW.KERNELBASE(000000FF,?), ref: 0003965F
                                                  • Part of subcall function 000394DC: FindClose.KERNELBASE(000000FF), ref: 00039670
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Find$File$First$CloseNext$Attributes
                                                • String ID:
                                                • API String ID: 1082676904-0
                                                • Opcode ID: 9e838a444e11646217e5d2603fbd67764259cc9a75a4273671acd69a501a0dcd
                                                • Instruction ID: eb17076708d9a131e2a7925b9e26532b7dfe5db78e91069c406ab41b6e05ca26
                                                • Opcode Fuzzy Hash: 9e838a444e11646217e5d2603fbd67764259cc9a75a4273671acd69a501a0dcd
                                                • Instruction Fuzzy Hash: DD211DB194030CABDF21EB90DD4DFDAB7BCAB14301F0040A1A60DE2191E7B59B59DF62
                                                APIs
                                                • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 0003946F
                                                • FindClose.KERNELBASE(000000FF), ref: 000394CC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID:
                                                • API String ID: 2295610775-0
                                                • Opcode ID: 89311849164240d22b737fe9423329fc5222620f49e23cb2d8a45738bdee6807
                                                • Instruction ID: afa44c910939f2a18059cf2a9ef9f8b8ca0378039643ebf50e217a4ed993cf27
                                                • Opcode Fuzzy Hash: 89311849164240d22b737fe9423329fc5222620f49e23cb2d8a45738bdee6807
                                                • Instruction Fuzzy Hash: E5210BB0904208EFEB119F90ED0CF9DBBB9FB04306F1081A1E94CA61A1E7759A99DF55
                                                APIs
                                                • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00039CAE
                                                • Sleep.KERNELBASE(000007D0,?), ref: 00039D75
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: InformationQuerySleepSystem
                                                • String ID:
                                                • API String ID: 3518162127-0
                                                • Opcode ID: ecfb7731beb6b65e21fa3c4008cf43fe97d28673ab2aeaa1eb0389d3efbf6058
                                                • Instruction ID: 70ca944d94715e68fa81a459c05cea2c8d189ccd29a6ccab6f077c2942c87b10
                                                • Opcode Fuzzy Hash: ecfb7731beb6b65e21fa3c4008cf43fe97d28673ab2aeaa1eb0389d3efbf6058
                                                • Instruction Fuzzy Hash: 2821D871900208EFEF528F90D945BDE7BBCFF04305F609099E505AA151D7B69A05DF91
                                                APIs
                                                • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00039CAE
                                                • Sleep.KERNELBASE(000007D0,?), ref: 00039D75
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: InformationQuerySleepSystem
                                                • String ID:
                                                • API String ID: 3518162127-0
                                                • Opcode ID: d66ccd4d2628d1601f24345be36bbf014e51c0e88d298b09f28466018af34ab6
                                                • Instruction ID: 70ca944d94715e68fa81a459c05cea2c8d189ccd29a6ccab6f077c2942c87b10
                                                • Opcode Fuzzy Hash: d66ccd4d2628d1601f24345be36bbf014e51c0e88d298b09f28466018af34ab6
                                                • Instruction Fuzzy Hash: 2821D871900208EFEF528F90D945BDE7BBCFF04305F609099E505AA151D7B69A05DF91
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,0003FC5C,00000000,00000000,00000000,?,00000000), ref: 00040021
                                                  • Part of subcall function 0003D264: NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,000383B9,00000000,00057864,00038208,00000000,00000000,00057850,000381F0,00000000,00000000,00057844), ref: 0003D285
                                                • NtClose.NTDLL(00000000,00000000,?,00000000), ref: 00040034
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Thread$CloseCreateInformation
                                                • String ID:
                                                • API String ID: 3895992022-0
                                                • Opcode ID: fca5325f8c338f30c487d1c56509ac4012a62808155ea2e0a0c33f6c66561a3d
                                                • Instruction ID: ed80c4b465787bba3d8a619a7a0d8bf60a208ffc895f1c1dbee5b28a5dee23b0
                                                • Opcode Fuzzy Hash: fca5325f8c338f30c487d1c56509ac4012a62808155ea2e0a0c33f6c66561a3d
                                                • Instruction Fuzzy Hash: EB01F970788715ABF3226B64BC89B9B3698DB04712F200220FB09B62D1DBB4AD05D559
                                                APIs
                                                • NtSetInformationThread.NTDLL(000000FE,00000005,00000008,00000004), ref: 0003D244
                                                • NtClose.NTDLL(00000008), ref: 0003D252
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseInformationThread
                                                • String ID:
                                                • API String ID: 3167811113-0
                                                • Opcode ID: b28aecffb4b63f3a6b425eb7e95c9ec7950d742284cff4d2dbe537845e2020e4
                                                • Instruction ID: aae165baf6f840957a6e9d87a6fae9af4379682ec0e13f9af50385bf28501297
                                                • Opcode Fuzzy Hash: b28aecffb4b63f3a6b425eb7e95c9ec7950d742284cff4d2dbe537845e2020e4
                                                • Instruction Fuzzy Hash: D7012170504208AFF711CF50EC49FABBBBCFB10305F108165EA189A1A1D7B5CA08DB90
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,0003FC5C,00000000,00000000,00000000,?,00000000), ref: 00040021
                                                • NtClose.NTDLL(00000000,00000000,?,00000000), ref: 00040034
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateThread
                                                • String ID:
                                                • API String ID: 562768112-0
                                                • Opcode ID: 264bf9b9dedf1fe45f627c91cdef3b1634ff09fee3d3f6dece2e143b6c93fdd0
                                                • Instruction ID: 9bbbba556edf99e21b5026740b88cb1eb85aa8c1e42718dafb4f47ab479a4519
                                                • Opcode Fuzzy Hash: 264bf9b9dedf1fe45f627c91cdef3b1634ff09fee3d3f6dece2e143b6c93fdd0
                                                • Instruction Fuzzy Hash: DDF0E9B168D705ABE73257607C45B6A3BA4DB11703F2400A2FE0D790C296659C04D655
                                                APIs
                                                • FindFirstFileExW.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 0003BED6
                                                • FindClose.KERNELBASE(000000FF), ref: 0003BEFC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID:
                                                • API String ID: 2295610775-0
                                                • Opcode ID: c589a7127dc420ee18385116ec9b66151c9f49139b03df167ea3ba06188f6ad0
                                                • Instruction ID: 559d91e9dfa74c54eaa60c54a11208c861698da1733e936876ab890d4b329add
                                                • Opcode Fuzzy Hash: c589a7127dc420ee18385116ec9b66151c9f49139b03df167ea3ba06188f6ad0
                                                • Instruction Fuzzy Hash: E1F03A74901308EFDB60DF94DC49B9CBBB4EB44311F2082A5E918AB2A0E7B16E91DF44
                                                APIs
                                                • NtQueryDefaultUILanguage.NTDLL(?), ref: 00039F02
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DefaultLanguageQuery
                                                • String ID:
                                                • API String ID: 1532992581-0
                                                • Opcode ID: ea1032aed8279766b4887157162a8fb9b612eb070c1219bc5415d0f6f38db2ed
                                                • Instruction ID: d03fffea2602d21a468289dc1fb62da1f2a8f69263eaabdc4b5f2931ed4f29a8
                                                • Opcode Fuzzy Hash: ea1032aed8279766b4887157162a8fb9b612eb070c1219bc5415d0f6f38db2ed
                                                • Instruction Fuzzy Hash: 8831E816B8A5064EFFFBE09195417FBA38CB3167A0EED1537C68A83181499D1C819A53
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: a899f4085463e970a4263e30ff5151fa1f30261e95b521c7e8fe47e39f026b10
                                                • Instruction ID: 92e5fd04435ef60596054ecf09cdec7a5c3f1223a707aed722d13c8d331a314a
                                                • Opcode Fuzzy Hash: a899f4085463e970a4263e30ff5151fa1f30261e95b521c7e8fe47e39f026b10
                                                • Instruction Fuzzy Hash: F531BA70805208EFEB41CF94D848BDEBFF8FB04309F108159E514AA290D7BA9A49DF95
                                                APIs
                                                  • Part of subcall function 000386A8: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,000491D4,?,00000000,00000000), ref: 000386C4
                                                • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0003B629
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeapInformationQuerySystem
                                                • String ID:
                                                • API String ID: 3114120137-0
                                                • Opcode ID: 77630be7b7838ead9ea95fcf8c3814278f42a208f021081b7a2f44334d81e126
                                                • Instruction ID: 1831bfa7ca3f33f4da4dfd0c36e580e3347ef0bb2c5e6f855af5372aec1798e6
                                                • Opcode Fuzzy Hash: 77630be7b7838ead9ea95fcf8c3814278f42a208f021081b7a2f44334d81e126
                                                • Instruction Fuzzy Hash: 16113A71D0020CFBCF229F94D882BEDBBB8EF14318F6081D2EA10A6162D7765A509F95
                                                APIs
                                                • NtQueryInformationToken.NTDLL(00000000,00000001,?,00000028,?,00000000), ref: 00038B43
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InformationQueryToken
                                                • String ID:
                                                • API String ID: 4239771691-0
                                                • Opcode ID: 3d995e6944461bae52ff623667620942968fd32e4e4c962534bf9dc282058fac
                                                • Instruction ID: 12cf8061ff5826e7d0f3dc37c005a8a91fcd7fca0c821ff1ab4a5db97257e5aa
                                                • Opcode Fuzzy Hash: 3d995e6944461bae52ff623667620942968fd32e4e4c962534bf9dc282058fac
                                                • Instruction Fuzzy Hash: E8112BB090430AEBEF518F90EC88FAEBBBCFF04305F148195F515A21A0DB764A58EB51
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000000,?), ref: 000378ED
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: d550dca750ade927b881c3066073441e7f89a8c0aac66b17714978576fd14198
                                                • Instruction ID: 3e88e75f4c04c628c26e9150ef8b9feee68de5f88eec55a8067058fc47263a2d
                                                • Opcode Fuzzy Hash: d550dca750ade927b881c3066073441e7f89a8c0aac66b17714978576fd14198
                                                • Instruction Fuzzy Hash: 58F03C76D4410DFADF21EEA4DC48FDEB7BCEB04315F0040A6E908A3140D674AB089BA0
                                                APIs
                                                • NtQueryInformationToken.NTDLL(?,00000001,?,0000002C,?), ref: 0003D4BE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InformationQueryToken
                                                • String ID:
                                                • API String ID: 4239771691-0
                                                • Opcode ID: 008430ac432d5ef8307985c46f468f80959246481ac9f0b3a97ee1fb6b07c6d6
                                                • Instruction ID: 5996b90044c5f270ed2595d730f4dde0b84c4b9acfca12d294f5ff0f33d826ab
                                                • Opcode Fuzzy Hash: 008430ac432d5ef8307985c46f468f80959246481ac9f0b3a97ee1fb6b07c6d6
                                                • Instruction Fuzzy Hash: B4F05431604208BFEB11CF95EC85EAEB7BDFB04311F5041A2F914D21A1E775AE449B10
                                                APIs
                                                • NtTerminateProcess.NTDLL(0003AFC4,00000000), ref: 0003FAA7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessTerminate
                                                • String ID:
                                                • API String ID: 560597551-0
                                                • Opcode ID: c9426693b5f2658f51e6d3675e29ae73084743aa3b3da3b9ccab7d9606968077
                                                • Instruction ID: be11d7db0956cad66684c9f64d0083dbadb89e1ff075e107e3f88bea48ebd796
                                                • Opcode Fuzzy Hash: c9426693b5f2658f51e6d3675e29ae73084743aa3b3da3b9ccab7d9606968077
                                                • Instruction Fuzzy Hash: 0B01B471901208EFEB01CF90D958BDEBFB8FB04319F148199D504AB291D7B79A46DF91
                                                APIs
                                                • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0003B629
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InformationQuerySystem
                                                • String ID:
                                                • API String ID: 3562636166-0
                                                • Opcode ID: 130c926b54d5df0e0617fd0c56fbf704cd25192d6e8a5f3e52b0caf95763f36c
                                                • Instruction ID: 598db8877025211e4d30a4e7652b4901b70ffdebfe446ba41ef517738743d83b
                                                • Opcode Fuzzy Hash: 130c926b54d5df0e0617fd0c56fbf704cd25192d6e8a5f3e52b0caf95763f36c
                                                • Instruction Fuzzy Hash: A7F0D035A04108EBDF529F84D882FEDBBBDEF14305F204091EB05A6152D7765D50EF51
                                                APIs
                                                • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0003B629
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InformationQuerySystem
                                                • String ID:
                                                • API String ID: 3562636166-0
                                                • Opcode ID: ee3fec815ccf602d89da47fe5de944a128abe16185276b87c9ab77b40851b02c
                                                • Instruction ID: 598db8877025211e4d30a4e7652b4901b70ffdebfe446ba41ef517738743d83b
                                                • Opcode Fuzzy Hash: ee3fec815ccf602d89da47fe5de944a128abe16185276b87c9ab77b40851b02c
                                                • Instruction Fuzzy Hash: A7F0D035A04108EBDF529F84D882FEDBBBDEF14305F204091EB05A6152D7765D50EF51
                                                APIs
                                                • NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,000383B9,00000000,00057864,00038208,00000000,00000000,00057850,000381F0,00000000,00000000,00057844), ref: 0003D285
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1676001511.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1675981178.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676028235.000000000004C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676052334.000000000004D000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676074308.0000000000056000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676095954.0000000000058000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1676119212.000000000005A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_yEB1xvr2rZ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InformationThread
                                                • String ID:
                                                • API String ID: 4046476035-0
                                                APIs
                                                • GetLogicalDriveStringsW.KERNELBASE(?,?), ref: 0003C29B
                                                Yara matches
                                                Similarity
                                                • API ID: DriveLogicalStrings
                                                • String ID:
                                                • API String ID: 2022863570-0

                                                Control-flow Graph

                                                APIs
                                                Yara matches
                                                Similarity
                                                • API ID: Create$Text$DialogParam$ColorLoadSelect$BrushCommandLibraryLineNameObjectPixelSolid$AtomAttributesBitmapCharsetClassExitFileFontHeapImageMetricsPaletteProcess
                                                • String ID:
                                                • API String ID: 1334329500-0

                                                Control-flow Graph

                                                [Control-flow graph of the function at 3a060 (image not recoverable). API calls among its nodes: GetTextExtentPoint32W, DrawTextW, CreateFileW, WriteFile, RegCreateKeyExW, RegSetValueExW.]
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: ($BM$3n
                                                • API String ID: 0-3459654682

                                                Control-flow Graph

                                                [Control-flow graph of the function at 42968 (image not recoverable). API calls among its nodes: RegCreateKeyExW, RegQueryValueExW, RegDeleteKeyExW.]
                                                APIs
                                                • RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,00020119,00000000,?,00000000), ref: 00042ADD
                                                • RegQueryValueExW.KERNELBASE(?,?,00000000,00000004,00000004,00000004), ref: 00042B10
                                                • RegDeleteKeyExW.KERNELBASE(80000002,?,00000100,00000000,000000FF,00000000), ref: 00042B79
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: CreateDeleteQueryValue
                                                • String ID: 3n
                                                • API String ID: 1796729037-3125853683

                                                Control-flow Graph

                                                [Control-flow graph of the function at 40244 (image not recoverable). API calls among its nodes: SetFileAttributesW, CreateFileW, SetFilePointerEx, ReadFile.]
                                                APIs
                                                • SetFileAttributesW.KERNELBASE(00000000,00000080,?), ref: 0004025D
                                                • CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00040275
                                                • SetFilePointerEx.KERNELBASE(000000FF,-00000084,00000000,00000000,00000002), ref: 00040299
                                                • ReadFile.KERNELBASE(000000FF,?,00000084,?,00000000), ref: 000402B8
                                                Yara matches
                                                Similarity
                                                • API ID: File$AttributesCreatePointerRead
                                                • String ID:
                                                • API String ID: 4170910816-0
                                                APIs
                                                  • Part of subcall function 00040194: SetFileAttributesW.KERNELBASE(00000000,00000080,?,00000000,?,?,?), ref: 000401B5
                                                  • Part of subcall function 00040194: CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?), ref: 000401CD
                                                  • Part of subcall function 00040244: SetFileAttributesW.KERNELBASE(00000000,00000080,?), ref: 0004025D
                                                  • Part of subcall function 00040244: CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00040275
                                                  • Part of subcall function 00040244: SetFilePointerEx.KERNELBASE(000000FF,-00000084,00000000,00000000,00000002), ref: 00040299
                                                  • Part of subcall function 00040244: ReadFile.KERNELBASE(000000FF,?,00000084,?,00000000), ref: 000402B8
                                                • MoveFileExW.KERNELBASE(00000000,00000000,00000008,00000000,00000000,00000000,00000000,?,00000000,?), ref: 00040ABB
                                                • CreateIoCompletionPort.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 00040B7C
                                                • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000003,48000000,00000000,00000000,?,00000000,?), ref: 00040B32
                                                  • Part of subcall function 000386D0: RtlFreeHeap.NTDLL(?,00000000,00000000,?,00049264,00000000), ref: 000386EC
                                                Yara matches
                                                Similarity
                                                • API ID: File$Create$Attributes$CompletionFreeHeapMovePointerPortRead
                                                • String ID:
                                                • API String ID: 97630321-0
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,0003C290,?,00000004,00000000), ref: 0003C2D9
                                                • ResumeThread.KERNELBASE(00000000), ref: 0003C31D
                                                • GetExitCodeThread.KERNELBASE(00000000,00000000), ref: 0003C335
                                                Yara matches
                                                Similarity
                                                • API ID: Thread$CodeCreateExitResume
                                                • String ID:
                                                • API String ID: 4070214711-0
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,0003BFD0,?,00000004,00000000), ref: 0003C004
                                                • ResumeThread.KERNELBASE(00000000), ref: 0003C048
                                                • GetExitCodeThread.KERNELBASE(00000000,00000000), ref: 0003C060
                                                Yara matches
                                                Similarity
                                                • API ID: Thread$CodeCreateExitResume
                                                • String ID:
                                                • API String ID: 4070214711-0
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 000396C3
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: Initialize
                                                • String ID: @
                                                • API String ID: 2538663250-2766056989
                                                APIs
                                                • SetFileAttributesW.KERNELBASE(00000000,00000080,?,00000000,?,?,?), ref: 000401B5
                                                • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?), ref: 000401CD
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                APIs
                                                • MoveFileExW.KERNELBASE(00000000,00000000,00000008,00000000,00000000,00000000,00000000,?,00000000,?), ref: 00040ABB
                                                • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000003,48000000,00000000,00000000,?,00000000,?), ref: 00040B32
                                                Similarity
                                                • API ID: File$CreateMove
                                                • String ID:
                                                • API String ID: 3198096935-0
                                                APIs
                                                • GetLogicalDriveStringsW.KERNELBASE(00000104,?,?,00000000), ref: 000392EF
                                                • GetDriveTypeW.KERNELBASE(?,?,00000000), ref: 00039305
                                                Similarity
                                                • API ID: Drive$LogicalStringsType
                                                • String ID:
                                                • API String ID: 1630765265-0
                                                APIs
                                                • SetFileAttributesW.KERNELBASE(00000000,00000080,?,00000000,?,?,?), ref: 000401B5
                                                • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?), ref: 000401CD
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                APIs
                                                • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,BF092720,?,?,0004B47A), ref: 0003823D
                                                Similarity
                                                • API ID: CreateHeap
                                                • String ID:
                                                • API String ID: 10892065-0
                                                APIs
                                                • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,BF092720,?,?,0004B47A), ref: 0003823D
                                                  • Part of subcall function 0003D264: NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,000383B9,00000000,00057864,00038208,00000000,00000000,00057850,000381F0,00000000,00000000,00057844), ref: 0003D285
                                                  • Part of subcall function 0003D290: NtProtectVirtualMemory.NTDLL(000000FF,00000000,00000020,00000040,?,CF75D174), ref: 0003D2D1
                                                Similarity
                                                • API ID: CreateHeapInformationMemoryProtectThreadVirtual
                                                • String ID:
                                                • API String ID: 2986011945-0
                                                APIs
                                                  • Part of subcall function 00037AA0: FindFirstFileW.KERNELBASE(?,?,?,00000004,?), ref: 00037B73
                                                  • Part of subcall function 00037AA0: FindClose.KERNELBASE(000000FF,?,00000000), ref: 00037B98
                                                • RtlAllocateHeap.NTDLL(?,00000000,00000010,00000000,00000000,00000000,00000000,?,?,00038280,00057408,00037D64,00000000,00000000,29667813), ref: 00037C60
                                                Similarity
                                                • API ID: Find$AllocateCloseFileFirstHeap
                                                • String ID:
                                                • API String ID: 1673784098-0
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000004), ref: 00039B2F
                                                  • Part of subcall function 000386A8: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,000491D4,?,00000000,00000000), ref: 000386C4
                                                Similarity
                                                • API ID: AllocateHeapManagerOpen
                                                • String ID:
                                                • API String ID: 963794170-0
                                                APIs
                                                  • Part of subcall function 0003AE6C: RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 0003AE8E
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0003AFDF
                                                  • Part of subcall function 0003FA44: NtTerminateProcess.NTDLL(0003AFC4,00000000), ref: 0003FAA7
                                                Similarity
                                                • API ID: AdjustCloseHandlePrivilegeProcessServiceTerminate
                                                • String ID:
                                                • API String ID: 3176663195-0
                                                APIs
                                                  • Part of subcall function 0003B5FC: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0003B629
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001,2AD8ADAB), ref: 0003AC16
                                                Similarity
                                                • API ID: InformationManagerOpenQuerySystem
                                                • String ID:
                                                • API String ID: 1910025873-0
                                                APIs
                                                • CoInitialize.OLE32(00000000,?,?,?,?,00000000), ref: 0004132B
                                                APIs
                                                • CreateMutexW.KERNELBASE(0000000C,00000001,00000000), ref: 0003BA6B
                                                APIs
                                                • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 0003AE8E
                                                  • Part of subcall function 0003B5FC: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0003B629
                                                  • Part of subcall function 0003B6A4: NtClose.NTDLL(00000000), ref: 0003B795
                                                APIs
                                                • RtlAdjustPrivilege.NTDLL(00000000,00000001,00000000,?), ref: 0003D547
                                                APIs
                                                • RtlReAllocateHeap.NTDLL(?,00000008,?,00000400,?,0003B649,?,00000400), ref: 00038717
                                                APIs
                                                • RtlAllocateHeap.NTDLL(?,00000008,00000000,?,000491D4,?,00000000,00000000), ref: 000386C4
                                                APIs
                                                • RtlFreeHeap.NTDLL(?,00000000,00000000,?,00049264,00000000), ref: 000386EC
                                                APIs
                                                • CheckTokenMembership.KERNELBASE(00000000,0003D2EC,?), ref: 0003D30D
                                                APIs
                                                • GetDriveTypeW.KERNELBASE(?), ref: 0003BFD6

                                                Execution Graph

                                                Execution Coverage:46.8%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:0.9%
                                                Total number of Nodes:213
                                                Total number of Limit Nodes:2

                                                Callgraph


                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000003.00000002.2258984219.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259202493.0000000000404000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259288116.0000000000405000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259375164.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_400000_9BAE.jbxd
                                                Similarity
                                                • API ID: Text$Color$CreateWindow$Proc$CommandFontFreeHandleLibraryLineLoadMenuModule$AddressBitmapCharsetErrorExitInfoLastLocaleObjectProcessSelect
                                                • String ID:
                                                • API String ID: 3548022523-0
                                                • Opcode ID: 75a7f395dfd15dd6a7f12e7587c497a330da91454d241e242464d6c2316bf13f
                                                • Instruction ID: 44f13d8dc4ada08d969f55db554330e9d88bd117b0c18836a0928b418f5903af
                                                • Opcode Fuzzy Hash: 75a7f395dfd15dd6a7f12e7587c497a330da91454d241e242464d6c2316bf13f
                                                • Instruction Fuzzy Hash: 89F0B724B651416AC500BFFB9947A0D6E2C6E8472BB50657EB0C1344E74D3C87009EAF

                                                Control-flow Graph

                                                APIs
                                                • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,80000000,00000000), ref: 00402F82
                                                • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00010000,00001000,00000004), ref: 00402FDB
                                                • WriteFile.KERNELBASE(000000FF,00000000,00010000,00010000,00000000), ref: 0040305F
                                                • SetFilePointerEx.KERNELBASE(000000FF,00010000,?,00000000,00000001), ref: 0040307E
                                                • SetFilePointerEx.KERNELBASE(000000FF,00010000,00000000,00000000,00000000,?,00000000,00000001), ref: 004030B3
                                                • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00010000,00008000,?,00000000,00000001), ref: 004030E4
                                                • NtClose.NTDLL(000000FF,?,00000000,00000001), ref: 004030FC
                                                • DeleteFileW.KERNELBASE(?,?,00000000,00000001), ref: 00403118
                                                Similarity
                                                • API ID: File$MemoryPointerVirtual$AllocateCloseCreateDeleteFreeWrite
                                                • String ID:
                                                • API String ID: 590822095-0
                                                • Opcode ID: 52122dafd602033dbf0aaa267e6343e8fb4df09450a7f36494692c9b8865e816
                                                • Instruction ID: 1b8bdb635f3090c090aca30f1047892238d11e79f8ef36d2dcee79009cce4089
                                                • Opcode Fuzzy Hash: 52122dafd602033dbf0aaa267e6343e8fb4df09450a7f36494692c9b8865e816
                                                • Instruction Fuzzy Hash: ED714871901209AFDB11CF90DD48BEEBB79FB08311F204266E511B62D4D3759E85CF99

                                                Control-flow Graph

                                                APIs
                                                • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 004032FB
                                                • GetDiskFreeSpaceW.KERNELBASE(?,?,?,00000000,00000000), ref: 00403313
                                                • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000,?), ref: 00403332
                                                • GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00403375
                                                • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000), ref: 00403398
                                                • DeviceIoControl.KERNELBASE(000000FF,0009C040,00000000,00000002,00000000,00000000,?,00000000), ref: 004033CD
                                                Similarity
                                                • API ID: DiskFileFreeSpace$ControlCreateDeviceNamePriorityTempThread
                                                • String ID:
                                                • API String ID: 2011835681-0
                                                • Opcode ID: 229209989839885a3588f396d77e0cdc96e3fac898d9f41ca49139373efe7470
                                                • Instruction ID: c3badfffa75a89a0abcd59fd2fd34812244497566a58eab59887ac76a1f04a4a
                                                • Opcode Fuzzy Hash: 229209989839885a3588f396d77e0cdc96e3fac898d9f41ca49139373efe7470
                                                • Instruction Fuzzy Hash: D6510A71A01209AFDB00DF90DD49F9EBB79FF08700F2092A5E611BA2A1D730AE45DF95

                                                Control-flow Graph

                                                APIs
                                                • GetLogicalDriveStringsW.KERNELBASE(00000068,?), ref: 00403687
                                                Similarity
                                                • API ID: DriveLogicalStrings
                                                • String ID:
                                                • API String ID: 2022863570-0
                                                • Opcode ID: b400b6a985817d68bb33d17dbc945ad3f7ed75c1c6e1d9200f5b880ce86a855b
                                                • Instruction ID: 4dd69471dbc29d4f16846e3344e2d9633d6215cd74752d72760f366e6b0bc30a
                                                • Opcode Fuzzy Hash: b400b6a985817d68bb33d17dbc945ad3f7ed75c1c6e1d9200f5b880ce86a855b
                                                • Instruction Fuzzy Hash: 33815CB590160ADFDB10DF90D948BAFBB75FF08306F1086AAE511772A0D7399A41CF98

                                                Control-flow Graph

                                                APIs
                                                • FindFirstFileExW.KERNELBASE(C:\Windows\System32\*.dll,00000000,?,00000000,00000000,00000000), ref: 00401601
                                                • FindClose.KERNELBASE(000000FF,?,00000000), ref: 0040162D
                                                • FindNextFileW.KERNELBASE(000000FF,?,?,00000000), ref: 00401653
                                                • FindClose.KERNEL32(000000FF), ref: 00401660
                                                Strings
                                                Similarity
                                                • API ID: Find$CloseFile$FirstNext
                                                • String ID: C:\Windows\System32\*.dll
                                                • API String ID: 1164774033-1305136377
                                                • Opcode ID: bdb8730289e2ca857be386bc3c3ab385330ed8d95a663a52d2d02b9110bb0279
                                                • Instruction ID: b8f602421e8d3e3309feb9384621a56ef9d54da146c7d7394d3b11ea37959a12
                                                • Opcode Fuzzy Hash: bdb8730289e2ca857be386bc3c3ab385330ed8d95a663a52d2d02b9110bb0279
                                                • Instruction Fuzzy Hash: 30418C71900608EFDB20AFA4DD48BAA77B4FB44325F608276E521BE1F0D7794A85DF48

                                                Control-flow Graph

                                                APIs
                                                • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 00403488
                                                • WriteFile.KERNELBASE(?,?,?,?,?), ref: 0040350E
                                                • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 004035EA
                                                • SetEndOfFile.KERNELBASE(?), ref: 004035F6
                                                • NtClose.NTDLL(?), ref: 0040360E
                                                Similarity
                                                • API ID: File$ClosePointerPriorityThreadWrite
                                                • String ID:
                                                • API String ID: 2296109371-0
                                                • Opcode ID: 0fcde9d867e2c8e00a33e5a4b04594799b7cacc31207ed4f9c9132c7825b27dd
                                                • Instruction ID: 02d7b4ff8a3576d09fe5cde13513df6eb5b6ce77b27be8b8a28bc97f0a3a62b9
                                                • Opcode Fuzzy Hash: 0fcde9d867e2c8e00a33e5a4b04594799b7cacc31207ed4f9c9132c7825b27dd
                                                • Instruction Fuzzy Hash: E75128B1101601EBDB10CF50DD84B577BB8FF08305F2052AAE905AE2A6D379DE95CF89

                                                Control-flow Graph

                                                APIs
                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040278B
                                                • ReadFile.KERNELBASE(000000FF,00000000,00000000,00000000,00000000), ref: 004027D3
                                                • NtClose.NTDLL(000000FF), ref: 004027FF
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: File$CloseCreateRead

                                                Control-flow Graph

                                                control_flow_graph 230 40286c-4028b9 NtSetInformationProcess * 3
                                                APIs
                                                • NtSetInformationProcess.NTDLL(000000FF,00000021,?,00000004), ref: 00402888
                                                • NtSetInformationProcess.NTDLL(000000FF,00000012,00000000,00000002,?,00000004), ref: 0040289D
                                                • NtSetInformationProcess.NTDLL(000000FF,0000000C,00000000,00000004,?,00000004), ref: 004028B5
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: InformationProcess

                                                Control-flow Graph

                                                control_flow_graph 231 401dc2-401df0 233 401e21-401e27 231->233 234 401df2-401e10 NtProtectVirtualMemory 231->234 234->233 235 401e12-401e1f 234->235 235->233
                                                APIs
                                                • NtProtectVirtualMemory.NTDLL(000000FF,00000000,00000020,00000040,?), ref: 00401E0B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: MemoryProtectVirtual

                                                Control-flow Graph

                                                control_flow_graph 316 4016b4-4016c9 317 401859-401862 316->317 318 4016cf-4016d6 316->318 319 4016f5-401729 NtAllocateVirtualMemory 318->319 320 4016d8-4016f0 call 401000 318->320 319->317 322 40172f-40174c NtAllocateVirtualMemory 319->322 320->319 322->317 324 401752-40175a call 40152c 322->324 326 40175f-401761 324->326 326->317 327 401767-40176d 326->327 328 401774-401781 call 401000 327->328 329 40176f 327->329 332 401851-401854 328->332 333 401787-401798 call 401e78 328->333 329->317 332->327 336 4017c9-4017cc 333->336 337 40179a-4017c4 call 401e78 333->337 339 4017fa-4017fd 336->339 340 4017ce-4017f8 call 401e78 336->340 337->332 343 401815-401818 339->343 344 4017ff-401813 339->344 340->332 345 401830-401833 343->345 346 40181a-40182e 343->346 344->332 345->332 348 401835-40184b 345->348 346->332 348->332
                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00103000,00000040), ref: 0040171F
                                                • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000000,00103000,00000004), ref: 00401742
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                APIs
                                                • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 004022A4
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: FileFindFirst
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Close
                                                APIs
                                                • NtSetInformationThread.NTDLL(00000000,?,00000000,00000000), ref: 00401DBB
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: InformationThread

                                                Control-flow Graph

                                                control_flow_graph 198 4032e4-4033a2 SetThreadPriority GetDiskFreeSpaceW GetDiskFreeSpaceExW GetTempFileNameW CreateFileW 201 4033a4 198->201 202 4033a9-4033ed DeviceIoControl call 403258 198->202 203 40346f-403472 201->203 205 4033fd-403415 CreateIoCompletionPort 202->205 206 4033ef-4033fb 202->206 207 403417-40342d 205->207 208 40342f-403447 205->208 206->203 207->203 212 403461-403467 208->212 213 403449-40345f 208->213 212->203 213->203
                                                APIs
                                                • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 004032FB
                                                • GetDiskFreeSpaceW.KERNELBASE(?,?,?,00000000,00000000), ref: 00403313
                                                • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000,?), ref: 00403332
                                                • GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00403375
                                                • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000), ref: 00403398
                                                • DeviceIoControl.KERNELBASE(000000FF,0009C040,00000000,00000002,00000000,00000000,?,00000000), ref: 004033CD
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: DiskFileFreeSpace$ControlCreateDeviceNamePriorityTempThread

                                                Control-flow Graph

                                                control_flow_graph 236 401b70-401b9f RtlCreateHeap 237 401ba1 236->237 238 401ba6-401bc4 RtlCreateHeap 236->238 239 401d8a-401d90 237->239 240 401bc6 238->240 241 401bcb-401be7 238->241 240->239 243 401be9 241->243 244 401bee-401c05 call 401a40 241->244 243->239 247 401c07 244->247 248 401c0c-401c3d 244->248 247->239 251 401c44-401c5b call 401a40 248->251 252 401c3f 248->252 255 401c62-401c93 251->255 256 401c5d 251->256 252->239 259 401c95 255->259 260 401c9a-401cb1 call 401a40 255->260 256->239 259->239 263 401cb3 260->263 264 401cb8-401ce9 260->264 263->239 267 401cf0-401d07 call 401a40 264->267 268 401ceb 264->268 271 401d09 267->271 272 401d0b-401d3c 267->272 268->239 271->239 275 401d40-401d57 call 401a40 272->275 276 401d3e 272->276 279 401d59 275->279 280 401d5b-401d80 call 401d94 call 401dc2 275->280 276->239 279->239 283 401d83 280->283 283->239
                                                APIs
                                                • RtlCreateHeap.NTDLL(00001002,00000000,00000000,00000000,00000000,00000000), ref: 00401B96
                                                • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000), ref: 00401BBB
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CreateHeap

                                                Control-flow Graph

                                                control_flow_graph 286 4022dc-40232e 290 402330 286->290 291 402335-402347 GetShortPathNameW 286->291 292 402483-402487 290->292 293 402349-402359 291->293 294 40235e-402380 291->294 295 402495-402499 292->295 296 402489-40248f 292->296 293->292 304 402382 294->304 305 402387-402425 294->305 298 4024a7-4024ab 295->298 299 40249b-4024a1 295->299 296->295 301 4024b9-4024bf 298->301 302 4024ad-4024b3 298->302 299->298 302->301 304->292 311 402427 305->311 312 402429-402481 ShellExecuteW 305->312 311->292 312->292
                                                APIs
                                                • GetShortPathNameW.KERNELBASE(00000000,00000000,?), ref: 00402340
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: NamePathShort

                                                Control-flow Graph

                                                control_flow_graph 349 4026c0-4026e5 call 4024f8 351 402730-402734 349->351 352 4026e7-402709 CreateFileW 349->352 354 402742-402746 351->354 355 402736-40273c 351->355 352->351 353 40270b-402727 ReadFile 352->353 353->351 356 402729 353->356 357 402754-40275a 354->357 358 402748-40274e 354->358 355->354 356->351 358->357
                                                APIs
                                                • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004026FF
                                                • ReadFile.KERNELBASE(000000FF,000000FF,0000021C,?,00000000), ref: 00402722
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: File$CreateRead

                                                Control-flow Graph

                                                control_flow_graph 360 401a40-401a5a 361 401a5d-401a77 RtlAllocateHeap 360->361 362 401a85-401a94 call 401e78 361->362 363 401a79-401a82 361->363 366 401ac5-401ac8 362->366 367 401a96-401ac0 call 401e78 362->367 369 401af6-401af9 366->369 370 401aca-401af4 call 401e78 366->370 375 401b4d-401b55 367->375 373 401b11-401b14 369->373 374 401afb-401b0f 369->374 370->375 377 401b16-401b2a 373->377 378 401b2c-401b2f 373->378 374->375 375->361 380 401b5b-401b6b 375->380 377->375 378->375 379 401b31-401b47 378->379 379->375
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000000,00000008,00000010), ref: 00401A6D
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: AllocateHeap
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000003.00000002.2258984219.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259202493.0000000000404000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259288116.0000000000405000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259375164.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_400000_9BAE.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ec2b1c2d5d64686e5e6a52de2e159d7ebe58570cf782c44f0051c3652f2bf9a
                                                • Instruction ID: 64be472d3da9365df722bb42b6a14b0a0006b9682bbf08d732ce7ada7e71b141
                                                • Opcode Fuzzy Hash: 2ec2b1c2d5d64686e5e6a52de2e159d7ebe58570cf782c44f0051c3652f2bf9a
                                                • Instruction Fuzzy Hash: 8A214C71940208EFDB109F90DE49B9ABB71FF18301F2081BAE505AA2E1D3759E91DF89
                                                APIs
                                                • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 00402227
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000003.00000002.2258984219.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259202493.0000000000404000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259288116.0000000000405000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259375164.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_400000_9BAE.jbxd
                                                Similarity
                                                • API ID: CreateDirectory
                                                • String ID:
                                                • API String ID: 4241100979-0
                                                • Opcode ID: aec36a0482896fdefc261f9a8e4ed8b8fffad9c6a154dc279330f3fd88b4ab19
                                                • Instruction ID: 9ce072fc3005d4f78cf2e49f7f895573a995d668e844b6c98341eda9cf3d519c
                                                • Opcode Fuzzy Hash: aec36a0482896fdefc261f9a8e4ed8b8fffad9c6a154dc279330f3fd88b4ab19
                                                • Instruction Fuzzy Hash: 81117CB5601105EFD700DF94ED88A87BBA8FF08300B1092B9EA15AB262D731D955CFD9
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00003478,00000000,00000000,00000000), ref: 004031A2
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000003.00000002.2258984219.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259202493.0000000000404000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259288116.0000000000405000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259375164.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_400000_9BAE.jbxd
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: 9e58d635c8bd693d4c2dc2c3a668e721e6aa14a97984da7d58b39bf4f406ce1f
                                                • Instruction ID: e5ec22d449c3d307afb1fc97fd659449252656cd0b8efbbc1ce39923ac99279f
                                                • Opcode Fuzzy Hash: 9e58d635c8bd693d4c2dc2c3a668e721e6aa14a97984da7d58b39bf4f406ce1f
                                                • Instruction Fuzzy Hash: B5115E75741B05ABD310AF94ED89B8BB768FF08711F2043B5EA10BA2E1D7749D418F98
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000003.00000002.2258984219.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259202493.0000000000404000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259288116.0000000000405000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259375164.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_400000_9BAE.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 76ac4189c2e983f292498be2e35779ead737e5081f8c929ef40d6d428a78efce
                                                • Instruction ID: 5f31ce468cef0475a522e9655e813cee8f96e501922e94d34a843d9ecc1c4f5f
                                                • Opcode Fuzzy Hash: 76ac4189c2e983f292498be2e35779ead737e5081f8c929ef40d6d428a78efce
                                                • Instruction Fuzzy Hash: A921F974901608EFDB00CF90EA8C79EBB71FF08301F6045A9E5017A2A0D7B95A85DF89
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000000,?), ref: 004014C4
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000003.00000002.2258984219.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259202493.0000000000404000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259288116.0000000000405000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259375164.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_400000_9BAE.jbxd
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: cc821bb6490c49b643c0aee4c8a66cc2fb92e167f5171f05bab2522af16bb81c
                                                • Instruction ID: 140de97a3c31e0856ca0b204e221eb1e366fb0b1d4fd9a07ba92ba20ce5f8dd4
                                                • Opcode Fuzzy Hash: cc821bb6490c49b643c0aee4c8a66cc2fb92e167f5171f05bab2522af16bb81c
                                                • Instruction Fuzzy Hash: F7F03C3690020DFADF10EAA4D848FDE77BCEB14314F0041A6E904B7190D238AA099BA5
                                                APIs
                                                • RtlAdjustPrivilege.NTDLL(?,00000001,00000000,00000000), ref: 00402861
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000003.00000002.2258984219.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259202493.0000000000404000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259288116.0000000000405000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259375164.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_400000_9BAE.jbxd
                                                Similarity
                                                • API ID: AdjustPrivilege
                                                • String ID:
                                                • API String ID: 3260937286-0
                                                • Opcode ID: b838e4be5c385c0dc624d50355c604d381d153ee0a89857c9e86ae645bc67477
                                                • Instruction ID: 70193a9dbc7aa9cd3770003b3bb97339f6e2972f30e24310785a39762e1cef45
                                                • Opcode Fuzzy Hash: b838e4be5c385c0dc624d50355c604d381d153ee0a89857c9e86ae645bc67477
                                                • Instruction Fuzzy Hash: B9E0263251821AABCB20A2189E0CBA7739DD744314F1043B6A805F71D1EAF69A0A87DA
                                                APIs
                                                • RtlFreeHeap.NTDLL(?,00000000,?), ref: 0040211F
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000003.00000002.2258984219.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259202493.0000000000404000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259288116.0000000000405000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259375164.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_400000_9BAE.jbxd
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: d8e0199bfff3b7c7e37b2de0e6c62c950c10b2175f78bb828c44bc6e2d432229
                                                • Instruction ID: d3d976247e6901ac8e18a8e884b3ec4d922711d5bc20faefc563e272b4fb1b9c
                                                • Opcode Fuzzy Hash: d8e0199bfff3b7c7e37b2de0e6c62c950c10b2175f78bb828c44bc6e2d432229
                                                • Instruction Fuzzy Hash: 42D0C97A540209ABC704DF94ED49E47B769FF58710F1086A1BA045B222C630E890CFD8
                                                APIs
                                                • RtlAllocateHeap.NTDLL(?,00000008,?), ref: 004020D7
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2259127922.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000003.00000002.2258984219.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259202493.0000000000404000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259288116.0000000000405000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000003.00000002.2259375164.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_400000_9BAE.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 37c2d1e8b064bb17fe79b9677c4ca25dfdae977e826a45f6764b5f2e7935cd48
                                                • Instruction ID: 701e22a529f931561d5ec47da2ef603e250127bb9ab3ab4db12cbc5835053477
                                                • Opcode Fuzzy Hash: 37c2d1e8b064bb17fe79b9677c4ca25dfdae977e826a45f6764b5f2e7935cd48
                                                • Instruction Fuzzy Hash: 05D0C97A140609ABC6009F94E949D87F769FF58711B00C6A1BA045B222C630E890CFD4