Windows Analysis Report
e93wY5kRY0.ps1

Overview

General Information

Sample name: e93wY5kRY0.ps1
renamed because original name is a hash value
Original sample name: 20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9.ps1
Analysis ID: 1579856
MD5: 17a7cd1ead2d35ed5d69c71d4fd7386d
SHA1: 734400d4444b88fe3848c80e3dba2ad9a5155c56
SHA256: 20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9
Tags: lockbit, lockbit40, powershell, ps1, ransomware, user-TheRavenFile

Detection

LockBit ransomware, Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Found post-exploitation toolkit Empire
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
Yara detected MetasploitPayload
AI detected suspicious sample
Changes the wallpaper picture
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found Tor onion address
Found potential ransomware demand text
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies existing user documents (likely ransomware behavior)
Powershell drops PE file
Sigma detected: Suspicious PowerShell Parameter Substring
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 4816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\e93wY5kRY0.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5916 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\e93wY5kRY0.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • E8D5.tmp (PID: 2644 cmdline: "C:\ProgramData\E8D5.tmp" MD5: 294E9F64CB1642DD89229FFF0592856B)
  • cleanup
{"URL": "http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion", "Ransom Note": "~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~\r\n\r\n>>>>> You must pay us.\r\n\r\nTor Browser Links BLOG where the stolen infortmation will be published:\r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/\r\nhttp://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/\r\nhttp://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/\r\nhttp://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/\r\nhttp://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/\r\nhttp://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/\r\nhttp://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/\r\n\r\n>>>>> What is the guarantee that we won't scam you? \r\nWe are the oldest extortion gang on the planet and nothing is more important to us than our reputation. We are not a politically motivated group and want nothing but financial rewards for our work. If we defraud even one client, other clients will not pay us. In 5 years, not a single client has been left dissatisfied after making a deal with us. If you pay the ransom, we will fulfill all the terms we agreed upon during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators' salaries. You can get more information about us on Elon Musk's Twitter at https://twitter.com/hashtag/lockbit?f=live.\r\n\r\n>>>>> Warning! 
Do not delete or modify encrypted files, it will lead to irreversible problems with decryption of files!\r\n\r\n>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. They will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.\r\n\r\n>>>>> When buying bitcoin, do not tell anyone the true purpose of the purchase. Some brokers, especially in the US, do not allow you to buy bitcoin to pay ransom. Communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for Donald Trump to win the election, buying bitcoin to participate in ICO and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. Also you can use adequate cryptocurrency brokers who do not ask questions for what you buy cryptocurrency.\r\n\r\n>>>>> After buying cryptocurrency from a broker, store the cryptocurrency on a cold wallet, such as https://electrum.org/ or any other cold cryptocurrency wallet, more details on https://bitcoin.org By paying the ransom from your personal cold cryptocurrency wallet, you will avoid any problems from regulators, police and brokers.\r\n\r\n>>>>> Don't be afraid of any legal consequences, you were very scared, that's why you followed all our instructions, it's not your fault if you are very scared. Not a single company that paid us has had issues. 
Any excuses are just for insurance company to not pay on their obligation.\r\n\r\n>>>>> You need to contact us via TOR darknet sites with your personal ID\r\n\r\nDownload and install Tor Browser https://www.torproject.org/\r\nWrite to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.\r\n\r\nTor Browser personal link for CHAT available only to you: \r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion\r\n\r\nTor Browser Links for CHAT \r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion\r\nhttp://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion\r\nhttp://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion\r\nhttp://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion\r\nhttp://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion\r\n\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>> Your personal identifier to communicate with us ID: 07AAB9B790E0235B7A4DA89DCC54C3C2 
<<<<<\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n\r\n>>>>> Want a lamborghini, a ferrari and lots of titty girls? Sign up and start your pentester billionaire journey in 5 minutes with us.\r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion\r\nhttp://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion\r\nhttp://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion\r\nhttp://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion\r\nhttp://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion\r\n\r\nVersion: LockBitBlack4.0-rc-001\r\n"}
Source | Rule | Description | Author | Strings
00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security
00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown
    • 0x153bd:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
    • 0x8c:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security
00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp | Windows_Hacktool_Mimikatz_355d5d3a | Detection for Invoke-Mimikatz | unknown
    • 0x14e8b:$b2: -MemoryAddress $GetCommandLineWAddrTemp
    • 0x14fe2:$b2: -MemoryAddress $GetCommandLineWAddrTemp
    • 0x14b1d:$b3: -MemoryAddress $GetCommandLineAAddrTemp
    • 0x14c74:$b3: -MemoryAddress $GetCommandLineAAddrTemp
00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp | Empire_Invoke_Gen | Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 | Florian Roth
    • 0x146b0:$s1: $Shellcode1 += 0x48
    • 0x17d80:$s2: $PEHandle = [IntPtr]::Zero
    • 0x1a704:$s2: $PEHandle = [IntPtr]::Zero

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\e93wY5kRY0.ps1 , CommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\e93wY5kRY0.ps1 , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\e93wY5kRY0.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4816, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\e93wY5kRY0.ps1 , ProcessId: 5916, ProcessName: powershell.exe
      Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\e93wY5kRY0.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\e93wY5kRY0.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\e93wY5kRY0.ps1", ProcessId: 4816, ProcessName: powershell.exe
      Source: Registry Key set | Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ) | Data: Details: C:\ProgramData\kF0wnCN24.bmp, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5916, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\WallPaper
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\e93wY5kRY0.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\e93wY5kRY0.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\e93wY5kRY0.ps1", ProcessId: 4816, ProcessName: powershell.exe
      No Suricata rule has matched
      AV Detection

      Source: C:\ProgramData\E8D5.tmp | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
      Source: kF0wnCN24.README.txt11.6.dr | Malware Configuration Extractor: Lockbit (the extracted configuration is the one listed in the Classification section above: URL http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion together with the LockBit 4.0 ransom note, Version: LockBitBlack4.0-rc-001)
      Source: C:\ProgramData\E8D5.tmp | ReversingLabs: Detection: 86%
      Source: e93wY5kRY0.ps1 | ReversingLabs: Detection: 31%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
      Source: C:\ProgramData\E8D5.tmp | Joe Sandbox ML: detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Videos\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Searches\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Saved Games\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Recent\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Pictures\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Pictures\Saved Pictures\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Pictures\Camera Roll\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\OneDrive\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Music\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Links\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Favorites\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Favorites\Links\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Downloads\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\VWDFPKGDUF\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\PALRGUCVEH\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\NYMMPCEIMA\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\NWCXBPIUYI\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\LIJDSFKJZG\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\GRXZDKKVDB\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\EWZCVGNOWT\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\EIVQSAOTAQ\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\BJZFPPWAPT\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\VWDFPKGDUF\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\PALRGUCVEH\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\NYMMPCEIMA\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\NWCXBPIUYI\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\LIJDSFKJZG\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\GRXZDKKVDB\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\EWZCVGNOWT\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\EIVQSAOTAQ\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\BJZFPPWAPT\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Contacts\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\3D Objects\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\.ms-ad\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\$WinREAgent\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\$WinREAgent\Scratch\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0964930C FindFirstFileExW,FindNextFileW,6_2_0964930C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_096493E0 FindFirstFileExW,6_2_096493E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_09647AC0 FindFirstFileW,FindClose,FindNextFileW,FindClose,6_2_09647AC0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_096494BC FindFirstFileExW,GetFileAttributesW,DeleteFileW,FindNextFileW,6_2_096494BC
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_09650F48 SetThreadPriority,FindFirstFileExW,FindNextFileW,6_2_09650F48
      Source: C:\ProgramData\E8D5.tmp | Code function: 11_2_0040227C FindFirstFileExW,11_2_0040227C
      Source: C:\ProgramData\E8D5.tmp | Code function: 11_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,11_2_0040152C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_096492B8 GetLogicalDriveStringsW,6_2_096492B8
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

      Networking

      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt11.6.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt12.6.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt24.6.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt24.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt24.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt24.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt24.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt1.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt30.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt10.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt29.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt38.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt5.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt36.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt27.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt15.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt23.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt16.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.dr, kF0wnCN24.README.txt7.6.dr, kF0wnCN24.README.txt18.6.dr, kF0wnCN24.README.txt13.6.dr, kF0wnCN24.README.txt25.6.dr, kF0wnCN24.README.txt6.6.dr, kF0wnCN24.README.txt31.6.dr (13 dropped copies of the ransom note; each copy contains all 18 strings below) | String found in binary or memory:
        http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
        http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
        http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
        http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
        http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
        http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
        http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
        http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
        http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
        http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
        http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
        http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
        http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
        http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
        http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
        http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
        http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
        http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt37.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: powershell.exe, 00000001.00000002.2467527805.0000021F39718000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2509371864.0000021F480F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2632696715.0000000005C94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000001.00000002.2467527805.0000021F37E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2608935232.0000000004B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000001.00000002.2467527805.0000021F39425000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000006.00000002.2672034146.00000000091BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coD
      Source: powershell.exe, 00000006.00000002.2672034146.00000000091BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coDq
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: powershell.exe, 00000001.00000002.2467527805.0000021F37E81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000006.00000002.2608935232.0000000004B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
      Source: powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: https://bitcoin.org
      Source: powershell.exe, 00000006.00000002.2632696715.0000000005C94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000006.00000002.2632696715.0000000005C94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000006.00000002.2632696715.0000000005C94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: https://electrum.org/
      Source: powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000001.00000002.2467527805.0000021F380B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester0
      Source: powershell.exe, 00000001.00000002.2467527805.0000021F39718000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2509371864.0000021F480F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2632696715.0000000005C94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000001.00000002.2467527805.0000021F39425000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
      Source: powershell.exe, 00000001.00000002.2467527805.0000021F39425000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: https://twitter.com/hashtag/lockbit?f=live.
      Source: kF0wnCN24.README.txt11.6.dr, kF0wnCN24.README.txt12.6.dr, kF0wnCN24.README.txt24.6.dr, kF0wnCN24.README.txt1.6.dr, kF0wnCN24.README.txt30.6.dr, kF0wnCN24.README.txt10.6.dr, kF0wnCN24.README.txt29.6.dr, kF0wnCN24.README.txt38.6.dr, kF0wnCN24.README.txt5.6.dr, kF0wnCN24.README.txt36.6.dr, kF0wnCN24.README.txt27.6.dr, kF0wnCN24.README.txt15.6.dr, kF0wnCN24.README.txt23.6.dr, kF0wnCN24.README.txt16.6.dr, kF0wnCN24.README.txt28.6.dr, kF0wnCN24.README.txt21.6.dr, kF0wnCN24.README.txt39.6.dr, kF0wnCN24.README.txt.6.dr, kF0wnCN24.README.txt17.6.dr, kF0wnCN24.README.txt0.6.dr, kF0wnCN24.README.txt4.6.drString found in binary or memory: https://www.torproject.org/

      Spam, unwanted Advertisements and Ransom Demands

      Source: C:\Users\user\Desktop\kF0wnCN24.README.txt Dropped file: ~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~>>>>> You must pay us.Tor Browser Links BLOG where the stolen infortmation will be published:( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/>>>>> What is the guarantee that we won't scam you? We are the oldest extortion gang on the planet and nothing is more important to us than our reputation. We are not a politically motivated group and want nothing but financial rewards for our work. If we defraud even one client, other clients will not pay us. In 5 years, not a single client has been left dissatisfied after making a deal with us. If you pay the ransom, we will fulfill all the terms we agreed upon during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators' salaries. You can get more information about us on Elon Musk's Twitter at https://twitter.com/hashtag/lockbit?f=live.>>>>> Warning! Do not delete or modify encrypted files, it will lead to irreversible problems with decryption of files!>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. They will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> When buying bitcoin, do not tell anyone the true purpose of the purchase. Some brokers, especially in the US, do not allow you to buy bitcoin to pay ransom. Communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for Donald Trump to win the election, buying bitcoin to participate in ICO and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. Also you can use adequate cryptocurrency brokers who do not ask questions for what you buy cryptocurrency.>>>>> After buying cryptocurrency from a broker, store the cryptocurrency on a
      Source: Yara match File source: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000002.2632696715.0000000005F9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\kF0wnCN24.bmp
      Source: powershell.exe, 00000006.00000002.2648289061.00000000070D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: All your important files are stolen and encrypted!
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File moved: C:\Users\user\Desktop\BJZFPPWAPT\KLIZUSIQEN.png
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File moved: C:\Users\user\Desktop\PALRGUCVEH\JDDHMPCDUJ.jpg
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File moved: C:\Users\user\Desktop\DUUDTUBZFW.xlsx
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File moved: C:\Users\user\Desktop\JDDHMPCDUJ.jpg
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File moved: C:\Users\user\Desktop\ZIPXYXWIOY.png
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped (same ransom-note content in each of the following): C:\Users\user\Desktop\kF0wnCN24.README.txt, C:\Users\user\Documents\NYMMPCEIMA\kF0wnCN24.README.txt, C:\Users\user\Documents\NWCXBPIUYI\kF0wnCN24.README.txt, C:\Users\user\Documents\LIJDSFKJZG\kF0wnCN24.README.txt, C:\Users\user\Documents\GRXZDKKVDB\kF0wnCN24.README.txt, C:\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile dropped: C:\Users\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not aJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile dropped: C:\Users\user\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not aJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile dropped: C:\Users\user\Videos\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not aJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile dropped: C:\Users\user\Desktop\VWDFPKGDUF\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not aJump to dropped file

      System Summary

      Source: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
      Source: 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detection for Invoke-Mimikatz Author: unknown
      Source: 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
      Source: 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
      Source: 00000006.00000002.2632696715.0000000005F9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
      Source: Process Memory Space: powershell.exe PID: 5916, type: MEMORYSTR | Matched rule: Detection for Invoke-Mimikatz Author: unknown
      Source: Process Memory Space: powershell.exe PID: 5916, type: MEMORYSTR | Matched rule: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
      Source: Process Memory Space: powershell.exe PID: 5916, type: MEMORYSTR | Matched rule: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
      Source: Process Memory Space: powershell.exe PID: 5916, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\E8D5.tmp
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0964D0A8 NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0964FBB8 NtTerminateProcess
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_09648AFC NtQueryInformationToken
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0964CDF0 NtSetInformationThread
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0964B5D0 NtQuerySystemInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0964AD80 RtlAdjustPrivilege,NtSetInformationThread
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_09649C7C NtQuerySystemInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0964CFE8 NtQueryInformationToken
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0964D660 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtProtectVirtualMemory,NtWriteVirtualMemory,NtDuplicateObject,CreateNamedPipeW,ResumeThread,ConnectNamedPipe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_09648614 NtSetInformationThread
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_09649EDC NtQueryDefaultUILanguage
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0964AD7E RtlAdjustPrivilege,NtSetInformationThread
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_09649C7A NtQuerySystemInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_09649CC7 NtQuerySystemInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_09649CAE NtQuerySystemInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0964B622 NtQuerySystemInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0964B609 NtQuerySystemInformation
      Source: C:\ProgramData\E8D5.tmp | Code function: 11_2_00402760 CreateFileW,ReadFile,NtClose
      Source: C:\ProgramData\E8D5.tmp | Code function: 11_2_0040286C NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess
      Source: C:\ProgramData\E8D5.tmp | Code function: 11_2_00402F18 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW
      Source: C:\ProgramData\E8D5.tmp | Code function: 11_2_0040362E GetLogicalDriveStringsW,GetDriveTypeW,CreateThread,NtClose,Sleep
      Source: C:\ProgramData\E8D5.tmp | Code function: 11_2_00401DC2 NtProtectVirtualMemory
      Source: C:\ProgramData\E8D5.tmp | Code function: 11_2_00401D94 NtSetInformationThread
      Source: C:\ProgramData\E8D5.tmp | Code function: 11_2_004016B4 NtAllocateVirtualMemory,NtAllocateVirtualMemory
      Source: C:\ProgramData\E8D5.tmp | Code function: 11_2_004032E8: SetThreadPriority,GetDiskFreeSpaceW,GetDiskFreeSpaceExW,GetTempFileNameW,CreateFileW,DeviceIoControl,CreateIoCompletionPort
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD341B3AB7
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD341B34F2
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00E6F27C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_09649EDC
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_096470B4
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_09646BA4
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_09646B9F
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_096504DC
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_096D3480
      Source: Joe Sandbox View | Dropped File: C:\ProgramData\E8D5.tmp 917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Security
      Source: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
      Source: 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23
      Source: 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28
      Source: 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8
      Source: 00000006.00000002.2632696715.0000000005F9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
      Source: Process Memory Space: powershell.exe PID: 5916, type: MEMORYSTR | Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23
      Source: Process Memory Space: powershell.exe PID: 5916, type: MEMORYSTR | Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28
      Source: Process Memory Space: powershell.exe PID: 5916, type: MEMORYSTR | Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8
      Source: Process Memory Space: powershell.exe PID: 5916, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Source: E8D5.tmp.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winPS1@7/161@0/0
      Source: C:\ProgramData\E8D5.tmp | Code function: 11_2_004032E8 SetThreadPriority,GetDiskFreeSpaceW,GetDiskFreeSpaceExW,GetTempFileNameW,CreateFileW,DeviceIoControl,CreateIoCompletionPort
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:516:120:WilError_03
      Source: C:\ProgramData\E8D5.tmp | Mutant created: \Sessions\1\BaseNamedObjects\Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_03
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\3c327a3c730976ff4c65a77122158495
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aivmnw2w.et0.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: e93wY5kRY0.ps1 | ReversingLabs: Detection: 31%
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\e93wY5kRY0.ps1"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\e93wY5kRY0.ps1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\ProgramData\E8D5.tmp "C:\ProgramData\E8D5.tmp"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdatauser.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wtsapi32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rstrtmgr.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netapi32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wkscli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: samcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: logoncli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: activeds.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: adsldpc.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: textshaping.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
      Source: C:\ProgramData\E8D5.tmp | Section loaded: apphelp.dll
      Source: C:\ProgramData\E8D5.tmp | Section loaded: rstrtmgr.dll
      Source: C:\ProgramData\E8D5.tmp | Section loaded: ncrypt.dll
      Source: C:\ProgramData\E8D5.tmp | Section loaded: ntasn1.dll
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
      Source: E8D5.tmp.6.drStatic PE information: real checksum: 0x8fd0 should be: 0x4f26
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD341B00BD pushad ; iretd 1_2_00007FFD341B00C1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00E642D9 push ebx; ret 6_2_00E642DA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_09648012 pushfd ; iretd 6_2_09648016
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0964546F push 0000006Ah; retf 6_2_096454E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_09645471 push 0000006Ah; retf 6_2_096454E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_09645408 push 0000006Ah; retf 6_2_096454E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_096973E3 push esp; ret 6_2_096973E5
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_096DB39C pushfd ; ret 6_2_096DB3B1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_096DCDAA push esp; ret 6_2_096DCDD3
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_096D3480 push esp; ret 6_2_096D36E6
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_096D6E51 push esp; ret 6_2_096D6E66
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0974037D push 8BD68B50h; retf 6_2_09740382
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0974754F push 8BD68B50h; iretd 6_2_09747554
      Source: E8D5.tmp.6.drStatic PE information: section name: .text entropy: 7.985216639497568
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\E8D5.tmpJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\E8D5.tmpJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Videos\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Searches\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Saved Games\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Recent\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Pictures\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Pictures\Saved Pictures\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Pictures\Camera Roll\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\OneDrive\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Music\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Links\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Favorites\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Favorites\Links\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Downloads\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\VWDFPKGDUF\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\PALRGUCVEH\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\NYMMPCEIMA\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\NWCXBPIUYI\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\LIJDSFKJZG\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\GRXZDKKVDB\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\EWZCVGNOWT\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\EIVQSAOTAQ\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\BJZFPPWAPT\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\VWDFPKGDUF\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\PALRGUCVEH\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\NYMMPCEIMA\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\NWCXBPIUYI\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\LIJDSFKJZG\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\GRXZDKKVDB\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\EWZCVGNOWT\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\EIVQSAOTAQ\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\BJZFPPWAPT\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Contacts\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\3D Objects\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\.ms-ad\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\$WinREAgent\kF0wnCN24.README.txtJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\$WinREAgent\Scratch\kF0wnCN24.README.txtJump to behavior

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0964AFE0 RegCreateKeyExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,RegCreateKeyExW,OpenEventLogW,ClearEventLogW,6_2_0964AFE0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
      Source: C:\ProgramData\E8D5.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX

      Malware Analysis System Evasion

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0964108C 6_2_0964108C
      Source: C:\ProgramData\E8D5.tmp Code function: 11_2_00401E28 11_2_00401E28
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0964108C rdtsc 6_2_0964108C
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4975
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4066
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8104
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1357
      Source: C:\ProgramData\E8D5.tmp Window / User API: threadDelayed 1155
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4560 Thread sleep time: -8301034833169293s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5768 Thread sleep time: -2767011611056431s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5740 Thread sleep time: -6456360425798339s >= -30000s
      Source: C:\ProgramData\E8D5.tmp TID: 5112 Thread sleep count: 1155 > 30
      Source: C:\ProgramData\E8D5.tmp TID: 5112 Thread sleep time: -115500s >= -30000s
      Source: C:\ProgramData\E8D5.tmp Last function: Thread delayed
      Source: C:\ProgramData\E8D5.tmp File Volume queried: C:\7E0B47C2 FullSizeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0964930C FindFirstFileExW,FindNextFileW,6_2_0964930C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_096493E0 FindFirstFileExW,6_2_096493E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09647AC0 FindFirstFileW,FindClose,FindNextFileW,FindClose,6_2_09647AC0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_096494BC FindFirstFileExW,GetFileAttributesW,DeleteFileW,FindNextFileW,6_2_096494BC
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09650F48 SetThreadPriority,FindFirstFileExW,FindNextFileW,6_2_09650F48
      Source: C:\ProgramData\E8D5.tmp Code function: 11_2_0040227C FindFirstFileExW,11_2_0040227C
      Source: C:\ProgramData\E8D5.tmp Code function: 11_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,11_2_0040152C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_096492B8 GetLogicalDriveStringsW,6_2_096492B8
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: 3BD0.tmp.11.dr Binary or memory string: 1VMci
      Source: powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

      Anti Debugging

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
      Source: C:\ProgramData\E8D5.tmp Thread information set: HideFromDebugger
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0964108C rdtsc 6_2_0964108C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_096478BC LdrLoadDll,6_2_096478BC
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\ProgramData\E8D5.tmp base: 401000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\e93wY5kRY0.ps1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\ProgramData\E8D5.tmp "C:\ProgramData\E8D5.tmp"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0964108C cpuid 6_2_0964108C
      Source: C:\ProgramData\E8D5.tmp Code function: EntryPoint,GetModuleHandleW,GetCommandLineW,GetModuleHandleA,GetCommandLineW,GetLocaleInfoW,GetLastError,FreeLibrary,FreeLibrary,GetProcAddress,CreateWindowExW,DefWindowProcW,GetWindowTextW,LoadMenuW,LoadMenuW,DefWindowProcW,SetTextColor,GetTextCharset,TextOutW,SetTextColor,GetTextColor,CreateFontW,GetTextColor,CreateDIBitmap,SelectObject,GetTextColor,CreateFontW,11_2_00403983
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0964D660 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtProtectVirtualMemory,NtWriteVirtualMemory,NtDuplicateObject,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,6_2_0964D660

Remote Access Functionality

Source: powershell.exe, 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp | Memory string: $Shellcode1 += 0x48
Source: powershell.exe, 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp | Memory string: $PEHandle = [IntPtr]::Zero
Source: Yara match | File source: 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5916, type: MEMORYSTR
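The two signals above are what a triage script would key on: the API chain the report lists for function 6_2_0964D660 (write a temp file, create a process, write and re-protect its memory, resume the thread) and the PowerShell loader strings recovered from memory ($Shellcode1 += 0x48, $PEHandle = [IntPtr]::Zero, the variable names PowerSploit-style reflective loaders use). The following is an added example written for this page, not code from Joe Sandbox or from the sample: a relative-order check for the drop-then-inject chain plus a weighted string scan over script-block text. The weights, the threshold and the 4104-style sample records are assumptions made here; the sample records are constructed, not real event-log data.

```python
"""Triage helpers for the two loader signals this report shows.

Added example, not code from Joe Sandbox or from the sample. (1) checks
an API trace for the drop-then-inject order the report lists for
6_2_0964D660; (2) scans PowerShell script-block text for the in-memory
loader strings found in the memory dump. Weights, threshold and the
4104-style records below are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field

# --- (1) API-chain check ---------------------------------------------------

# Ordered call sequence Joe Sandbox lists for 6_2_0964D660 (from the report).
REPORT_TRACE = [
    "GetTempFileNameW", "CreateFileW", "WriteFile", "CreateProcessW",
    "NtQueryInformationProcess", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
    "NtDuplicateObject", "CreateNamedPipeW", "ResumeThread", "ConnectNamedPipe",
]
# Relative-order patterns; unrelated calls may appear between the elements.
DROP_CHAIN = ["GetTempFileNameW", "WriteFile", "CreateProcessW"]
INJECT_CHAIN = ["CreateProcessW", "NtWriteVirtualMemory", "ResumeThread"]

def contains_in_order(trace, chain):
    """True if every API in chain occurs in trace in that relative order."""
    it = iter(trace)  # each any() consumes the iterator up to its match
    return all(any(call == api for call in it) for api in chain)

def classify_trace(trace):
    """Label a trace by which of the two chains it contains."""
    drop = contains_in_order(trace, DROP_CHAIN)
    inject = contains_in_order(trace, INJECT_CHAIN)
    if drop and inject:
        return "drop-and-inject"
    if inject:
        return "inject"
    if drop:
        return "drop"
    return "none"

# --- (2) Script-block string scan -------------------------------------------

# name -> (pattern, weight). Strong indicators are the two strings from the
# memory dump; the Nt* / ResumeThread / named-pipe names are weaker on their own.
INDICATORS = {
    "shellcode_byte_append": (re.compile(r"\$\w*[Ss]hellcode\w*\s*\+=\s*0x[0-9A-Fa-f]{2}"), 3),
    "pe_handle_init":        (re.compile(r"\$PEHandle\s*=\s*\[IntPtr\]::Zero"), 3),
    "nt_memory_write":       (re.compile(r"\bNt(?:Protect|Write)VirtualMemory\b"), 2),
    "resume_thread":         (re.compile(r"\bResumeThread\b"), 1),
    "named_pipe":            (re.compile(r"\bCreateNamedPipeW?\b"), 1),
}
THRESHOLD = 4  # assumed: two strong hits, or one strong plus weak supporting hits

@dataclass
class Finding:
    record_id: str
    score: int = 0
    hits: list = field(default_factory=list)

def scan_scriptblock(record_id, text):
    """Match every indicator against one script block and sum the weights."""
    finding = Finding(record_id)
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            finding.hits.append(name)
            finding.score += weight
    return finding

def triage(records):
    """records: iterable of (id, text). Return findings at or above THRESHOLD."""
    return [f for f in (scan_scriptblock(i, t) for i, t in records)
            if f.score >= THRESHOLD]

# Constructed sample records (not real event-log data): one admin one-liner,
# one block that looks like the loader whose strings the report recovered.
SAMPLE_RECORDS = [
    ("4104-0001", "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB | Remove-Item"),
    ("4104-0002",
     "$PEHandle = [IntPtr]::Zero\n"
     "$Shellcode1 = @()\n$Shellcode1 += 0x48\n$Shellcode1 += 0xb8\n"
     "$NtProtect = Get-ProcAddress ntdll.dll NtProtectVirtualMemory\n"
     "$Resume = Get-ProcAddress kernel32.dll ResumeThread\n"),
]

if __name__ == "__main__":
    print("report trace:", classify_trace(REPORT_TRACE))
    for f in triage(SAMPLE_RECORDS):
        print(f.record_id, f.score, ", ".join(f.hits))
```

The order check deliberately tolerates calls between the chain elements (NtQueryInformationProcess, NtDuplicateObject and the named-pipe setup in this trace), because loaders vary in what they do between CreateProcessW and ResumeThread; the string scan weights the dump's exact loader strings above generic API names so that an admin script mentioning ResumeThread alone does not cross the threshold.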
MITRE ATT&CK Matrix

The figure in brackets is the report's signature counter for that technique; techniques without a counter were not matched by any signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: PowerShell [1]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [112]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [121]; Process Injection [112]; Obfuscated Files or Information [2]; Software Packing [2]; Indicator Removal [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [311]; Process Discovery [1]; Virtualization/Sandbox Evasion [121]; Application Window Discovery [1]; File and Directory Discovery [4]; System Information Discovery [133]; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [1]; Proxy [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Data Encrypted for Impact [2]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus detection (submitted file)
Source | Detection | Scanner | Label
e93wY5kRY0.ps1 | 32% | ReversingLabs | Script-PowerShell.Trojan.Lockbit

Antivirus detection (dropped file)
Source | Detection | Scanner | Label
C:\ProgramData\E8D5.tmp | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\ProgramData\E8D5.tmp | 100% | Joe Sandbox ML |
C:\ProgramData\E8D5.tmp | 87% | ReversingLabs | Win32.Trojan.Malgent

No Antivirus matches (reported for three further categories)
      No contacted domains info
URLs
Name | Source | Malicious | Reputation
README below stands for the 21 dropped ransom-note copies: kF0wnCN24.README.txt{,0,1,4,5,10,11,12,15,16,17,21,23,24,27,28,29,30,36,38,39}.6.dr

http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion | README | true | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2467527805.0000021F39718000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000002.2509371864.0000021F480F6000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.2632696715.0000000005C94000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000001.00000002.2467527805.0000021F39425000.00000004.00000800.00020000.00000000.sdmp | false | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ | README | true | unknown
http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion | README | true | unknown
http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion | README | true | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion | README | true | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ | README | true | unknown
http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion | README | true | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2632696715.0000000005C94000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2632696715.0000000005C94000.00000004.00000800.00020000.00000000.sdmp | false | high
https://electrum.org/ | README | true | unknown
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ | README | true | unknown
https://www.torproject.org/ | README | false | high
https://bitcoin.org | README | false | high
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion | README | true | unknown
http://www.microsoft.coD | powershell.exe, 00000006.00000002.2672034146.00000000091BE000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion | README | true | unknown
https://github.com/Pester/Pester0 | powershell.exe, 00000001.00000002.2467527805.0000021F380B3000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ | README | true | unknown
http://www.microsoft.coDq | powershell.exe, 00000006.00000002.2672034146.00000000091BE000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2608935232.0000000004B21000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ | README | true | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.2608935232.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/ | powershell.exe, 00000006.00000002.2632696715.0000000005C94000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2467527805.0000021F39718000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000002.2509371864.0000021F480F6000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.2632696715.0000000005C94000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ | README | true | unknown
https://oneget.orgX | powershell.exe, 00000001.00000002.2467527805.0000021F39425000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion | README | true | unknown
https://twitter.com/hashtag/lockbit?f=live. | README | false | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.2467527805.0000021F37E81000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion | README | true | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2467527805.0000021F37E81000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.2608935232.0000000004B21000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ | README | true | unknown
http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion | README | true | unknown
https://oneget.org | powershell.exe, 00000001.00000002.2467527805.0000021F39425000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion | README | true | unknown
                                                                                          No contacted IP infos
                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                          Analysis ID:1579856
                                                                                          Start date and time:2024-12-23 12:32:08 +01:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 6m 26s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:0
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Sample name:e93wY5kRY0.ps1
                                                                                          renamed because original name is a hash value
                                                                                          Original Sample Name:20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9.ps1
                                                                                          Detection:MAL
                                                                                          Classification:mal100.rans.troj.spyw.evad.winPS1@7/161@0/0
                                                                                          EGA Information:
                                                                                          • Successful, ratio: 66.7%
                                                                                          HCA Information:
                                                                                          • Successful, ratio: 100%
                                                                                          • Number of executed functions: 102
                                                                                          • Number of non-executed functions: 32
                                                                                          Cookbook Comments:
                                                                                          • Found application associated with file extension: .ps1
                                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, VSSVC.exe, svchost.exe
                                                                                          • Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
                                                                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                          • Execution Graph export aborted for target powershell.exe, PID 4816 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                          • VT rate limit hit for: e93wY5kRY0.ps1
Time | Type | Description
06:33:35 | API Interceptor | 57x Sleep call for process: powershell.exe modified
06:34:46 | API Interceptor | 1133x Sleep call for process: E8D5.tmp modified
                                                                                          No context
                                                                                          No context
                                                                                          No context
                                                                                          No context
Match: C:\ProgramData\E8D5.tmp
Associated Sample Name | Detection | Threat Name
zhbEGHo55P.exe | malicious | LockBit ransomware
LB3.exe | malicious | LockBit ransomware
LBB.exe | malicious | LockBit ransomware
ggjLV4w8Ya.exe | malicious | LockBit ransomware
yEB1xvr2rZ.exe | malicious | LockBit ransomware
71p2xmx6rP.exe | malicious | LockBit ransomware
98ST13Qdiy.exe | malicious | LockBit ransomware
c8JakemodH.exe | malicious | LockBit ransomware
Document.doc.scr.exe | malicious | LockBit ransomware, TrojanRansom
Rcqcps3y45.exe | malicious | LockBit ransomware
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Reputation:low
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
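The .onion addresses in the URL table above and the ACCESS KEY in this note preview are the indicators a responder pulls out of a LockBit README. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it extracts those indicators from note text. The note excerpt embedded in it is constructed from the preview above (the preview renders each CRLF as ".."), the regexes are this example's own, and the rule that classifies a .onion label by length (56 base32 characters for v3, 16 for the retired v2) is an assumption of the example.

```python
"""Pull IOCs out of a LockBit README ransom note.

Added example; not code from the Joe Sandbox report or from the sample. The
embedded note text is constructed from the preview shown in the report, and
the regexes and the onion-version rule are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt modelled on the report's README preview (CRLF line ends).
# The last block repeats one address on purpose to show de-duplication.
SAMPLE_NOTE = "\r\n".join([
    "~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~",
    "",
    ">>>>> You must pay us.",
    "Tor Browser Links BLOG where the stolen infortmation will be published:",
    "( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )",
    "http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/",
    "http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/",
    "",
    "Links:",  # constructed section label
    "http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion",
    "http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion",
    "http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/",
])

ONION_RE = re.compile(r"https?://([a-z2-7]+)\.onion\b", re.IGNORECASE)
ACCESS_KEY_RE = re.compile(r"ACCESS KEY\s*-\s*([A-Z0-9]+)")
VERSION_RE = re.compile(r"attacked by LockBit ([0-9]+(?:\.[0-9]+)?)")
README_NAME_RE = re.compile(r"^([A-Za-z0-9]+)\.README\.txt$")


def onion_version(label: str) -> str:
    """Classify a .onion label by length (assumption: v3 = 56 chars, v2 = 16)."""
    return {56: "v3", 16: "v2"}.get(len(label), "unknown")


@dataclass
class NoteIOCs:
    lockbit_version: str | None
    access_keys: list[str]
    onion_hosts: list[str]          # de-duplicated, first-seen order
    onion_versions: dict[str, str]


def extract_iocs(text: str) -> NoteIOCs:
    """Collect onion hosts, access keys and the claimed LockBit version."""
    hosts: list[str] = []
    for m in ONION_RE.finditer(text):
        host = m.group(1).lower() + ".onion"
        if host not in hosts:
            hosts.append(host)
    keys = list(dict.fromkeys(ACCESS_KEY_RE.findall(text)))
    ver = VERSION_RE.search(text)
    return NoteIOCs(
        lockbit_version=ver.group(1) if ver else None,
        access_keys=keys,
        onion_hosts=hosts,
        onion_versions={h: onion_version(h[: -len(".onion")]) for h in hosts},
    )


def victim_id_from_note_name(filename: str) -> str | None:
    """LockBit names its note <victim id>.README.txt (kF0wnCN24.README.txt in this report)."""
    m = README_NAME_RE.match(filename)
    return m.group(1) if m else None


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_NOTE)
    print("LockBit version:", iocs.lockbit_version)
    print("access keys:", iocs.access_keys)
    for h in iocs.onion_hosts:
        print(f"{iocs.onion_versions[h]:>7}  {h}")
    print("victim id:", victim_id_from_note_name("kF0wnCN24.README.txt"))
```

Run it against every `*.README.txt` found on a host to collect the infrastructure list and the per-victim ACCESS KEY for the incident record; the victim id in the note filename is the same string the sandbox saw in every dropped-note path.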
                                                                                                              Process:C:\ProgramData\E8D5.tmp
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):14417920
                                                                                                              Entropy (8bit):7.999987695729765
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:393216:R1FggPhcyfO/OhvtFKrH31m3IH6fFmn2UGyyu:RvDiyfdvtFKD1086fFoG6
                                                                                                              MD5:F7AC4DF2894E51BC6FE22F49C41E4529
                                                                                                              SHA1:A991E05FE36A0ED51B7153166A8962DAC7884471
                                                                                                              SHA-256:E39187C69AB75322385EE0C66E7C2B7AE35CBFBB5693A4E0E42A02B4C12F7DE7
                                                                                                              SHA-512:B03F49804DFB91F277E8D5CD9E0B97E1D0EC289CEBFBA1270A60700BDF55F7940384A50C6119D9117E9B4BD221C1D00B46D061D23F39E2EA543AC630B32B6E78
                                                                                                              Malicious:false
                                                                                                              Reputation:low
                                                                                                              Preview:[.rL.....#....5.x...+..x.Xf.&....v=g..L.n.....!k..sF.....}.>i...mL_<0$1.W$@...._..K..WLHT...s....>.r..2.9onQ....z.Y..WF.kXm.J.3.ADD_.W._.Z.E..+....v.75.%$.b.....f.j|.....^..D.I.,.7.*..='D.....3yf2...h.. k..hq......i.i0^u..#,K~....0...(..(!Q.M.........D7.....(....X.t.$..SD.l...8..(..\.V.<'..5.:*.$.....+@...UM...n..s..D..AnC...~Z.J.ef..n4;...J%.....9X.3.R4.6..`.x.2n.*..'..r.1..l..2urh....%.|C......s2M.~...>....s'E..%.&jK....=.X.iZae.7..A.Z....oD."D0_..?.fdp1....t..`K.zv...3UP..].....s..{...iY].R....`G.l.....Pr......'.......m.,.7.(FiPA&T9.B..^\.0..6..FI&..l`..h...........|.b.;..Y.k.~.".......M.G..D.CI.CE...k...V.......7\QuV.2..L..(..d.\]..qx..s.....pg.@."..s/;....N.e...C.r.F.s.......p...?.8f...[...O/..P.K...7(.<vn0........-a|F..`+r9.=...H..K......]..F3c.<..>.1.Wm'....u....].!sg<a.....,j....c..1[,L.u..v...`. .,..]...A}AhSq...K.un.Fk..4..~....?.rD...?|..#.(....vK.!+.c..8RL.pZ.....dq...,.m....e..StC..!E,.h..w....t!.1.....(..a.....D<.t.
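This record is what an encrypted victim file looks like in the report: 14 MB written by E8D5.tmp, entropy 7.99999 bits per byte, Encrypted:true, whereas the dropped wallpaper bitmap further down sits at 0.2 and the 14 KB PE at 7.5. The following Python is an added example, not code from Joe Sandbox or the sample, that reproduces the per-file fields (size, hashes, 8-bit Shannon entropy, a magic-based type guess) and an encrypted verdict over constructed buffers. The entropy threshold and minimum size are this example's assumptions; the report does not state the rule behind its own Encrypted flag.

```python
"""Per-file triage mirroring the fields of the report's dropped-file records.

Added example; not code from the Joe Sandbox report or from the sample. The
sample buffers are constructed, and the entropy threshold and minimum size
are this example's assumptions.
"""
from __future__ import annotations

import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict[str, str]:
    """The four hashes the report lists per dropped file, upper-case hex."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def file_kind(data: bytes) -> str:
    """Minimal magic checks for the kinds seen in this report."""
    if data[:2] == b"MZ":
        return "PE executable"
    if data[:2] == b"BM":
        return "Windows bitmap"
    if data.startswith(b"~~~ You have been attacked by LockBit"):
        return "LockBit ransom note"
    return "data"


def triage(data: bytes, *, min_size: int = 4096, threshold: float = 7.99) -> dict:
    """Flag a file as probably encrypted when it is large enough for the
    statistic to mean anything and its entropy sits at the ceiling.
    Compressed archives and media score high too, so the verdict is a lead,
    not proof; the type guess is there to help rule those out."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "kind": file_kind(data),
        "entropy": round(ent, 6),
        "encrypted": len(data) >= min_size and ent >= threshold,
        **digests(data),
    }


# Constructed stand-ins: uniform bytes for ciphertext (entropy exactly 8.0),
# a near-empty bitmap like the dropped wallpaper, and a tiny varied blob that
# must not be flagged because it is too small to judge.
CIPHERTEXT = bytes(range(256)) * 1024            # 256 KiB, every value equally often
BITMAP = b"BM" + bytes(52) + bytes(64 * 1024)    # header then zero pixels
SMALL_BLOB = bytes(range(0, 256, 3)) * 2         # 172 bytes

if __name__ == "__main__":
    for label, buf in (("ciphertext", CIPHERTEXT), ("bitmap", BITMAP), ("small", SMALL_BLOB)):
        r = triage(buf)
        print(f"{label:10} {r['kind']:16} size={r['size']:>7} entropy={r['entropy']:.4f} "
              f"encrypted={r['encrypted']} sha256={r['sha256'][:16]}...")
```

On a live host the useful signal is the count of files that flip to the encrypted verdict in a short window under one process, which is what the 14 MB record above represents; a single high-entropy file is routine.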
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):14336
                                                                                                              Entropy (8bit):7.4998500975364095
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:5cFP7VtpK4p+31Mzh79W5vM+ZyUgGq4BtMvAxXCRsi:A7Vf9p+qQ02y5HW6kX
                                                                                                              MD5:294E9F64CB1642DD89229FFF0592856B
                                                                                                              SHA1:97B148C27F3DA29BA7B18D6AEE8A0DB9102F47C9
                                                                                                              SHA-256:917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2
                                                                                                              SHA-512:B87D531890BF1577B9B4AF41DDDB2CDBBFA164CF197BD5987DF3A3075983645A3ACBA443E289B7BFD338422978A104F55298FBFE346872DE0895BDE44ADC89CF
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 87%
Joe Sandbox View:
• Filename: zhbEGHo55P.exe, Detection: malicious
• Filename: LB3.exe, Detection: malicious
• Filename: LBB.exe, Detection: malicious
• Filename: ggjLV4w8Ya.exe, Detection: malicious
• Filename: yEB1xvr2rZ.exe, Detection: malicious
• Filename: 71p2xmx6rP.exe, Detection: malicious
• Filename: 98ST13Qdiy.exe, Detection: malicious
• Filename: c8JakemodH.exe, Detection: malicious
• Filename: Document.doc.scr.exe, Detection: malicious
• Filename: Rcqcps3y45.exe, Detection: malicious
                                                                                                              Reputation:moderate, very likely benign file
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....YPb.................,...........9.......@....@..........................p.......................@......................A..P....`...............................@......................`@.......................@..`............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...`....P.......4..............@....rsrc........`.......6..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 16, image size 2621440, cbSize 2621494, bits offset 54
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2621494
                                                                                                              Entropy (8bit):0.20314583509010126
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:GKm71jTv37T1BNrdVRd3fF3bdJf7vhpnzBxD1fJ/tBfJvTLtFFdF9tlFNtnvDdFJ:2
                                                                                                              MD5:94A28C5B7B4726AA99126ACB2C08481F
                                                                                                              SHA1:1E9F8562FCB99F9E431602FC1113F938DC9003E2
                                                                                                              SHA-256:EF4683F06D7539970875A72E1FCC950BB29C3C4499F5B27DAB8A89441F2FC700
                                                                                                              SHA-512:B01FEE850669550E0927CB07E00E29D11E31CD1D150540B734A72E158662A7CA1F94E600AE4B6CCE53039E913A6E6738CB76A8ACC5D8BE2CEE708250BDF07E49
                                                                                                              Malicious:true
                                                                                                              Preview:BM6.(.....6...(.....................(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                              Category:dropped
                                                                                                              Size (bytes):15086
                                                                                                              Entropy (8bit):4.262047636092361
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:jpBaAlHSa2vU9G/8MMBD7O1lXFMB8VMJP7:jpjmkMYD7IFMRx7
                                                                                                              MD5:88D9337C4C9CFE2D9AFF8A2C718EC76B
                                                                                                              SHA1:CE9F87183A1148816A1F777BA60A08EF5CA0D203
                                                                                                              SHA-256:95E059EF72686460884B9AEA5C292C22917F75D56FE737D43BE440F82034F438
                                                                                                              SHA-512:ABAFEA8CA4E85F47BEFB5AA3EFEE9EEE699EA87786FAFF39EE712AE498438D19A06BB31289643B620CB8203555EA4E2B546EF2F10D3F0087733BC0CEACCBEAFD
                                                                                                              Malicious:false
                                                                                                              Preview:......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:OpenPGP Public Key
Category:dropped
Size (bytes):239
Entropy (8bit):7.034512623771709
Encrypted:false
SSDEEP:6:P3jqZig1TTDYWCuCIkdsGxYjJ3924TRTiGSU9Q:PzqZNTTEWfCyl/Q
MD5:CBFC0350A7F3998D0D7042533739D7CC
SHA1:3263004F8AB2AEA0F080651901F1130B50A44997
SHA-256:6309DACBC8DA5F8156BFC85B68A51185D60CB924D54856BAAD10EB7689A031B1
SHA-512:6A583228B0D7B67DDDE79CC86B0C7BE5C6C810CB126E53ABE2186A2DCEA4428F98E842FAC92A349E5D59C9F2729F4A40D1A94224A49681E404A19A141883A4FF
Malicious:false
Preview:..Y]......(.,...*........A.3....O...M..?n....Ob..=......v..i=?.0o....:|.x.6U=.n..$......6.NYu%...b.|8.a.. ...|..x......C<...]..D.=..|z....E..B....... ...`......64..T...x....-...N;......].6.`!...,S].....5^.X..".@y.. .........`".

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.02936286887508
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
Malicious:false
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
SSDEEP:3:NlllulZ2B/XZ:NllUIB/
MD5:BCADA9B4BAFC8EB12FCDE36EFEC171B8
SHA1:11503A6E80E8AE1E623C3D18A3CD581F8E1805F5
SHA-256:0ABF31ECC4BD1118C66C129CFFD39128C41B1FB41639F954FB4A8F1D9B2805E2
SHA-512:4FF0E7215622A25C933C2C3C0D118CEF9C989B9435904FB2D58590588D8856C0CF35D0BB81157F9EF14C14B9CF85FD02F104AF1E3A494AF76E641EEADA632E7A
Malicious:false
Preview:@...e...................................d............@..........

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6224
Entropy (8bit):3.728847670101989
Encrypted:false
SSDEEP:48:4g3SDllItv733CycU2UfqfukvhkvklCywplPR/lHJzSogZo1FPR/lSzSogZox1:4Gj3C6T1kvhkvCCtzPR/aHgPR/nHa
MD5:DAB6C79FF6038294AEE396D67D03E6CB
SHA1:537C736296F835ECF25D0DA20BD5DA7D38DE8E03
SHA-256:04EAF4DA57F63C744BE4AD836CE11535290039223490476BB42C4911DB4F71D5
SHA-512:913BE230DC36CED784B854FE05C8259C8C8A6CE7EB5DBBF0861A3919A1EEB844DCFD1ED715E2DE3C808C67135B82CAFDC1927E3BBBC7BE8E69906AC90D175D53
Malicious:false
Preview:...................................FL..................F.".. ...J.S...'..w.U..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S.....Wq.U..o..w.U......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y'\...........................^.A.p.p.D.a.t.a...B.V.1......Y%\..Roaming.@......EW<2.Y%\..../......................p8.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y"\....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y"\....2......................M].W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y"\....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y"\....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y+\....u...........

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1272
Entropy (8bit):7.836176715736603
Encrypted:false
SSDEEP:24:+DSy6UuwJcMYuqd0DDu4a9k5Pv73T6i5eIJ1ENOyT23BWQFI:+H6UbYu20G4a9kF73T6UJ1ENO+23gQO
MD5:1CE13B007AF4D250188F7B9BB26D4171
SHA1:649A01D392B9544460241AD1885E365CAFBE95BB
SHA-256:EBB46110903801669F69F6E078349D591BB0AACDA6167EF1DB4B27421BFFD4D8
SHA-512:88DCBD94C22BA1A391FAFF4E3BCC3DFBF5C82F89AE2B3CE82AB49E41A09A800B7D98852D941CCFB2341A0587AA05EF443019685A36328BCBF8079E2F57B943B2
Malicious:false
Preview:=F.5Dr......rH.)/...LK9......T.....p:....N...>}y.j...a...p..U^...*...f...9......F.?.]...:..0..Mb..'T.JI.8P..W8.....(..P.............nsx.?.1.,...A..(+X.........a..%.....I.C.]..d....{....S5ZP......x..!..-.%.6NN.......L..tV.X.j..&...g.U...$V.>:F.&Yk......oK.=%...@A+......F.....m......Z...1mr.a...g...x..YV...1...i...7......W.*.A...<..!..@`;..J.^P.8Y..W'.....+..U....5..-..\Fx.Op.....q.....*i.P.[.....H.p.%./.Y7...^.O.L...5s...`!<.J...Msa>....,aK..L....I...1.......N..@.}..d...F.-^eT.3Wm..G..........R._,...dIa."..Y..u.1..~.*...J.....F..al..v.... .d./.iu.Z=G.....p..M.^SVk9..L..>n...R.w.}V...a.....@.....z3..4#..j].;..*..YDa.Gn.....l.......:a.R.[.....D.e.'.%.E ...V.C.Q...>}..4`/!.A...^wp)....,cT..S....F...+.......A..\.f..s...D.)_wO.5_}..T..z...{gH......M.....K.X.=.d.S...qu.N^.$._........O.hs.;"s....Y...v.........^..v....s0s2X..4*...P..9O...ll.....b.5.../5..~_.&...(....P.....Q.D.oT....=./..c..U...s..u.#.%.{....1..5..U.,.*...<.T..td....R plE.....>Y....XM......
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.856425817162156
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:tfl2G5CbP5/a3Fox/+/J5gMZ4WPF382Bc4UihX6HMiGqiPUzQNuO5AI:VlmP5/Z+/gMZVNBc4Um6HMi9saQNuO5l
                                                                                                              MD5:4B9EEC0AF237922C870806BBF1B71F60
                                                                                                              SHA1:263E89E5DDF13ADC839190228435610B99B7DE89
                                                                                                              SHA-256:EF2138DB30FA18C6C43D5B1EEC28851CB24110B269874E116C2FABBFC5AFC8C9
                                                                                                              SHA-512:859EF9877BFBB91DA9736CE9B4FC9F0599D80943685EFC408526B63A803AAE3070B7FBCC0D7AF7A73BF0583D180163D8D3D8F56F64C02331F695FA67013A052C
                                                                                                              Malicious:false
                                                                                                              Preview:....g.Q)..E..K.....j2.-.\Jf...7C@..CG..X......Y..n.I..Xj~...<..U.Q7.....me.Do....b...=.../."a5..=.<...z..>3...Y.I..l.iI..........<.osB.......V`...:\.5Q.I._..*E&.n.Z....`....k0@....P..f.@e.t ...M]_f.S...!f..}.30Xc9.....P"b..!9...../.6..ZL.,.[n....~.G1..M..T......` .;.\@q...1SX..W\..I.......R..n.^..Zev...4..V.J'....lk.Ec....w...)...2.3h;..0.)...n..>:...F.A..o.tL......j_..y.m...j..{.axKI..y... .!.t......u......P.1..;} ..1.'.L<,Vc."4..2..:Z8.A..)x.e....f....~.#]...?...y.....w .g...(/.{..0...9F...."vl..w..2J.D.;.n}..5..8"^!.v..Q..x...0.L..Spa......&.k..O.t.Z.`...(......o..+.3..qWX`..}.-nw..=*.L.Q.....oH..d..t..g..e.|vEE..t...<.?.t............I.:..6k+..'.'.Q/'Kb.10.%..:@8.^..6}.b....a....z./Y...#...n.....v2.j...53...6c....qN.....M..u.}.."=-."....w...9#.....a...P.E..........$..j..v."`h.~)..p.v.kP(6.H8..H...R..z.p%5..N.+.D.;..."yv._x'..^?.+GJL...h.9\...3....nz`.E4....y/4.6..[*.14..."3$....I*.....|..j...I&9...p...V.s.cQ..v...B|..{.(%.
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.843361477529546
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:3ZTGk6buWjm2i5xy0K2UsZ3/z72/30NNkbua5Y4vM7+Wm+58zre43BI+tkMR+kRb:py1bShUe2qixMCzrP8COqpshRI
                                                                                                              MD5:94E9056ED6034FB9016745A93349DAE4
                                                                                                              SHA1:D5E504F67C63634248519B32335EC9D9A841C04C
                                                                                                              SHA-256:EC3F93639BCF528273A340536BB0C199D5C77338F772417564A8CD1913CC6FE2
                                                                                                              SHA-512:DE3EC328DE70E61967D1E4C9E81E1C6463EDB4D22F7FCCA4145797CBA92C6539FCE7A87307FE787355E54DE2582D548AB9FC987A91F7EC72EF787ABF2187A69D
                                                                                                              Malicious:false
                                                                                                              Preview:.Tz..o..$.m...B.. ...&...>....(.F.*...<..\,9..>. .+e.`..t6......,.d.J..A...q<.......M..d..Kc..i.....'..uf.?kto...4.c..V.5.Z.E6p.i..'.^.v.C.J..[?.J...!....*M...4.\U.~.L.BW.">\..:......o`....G(.j$.M..l...\!......X*VD.....p..$.B..`UIj..B...O]..Ty..v..<.e...V........0...)....^.7...-..@7...5.+..r.b..x#......#.v.K..@...p-.......K..u..Z...|*.a..>..|v. p|e...).f..GN....|..N..6.^.I.j.JF..wH..Q.sC..>._...;..xQ~.U..TPD....p.KN.|..c.`?...........9....h..D@..Y..8.X...J...._"..UNL...x..Zf.6..l.Y1{...v.8c.T.6..'.'..S(l!...6.r.3..-..%....`......:.&o0.......t....Oe[.D.....FM..i.......t/0d?.51..[.......3.(..1.._Q?ZN...{..K..%.@.F.t.WH..xI..Y.q_.. .U......p[p.B..JX]....}.@@.j..m.s4...........#....x..VG..L..".U.*.F......D=..WKP..y...\n.+....<F..%..3<..=.......Q.>.VD.n.l.....%..I.7...E.!.dR..2.DT....F..8.*.RL.p.....%{n.jJ6...y.'S^.SN...H]..(R..\/M.E..B.M....&.].gX.{E......v<.-5"....Wz{.2...........<..pT....b.u.?....t.J..%s....04.fI....4.D..b>S..d
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.862583751447157
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:5ps8sMOIthYmPrKE2yjtKb893+uy/qduPxSgja4KComHDpTY6pwrI:5Htuiaw9OtqdI5a8N9aU
                                                                                                              MD5:EB887B5D264F383FEB5875CA3805D1F9
                                                                                                              SHA1:623360F70B75E66FDEAEDF63CA6ABBB372FAB8E2
                                                                                                              SHA-256:BC3FAB62CBDA17EAA313B52801B814DF60526771EA6019054929C655188FA5D8
                                                                                                              SHA-512:35E8FD6DD708A311D0B3EF8526230B9666B89FBC682723BB8831BD0454DA4105227BD6554BD10D2250626F9163E957220F7A25A72DCA61A4AAA98EAD7E436B75
                                                                                                              Malicious:false
                                                                                                              Preview:....XH-...8.`Hu....GcL.W...#-X....6L.../H..=....O.9.......a.<...j..No6...(}Xw.-.f_E....s...T..uJ..J.w...lu.....6...-.+.d..qY..a..5..b.;x....4.0..C..m.W.|N..i..Gf.0&J.../tB.PR....3.t.`4.D...C.)..f..D.^RK(TX.[: ...........k.j.II8...N'e..7......_~N......N\-...=.|Ul....R.X.Y...*=^....:Z...=C..(....R.5.......i.,...l..Rk*...%bSr.$..nBVz...f...E.rO..X.z...ej.....:...7.>.o..s..)...6..W.3.(..2.F5Ck8...G..l.,.....d...HO6...G,hh......_....;+...U..d.L...O.b..4X{z........?L.G3.PTc.9.@4F...@....6......d..u.S#./.i...."....#.g....i.Ih.vNgEMvuL=...U.o..o..A....({....J....eDgE....o..K.l....1...E)M.}7T.........f`sh...........=...=..U.%.8..*.A/Yz<...O..s.3.....a...WM....Z){y......]..;0...O..q.D...S.u...My|........5S.R?.WEr.;.L5N...D...."......(i^.........n:...N....G:.$..?..D....|...s...H.h..ZZ.].|.`..j.....?A9e.'....A+......="....VW...C.D|........Lb .F`........z.,....YE4.......=....Z=...E.Wi.v..m...(..............S}.>Ph....".3.T...\.o../|.<>~......S&......O.
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.855554382442678
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:+fPyfIwVjCKfa1ZiKVmsJlnFF0w+hX6jgLGfpI:+n8fi1Z9ns/6jgLCa
                                                                                                              MD5:8ECB11C3F2CE7088AB072C9FD66582B9
                                                                                                              SHA1:6AFFA70788305771A66F0BB9F8782C26F60E7B25
                                                                                                              SHA-256:CF68408DE422CE5510FB5F503691B0728AB2616D421431484156C3A9B35C3090
                                                                                                              SHA-512:BD8432697D32AC63EFF9222B2A3CF1526E27D4806BEC4AED2CCEAB4FD16C6D9D2DD7276D926DAC0990BDA5D49A5EA445E823C146A3A630E84ED1A0855956E4C3
                                                                                                              Malicious:false
                                                                                                              Preview:.........~...a...B*..>+..d..........4.HR>...&9...+L.:.Y.JG.@...:.@-/...S......2..tCk...9..z...s.(y.M..:.~.....!Z..@...//._..3=..j.....9 m...)K\zkd3l..bx..q.....".......nno{p..0.~/..nA.lV.[...x.!.l.|l.i'f3.h.Q./.....f.C.4..m.b.[2....B.....t.N........k..q..R=..,/..a..........?.IT ...'6...)[. .U.TO.S...4.U!-...^......;..nAi...#..q..p.5b.K..8.~.....<U..X...,.NvnC_W...X.l?.+|....'..#0.S..4....i@.@ `A.y}....H......]...!...........2.6...?4[*.S..ydJ.#(.R/.TFn.(j...x.N........|...M.K[s..\/;.I...i.......\.~....5~6..)s...C0.L^.QSr...:v.#...HB....^...X..8...6....^.Sr....K...Z._A|....P.u...|...]K.z..ZU...E..5.OnfYVI...P.e3.8t....'..?$.W..3....gW.^;jQ.ij....A.....^...0...........'.,...>,N1.P..tmD.)).]7%PBo.<a...v.Q........o...O.]..q...?...<..4c.....U..AtA\.U./+p.b@..1.R=gV..jO{..30C........`~.%.Y.=.f9\MN..G.....%`+....5,'2L..`f.L...G...s..@4?{.":..{7......g....m.|...i.YL.k.E....E.hoYm.......L6.?......R+.]._&.(.,..,.......Q..&.....`.9.3x`.Q..'b..
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:OpenPGP Public Key
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.840292098794538
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:1bSSM6B3IlX0zNptU+NpHR35nRupqZu6HjBThI:1bS76B3Ilkhpq+HV5RupqZucjti
                                                                                                              MD5:7DB05B184ECC4ACD72CAD7783310C123
                                                                                                              SHA1:33F2B74EC98EAF4AB1ACFDACD107D19BC2D647E6
                                                                                                              SHA-256:22274FABE939B399E9CA613487492EB70F041CE41B0C192C7F5DDA78E3BF1986
                                                                                                              SHA-512:71A67BDBBA64972532BCF0C45C3F45256CF849A82F99B992AE8EB0AC9C0FE67DC0E040B789FE8C1121C9351B597CF3B218496C0E9C510681020CEC5B5C825296
                                                                                                              Malicious:false
                                                                                                              Preview:.Q6.;x0V..E.k..x.y......|.g5.7...............~...+..........c5.}..d.K.b;j....q.Y.xt.?......=....I/.8.......I<*......9!.OJ...\NC.e.k/r3q..".%@.V.<X.*.:3.CY.Rz..fu......x.z......b`...L.Lr.*..V......E....u..^.e"}...i...I.......G. z.r'`Ui'.._*.5t3W..X.~..u.`.......h..8.1...............l...;..........s+.e..~.A.q4i....|.W.mr."...........N0.%.7.....W< ....../+ ........[...)m._6jU.....1I.A.5...`.4~.~/X]....-E...N.P.... .Z..N>...ZM......gP4.;6....L....H....={..=.4..N..).......|....l...(HM.V.`..;....g..N.X)......{....."X."............9...p..w..)7..[.....d.....>..{F.....s.-..6P........K.X.e.6r...L....dL.86........U...,}.B?bJ....3T._.1.-y.=p.s/ZM....5P...[.Ix... .W..@ ...\C......zB3.=>....S...N....-|....2..E..2.......e...$i.......?.QP{!.G"|.6....*..J%..\%../...|.. .._.n.. ....;.5p.b..h.)#K..|+|)5....RUp..^.x..^.Q.. (B...X.6.....3Y.F..B.-.$mW..CWk..W.A.... .WB.o..9S....0.(..rP......"..{..n.0..`O...$.6.w.....^.A...kbJ....".bEc...f-i.....tP..7uUp.
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.851288458366987
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:rQFi0FskTuvhPPYSlf3P52ZX2ro6B+UsJ2p4oFaDkNwI:rQFEhP5lf3P5+X2rbfba6
                                                                                                              MD5:69C5BC8E3219104D50E44C918047F485
                                                                                                              SHA1:54368C59CEC6615E26956D43E2476CF33DFFE75F
                                                                                                              SHA-256:AD703CC514DE0B9F8F3FCF369B3C25B553D32CD9387B734E2D308A6AD3C049E6
                                                                                                              SHA-512:07CC1F350C83909084254B3BB8AE2B5446B2EF9ED7429F31C041F45A406A016CF98618DF86AB7F1E07B8822B47539D639B2DAE5BE32B3BFB1A6D27EC47976144
                                                                                                              Malicious:false
                                                                                                              Preview:!~-V#...6.}...yn..U.>\U.-C./.a....j...%-..=.</p+..7<iT.\.......C_..K...F..\...c.3C`..K.......W...~X..B.Tb*Yn.......%....{..0.]..G......U.B..:O..;.....C..&..N..?"l'D......#l...s5..."...ztJjk..$.x.u...2w{?ysc.i.N.;v.3~....=.@......._..|.N.j..+...>..Z?h=_/...:.`...hd..V.8TS.'[.7.h....c...&7..6.5.p$..8(bT.D......__..A...M..I....j.6T`..]...]...s]..E.Id Bj.......9....{....(.Q.k,.b...C..~*..\.i~.Gnq...k..V.....7..dx.e.Lh.@.~.... b...J......WuK.s...8..v".D.lu...]?...f..^~...*4....}.y5.T.Q.$.....u..M.Uv|.........<...~.sSf.Z.N.......yK&vd......~.g..l.=..o....W#0t.C....P[W..Y...%..S.i.}W.e. .3.|.6=B.T....i....<.=..&.Xpj .r...^..i$..K.re.Y|v...u..U.....!..z|.|.B..N.r....2f...L......Pa\.n.../..i .D.xw...J5...z..Gj..."5....z.a).I.T./.......Wg=..L.X...FYo&.......o>.+../s.L.R.Xe}H.....)aD_..,U'UZ..\.zD...O..E.s7/.s.H..kmt".s..{.hv........(.q.1...]z;..O("..>k.......;C.=Lz.S.z......z.d.z.:S.W..*d..c.sC..G.e.Br.....~S"ndL..E.^~...D1.sR.< [.L...l_7......-.....
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.842617630410724
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:AEwbYpEcRfaA64lJwawC8r1V7b4Fgumq8gVs3CYK1jJE1CEcOn3XI:AEwIoA6faGpx4PmKVoCR1u1CEv34
                                                                                                              MD5:464D764335F7AC70920CAA9C41705E34
                                                                                                              SHA1:3EC55EB1B6EDB863BC99C32894A0B5973EAD48B1
                                                                                                              SHA-256:DB0B1DDA657FDF9E647699A4D10E3C134F94A590A93388E0A480DC87F419F425
                                                                                                              SHA-512:0EC586941EC9CE8D03C1B22690A356BBDB32FD96B70EDC23739B305E431B794BA31A1C6BEAACDC93B28E0FDFB25CBE043485ED5F45891E683D370139E38115D2
                                                                                                              Malicious:false
                                                                                                              Preview:..j0 .......[.v.9(..tW.W.&z.h..#]]..|..};G^.....b.....d?..A..N..N.x.....$B.}......$`.Xt.......D+..e.FWr./.../xh...}......}....8.f.....X.D.:z!.........[...Aj2r.K.CAuHD....y......FC.EIN..Gv.S..$.N..i..h..5?.h-.A......oY....u..ESu..ah"L.F.RK/...).3.+..x-&......E.d. ,..iC.S.7l.b..;O]..b..s;ED......~...y2..C..J..E.d.....:\.w.d....7i.Sy.......Z2..k.SG~...#...?jz...s......s......M.."..V........%.\.^:[_.R....h)7..:.h..|..u....F.b.[..'cFD..s.h&.6...w.|[...R.k..v ....2....b.%g........K.X.x....l...[.'..Z....J..i#6..Y.x........W,.UU.i..7.r1.zW..{...l../....8.4n.....jc..\!.Y*......kc.t.....^.7o..g{..:p...2..z......N..0..V........"._.^8DTpR......m;5..'.s..k..u....I.q.O..7k\K..a.y#./...`.kE...L..k..g,....;......"~..=....._.B.u.'.....G...?..x....i...en..k."`....p.&0.....^......T.'Ct..*..t..../f......^.l...5Qy...A.s.....v.:.......4.!8$...#!fi..t.z.eV ...z..k..7.O.V..Zo.#....u7...;..p..(.k..[..M.>.5..U.3.. .L...g*..(........@>..R..K.;.t...
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.812227286692493
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:j2JoRdg6YHH++qSQ5KvmV2gUhqxDum2odbI6QWBArQvirh+ThwArUc03I:j2Jo3sHehS7vdQum5dbIsnvG6hwAoS
                                                                                                              MD5:FC01EE971CF4D75089A7F15CF3266E18
                                                                                                              SHA1:5E3EA90660F884CD335B3D14D408D8A8B96D09A9
                                                                                                              SHA-256:C1C2F1749CD1520AC09537B73DAE63359C84A7D86212FAFD2BE77C5DC946F3AF
                                                                                                              SHA-512:DBCCC73130E0512452EDAA466024CF3CA5A4500BE8B873383C31826D533443AC66F7572302922A3BFEEDC06E3B02B872F1AC86A0A3508B71F7DA307C487A6543
                                                                                                              Malicious:false
                                                                                                              Preview:.O.7....f..2...4..$.9p2M[5.j_3.....S....*.,\Q.n7.t.>b\.{...4A.LSK6a=....."RZ....ia..w..HT..o.]..y.i5....%....7g.=..W'...p9.da...Q.yu....-._Nc].|..P`R.B.......5.pB.bkP.7NOi.......4.B .#...F<..:.....ymK.6.E6...S..M..iK..^J......S'....=?....rL..u.].?....a..7.3.9.?,.,l&BR;.rG .....V....,.>WC.{5.j.#eP.s...&L.\C\.`;......7_E....q...d..SC..f.L..~.j'....9.v..5x.&.uW6..jd2.qc.a.9..)I#...C..2..8:..q...l.....jf\C......d....".F....ER..v....=>...T....._.~.2.V#-Fb!.20.N..H..!5...V..T..r......G.>..........V.M.N9?...IO.;..5yv,..8S|.0..6..zpD..6.a.......+....md...!....L0%A.<...6.}...G....$.r!dG.Z+..^...z......H.l.,F..wwv..c.-..7F(i..O.."..&"..k...i.....vyZ^.....d....:.T....MG..c....&*...]...K.|.:.K98Dd9.:2.R..W..-8....T..U..q......J.9........u^.*a.......:...f."&..^....G.u.}.f%....TT...m.*.x.I.pe/:..7K..$.:.vl.H.B.j.D..F..!.".I.N..6~._....,8.H.&Xp....=N.M..T ...Z..|..^W.._..X..-w.Q.[.O3i?...u...2.?..c.4...?8......!.E.v... ..^.w.....Y.=];.OW;............w
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.817788148551242
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:wnlkRfmk6SwJgHT7kmDB2ovJmO9UIKFJKcYstMOu33FciCvihxfH0+R8xTI:wnpbSwJgHT732wmQWJZYsnu33Gz6nP/P
                                                                                                              MD5:5DAA8B77C241DFC2CEEEF1CF10A14E55
                                                                                                              SHA1:E0494E2410FC9EF9396E9084A5E48BA3CDE782A5
                                                                                                              SHA-256:A7FF9E338CC851C800259B30165E74EA623B82DF9224B919D1313C2DCB75AEFA
                                                                                                              SHA-512:7B92812A8CEC0E5C99C34351493F9507B995700ED1B83773C5EB551B3B834C4A06BCB4564AF9E8F81C1E0F4299043B27C4545DA5E24137EF02C1BEE03AE727C2
                                                                                                              Malicious:false
                                                                                                              Preview:..f.<.:.VZ.......v..............K..D..`.+#....V......D.8.J..xYU..<..Hz......B....i.u....7.K.31b.(..8.E../.......T...v..y..........#...o.TS...2y. E..x...xii..o.[..Z.0.......<8~/x.].42<.S......O...RjH,L...pS...,...D.e.."....2.,[...*..|./...H..(..M..|."...Q].....~...............M..A..v.-5.t..C......L.;.X..hIB..:..T~......K....z.{....>.Z",6g.:..:.B.. .......E...b..l...O.].!b.].(..k.'......>....u.?Ec.$..0.....yM.`..-.^..032S...._..B.9.9.Q..!h'D,.Er..`S.......^..I.).x."..es..%....`.97&W..]...z.E..v...@*L|..F.;Z.]f.@.>.......vFM.....i9...N..2L...OD.....c.g......i\1..f........~I+..j..}-..<VH..f.\k..Lyk.<.;..\.N.?m.K.*..i.,......$....u..H|.;../.....{U.k..(..V..%1+U....K..X.*.3.Y..#t/S!._g..xL.......K..X.;.y.#..fb.+%....g..'8.e....q....c.V...,..dR...uyW./..q$..*.L..A..FZ.`..2..ynA<..'..M.......!^Z..;...."....R........".9q.....m.#..3.......w.5=i..4..<k..YBX.x..h.I..E..f.....O..$`!..W...!mc....X.9R.U".AH;.Z.z./[.D....u....hM.Q.p$.t...#.y.w..}`8
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.839622914214949
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:E92JxdxWdn6hBwewvYbdX75avi6JF2w5ecIyr8zsGux7uZJAUCQkiI:ndYn6hBwewvi7Aq6JFr5ecIyrxGHzcQq
                                                                                                              MD5:14AE3C7520A676F83B865042EBF27058
                                                                                                              SHA1:60D899FBCACC6FB35790FC7E0229156723F0D4B3
                                                                                                              SHA-256:B56638B362C40C7A6CDFB92AF3AA1ABEF253F3369BB131E7348363CEDB174D33
                                                                                                              SHA-512:7901A393B4F757F7382DDEA1AE6FD6A15E1D23270048D1438D1157342E882955BF372BB35BA7404502782CE298266E515848E39F540765744EC72DFC27EE00D5
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.835739940143225
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:NHJJnYcHnDq4KGbI50lBM5V4BnhjfXoEEyd3l9zwasUcEe5uGHG2LKGrI:pTzHnDOj5KzXZEWlaasUXe5uGHH2p
                                                                                                              MD5:C1691E82EE1032F0416139FE5A0E79A7
                                                                                                              SHA1:EAEBDF3C7AFA382BE7986CF392905216E7B62043
                                                                                                              SHA-256:97A0F81142B453A54012CD1A1D12138416A239EA45E0270B920AD47CCA851E18
                                                                                                              SHA-512:A84A001EC4FF3C03DC928D2CA830ED1C9075AF994029D7FB9E96929122C3DED3FB74E9687316DD46B49C96A901BB90F2646012F516FB5B1BD163E94E77EEB266
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1267
                                                                                                              Entropy (8bit):7.852695202266791
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:Mme6TU4B3i8H/YjBtbMrbMJlKJ95RF8jM3CA/bM7lq3jIG1f10I:dLTH1i6CMroJluvF8jM3CyA43jD7x
                                                                                                              MD5:D71EF6A57734882DA3FEC3024669FEB1
                                                                                                              SHA1:30A925EFCCD9198689CE16A884916B4CA5BFA0B2
                                                                                                              SHA-256:03D5B5CAE22433768118E0E43F6BB7FBCBFAF739696933F5CE4D289B583D035B
                                                                                                              SHA-512:6E95C909BDAFEEF309D905BB36DC8C040E52C83311A134F170237451597BB2D192A5668D8E4186B63BB74C6B05A501DF1BB9404CF40B6593C7327FF50402082E
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.872502677969505
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:n3jHszlsvth6nM2A66x8/nvwJ1Z0Ha3JriT11TdUPR+ulE2I:THszWvtMM66x8PvKpiR1TdUPlEr
                                                                                                              MD5:ABED633373CD18C0483A58349721032A
                                                                                                              SHA1:3F2F350D6F9C590E5681178EDCE742F5332FBBC5
                                                                                                              SHA-256:54B3F34BACB80B4E79C8A701533D2846006CD22AA5910D29D93C1DED7DDE24CF
                                                                                                              SHA-512:4FA7332E92D92398645B0EAAFB7063A20FD0004584F3BEC6262152616CD001B168D441DF00A936365FBE223C9788E86D4F11700C224C0C2B5C9A5708BE329F8A
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.840474930576456
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:Mn7/3oCVfG8cOIxqW1OxhXbjRGwtoAXlvLsPAtfnUI:M7QCV+0UqNxhXbIk1lzKAtfR
                                                                                                              MD5:83DBD3B5C581BF8BC7D07A91FFD07378
                                                                                                              SHA1:0C0C422D6F75F93662771ED07BBC2BCAF80F383B
                                                                                                              SHA-256:39651749AE94E115EB2A9FBA4C54058A92D25C163CE811636CCFD39703FE7F89
                                                                                                              SHA-512:63EC67BF3FAF86F526965FD6B3EB058F6F187D137C13034FA154A9FBC55F56848ECC29FD83CF10ECDCBA7CE087E1D4DF8A7FEDE4D207ACA72CB4AE6B4B0DF23E
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.842234629324963
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:strmpFYsMuUeDkfG5hnQPmf3RwrIsUQpjNiqLAnveq1pwceCnI:strmpSsxUeDblfM1NF0nWq1p5lI
                                                                                                              MD5:75231DF6602668580775EAC0FFDF5917
                                                                                                              SHA1:E731462BEAFEEC64F02C7925B1A0DE914196B470
                                                                                                              SHA-256:1BC420835170ED41D29A2ECC26CF42B4B105E9032C780963A8B444F85A121219
                                                                                                              SHA-512:AF5740F9DA297A7C760EEE73F3A1F4CDC60AD5C3172D596650DD5B78C7E4036E589D7A7A86A0774D5D55A8E9E6AE48252405D9F8992F29DC322B716C83070729
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.8321419421884
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:bUwnTLpmDLfHUuAqbq//1vtLbf8dpD2FQqYCXjsDC3ryL1GUT9cl+0rrI:bUyT4fTAqu//dl6RXcIG+t+rU
                                                                                                              MD5:538B1E1D7CA2E50ECF47DA4CA6B4EAB3
                                                                                                              SHA1:A5660A6C4C975C48D7B4B437A61DA0561916E61D
                                                                                                              SHA-256:77872CE2ED0603A59BB74EB4CA7A352A52A29B4CCB6694961355C93B6DDFFD8B
                                                                                                              SHA-512:25AF8B8BFED9937075B153C5CE1794643B9E6D8CF9F344E00B61269C5B22E1000EA83C1B8CBE9EA68354982B96A2F187B38C1D695D5CB08E63E8139A02983F07
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:SoftQuad DESC or font file binary
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.8563270347473075
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:3HMOddZR+DdEkYvv/UhtleVJo1X26bQPsk8Zsr6RFuCM9I:3ljEdaPUhtleLop+Pn+dM2
                                                                                                              MD5:CBA9B0AEDCCA24596DC71ABC56DC8901
                                                                                                              SHA1:CD8C39919FDA4A9132808B7B440B185E8C0981A0
                                                                                                              SHA-256:50D4649BEFABA4085F62AAC8A55631270B0C3197CC82E2FA2EBEDC8510E2F42D
                                                                                                              SHA-512:809EC60E7F97EBA414C4A8FCC36E3EC605D15470D60480D4FEB2A797EE65BF5A45654B8BE17F493CCDB22673815045608C6A20E4D3349ED6526D185AB2332FB1
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.84975845229588
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:gVFn+jysDoCbtZ/lOIcmK+DRUFUKC1FaNnq+e0nYmpOur8o9I:KFn+D8etJlOIcmKOUFU56LxnYmbr8o2
                                                                                                              MD5:DBE45ECE31BE5E0F4299140D15A90E46
                                                                                                              SHA1:666F7F7EDB1B4E9CA325A0CFC5BBA5F081C98D4B
                                                                                                              SHA-256:7BC04417E8DF618CDDD4972EDA42386F3D8A6F43E59E191BFB131D6A46361B29
                                                                                                              SHA-512:A6A98CD3E6F9E49B8AE2B0509E3A7D6D0B5E5DE833181693081D835CBC30C9879CC599671581645EC2D5A10C52DF7731409177F51F1D9BDF5902BC967F7C2C30
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1273
                                                                                                              Entropy (8bit):7.82410790882211
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:jbCUwXvPjrLyU86eeWSc5U3R8YtECVlD43vZ+sgXcXkhMaI:jtwXvbrLnvWSc5nlBscXBn
                                                                                                              MD5:B783482DF8E67BAAC1CC16F3141A8635
                                                                                                              SHA1:D15D02AC26EADEFB68ECBA4D8C50E8403DC3D31F
                                                                                                              SHA-256:59ADF89FD549E27DE05D97A2878ECBD8F7063BA776E635564D7F321288341A73
                                                                                                              SHA-512:A18404BCFA8FBEB94CCD69D14E58CFCA0F7B765E837692CC282DA97DF5A677FA85B001869008E0F02751914FCE615546E76842C1CCD28F336A42E0963031B006
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.8617864273908795
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:X+bq87sDd4SRQX/nLSGg5f4j5XM1NlJJsy4UIGm3emWc8hc9LJI:X+bq84DdZqn7gRu8OUIwFc8EL6
                                                                                                              MD5:78383E53578A23657D879290C1375395
                                                                                                              SHA1:1388324E3E56744A6DD5DB590B3E894967ABC73A
                                                                                                              SHA-256:96E82A93C0C9C279911989F4372673AE04FA2B6DE2491767601681928B27FFF6
                                                                                                              SHA-512:F7DAC204416E7AB737CC0672EF525EEBECF47B7C5E640BFB4443932DEAD8E0282A5712C8485F8C725E96C9493F30F5069F8955F3FEA10258C6A61822A4F4E101
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.859827765268745
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:BnGrRA93SyxA9i/UzdKq1HIKMcOwYS4FUHdkjmfVEI:FGe9OWUIq1HGwYS4FKOmdB
                                                                                                              MD5:99713CF6FE2030905F81EDD53C9B988A
                                                                                                              SHA1:F64185CC52F698A13FBCC185C215ADBC71C8AD52
                                                                                                              SHA-256:2513D374FF78C3C5643DC7AB0D4CF92EA004543E99D675BDA56494D028D65B7A
                                                                                                              SHA-512:9C445026A5D9CC3DD103B21FEB170037BB8506A74D9ACD8ECB0B3053F75E85D6E2AD8734EC5C2518BE23D12F96A043A1AB5E9F31703D5EAF8E401E25EE852B44
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.85632757415032
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:oUgRWALVOZR9DoO0l0qPyuY2aNV1/T/WYBsgMfrpOZdTHjmdedzaI:o5RWALs79DoOQP5Y2aNVRT/qJj8dzjCq
                                                                                                              MD5:36FA3CC461DE2DAF03EC1760176119FB
                                                                                                              SHA1:746E31CB8193A02298615C7969246B7F47233E59
                                                                                                              SHA-256:7A41C90434C83B943F5B7C8966C241DC9B7E64EDE03432CFAF356A221DF5EAB5
                                                                                                              SHA-512:1BEC73DF2585A87215D61E4AC0AA78EFC7F1003AAF956B370B1EE9E6A8E26507F8F0997C99C39AEB07F291DEF402F83920038E8071F22C5B7A2CA9B36A63569A
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.816806181240087
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:/h9vkvlTcmalaeiPqNyZ7DFL9FcZFWjnrNGfE5joZLN5JWvDMbJKPI:/rsdAn0hqNyZ7DFLoiQ1pNPWr+
                                                                                                              MD5:F5F8D5EE73A9B5D5AC7B8908E296B637
                                                                                                              SHA1:8966680B36FB8FF36E6F494A0ED728DD4AE4FFA6
                                                                                                              SHA-256:4C042BF60716390B0586EC356DFA454A5B4ADE963E4EEB0B587AA703600A0D82
                                                                                                              SHA-512:502FCB68BF86D35453057C5E84856B1C5FB1CE7A5D90D975C51130322866EA40B72A7C646FC74DB166B654BFC972748A0A3B7201C86CF8CA2881F1A48E22FF50
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1275
                                                                                                              Entropy (8bit):7.840241451566632
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:t2JyAtIbGniKxBp/uy6qIgWrcxTp5Asq5zC6R6bWu8BTvdbDXGJfLAd5I:cYmIbqB1uyrIhgx/7qQ6Rp1vdbDXGRLp
                                                                                                              MD5:6F85B26770851D41A1F3C64D64B5F106
                                                                                                              SHA1:907B7E361A3F9E3B70F38CB631E4E6AEB9105851
                                                                                                              SHA-256:8C11D416FE68B2011A630FF51A9714DE1B4E06B5FB24879275AB5BBA82EB77FE
                                                                                                              SHA-512:921318C5D8A41075A6E79DC8026C6BC162F6B429C1117D26A15FDF521722886946E01846DFA6B4B51A354E623E2791F15AFC74555AAD89FF262522EBAE8345F8
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1273
                                                                                                              Entropy (8bit):7.8531573716101555
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:chLKTjjLe1dKwvEspivX9tfVWKWBYWRlswl00mTZZPVL5XgI:TTLi4wvEs8D9pWBYalHUTXPvXF
                                                                                                              MD5:78D0820CF6C4A83221E22091D547EFCB
                                                                                                              SHA1:17900AE131FDBF9A7ADF5B1AEFC14E5F7A211BF4
                                                                                                              SHA-256:1AA3C317CB28FA905362FCD680BCAC0A8114A8A5DC356F430CF4F1B4E11B70FE
                                                                                                              SHA-512:5B56004F3C9FA9BEE4F4733669AEBE358D81BC676A43C6C17BBD3ACA517271B89DE3E2D1529340DC4F5A6AA708D8F6F0BF220C60F4F38B8F7BB7E7E2C772C927
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1267
                                                                                                              Entropy (8bit):7.85262473957996
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:HCto8CJlz9dLMiMn7/cnMr7b3sVFcwVbzyUPXjjLcI:HCtUzy7/cnMr33sb/fXjjLJ
                                                                                                              MD5:E96ADB92BFA4B10C418C4EAD035903C1
                                                                                                              SHA1:F566044381C0F3D1AE049E4973D21AC714922810
                                                                                                              SHA-256:CAAE770BAE336245FC2A0F0DA87A9882DADEF51674B2F8E72A783CCDD9A244FF
                                                                                                              SHA-512:C6013DBDAA928199A71AEAED2752C76403C5917F39C1347EEA4F5120189C2966BD289C8A10F85B95CE68BF5D4C26193971D78EDA285F33B9B07307B13EEDCF73
                                                                                                              Malicious:false
                                                                                                              Preview:.W../'..t.E]..z..A..1k....?.~7h..w....oy..5.... ...A.V....n..x...'A...@.3...'m.TF9..NQ.e..n.U]..#...].p.I*......D;..9..K.u.O..3.p..;~s...Y4$.n.........zr.m..p...!..~j#....r10.....|u........ .N........YT~*.Q......7.+.V.>...*E.U.o..Z.....W..c\..]..??..a.NH..|..^..0e....-.i#e..e....li..0....2...Y.H....g..p...4_...U.$....t.OE8..PL.c..o.Q@..9...^.|.H%......A-..0..H.mv|...#.....4.^#.)5Lfn..fr..Ve.)>.G..r...,$......`..F..S.......{.D.x.kZe..?.Db....rs...L5........T.O....!aR....U...K.~$..5..N...65>.n..xCd.....~..W.]+(l....^.G.......R....7$...`.?{\.....eJ..w...a..y..PK...&.f...ZE..6e......0.k~..)r$.+.X3ivk...<.....!.N'.#7Whq.yur..R..?".I..n...4&......v..W..I.......t.D...`Zl..*.Wl....rv...M4.........O..B....+aG....X...[.h.@...U.QI#.g..gH.K...G."....F(.J..uGT..O..........k......#2m@.....:x.. .N.*..T....y....n.x.,.nT1.U.J.=...p.g..tR$a.&...|..W$.~b...>.......~8.%#.n.2.,.`.,)K.qT>...*.;.+...w8`..{..o..\.[...0..|(.v..J....,.$.Z.Y...........
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.844236970824044
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:D16L/93QFUMat8v6LBkFV/LkCBEwNJLkq5GcejtXJL4PI:569QJQCIcLJlkig
                                                                                                              MD5:7BD587461D8D1B21F929828943F48679
                                                                                                              SHA1:2C7E0C04DA5FF660F1E2AADEDC57A295BB71A91A
                                                                                                              SHA-256:E2B6D33D40181AE37F161994E14312A51D4DA6325C9DF33DC29A9A89D2702FB8
                                                                                                              SHA-512:79FB4789AF8BA37D9758D544775D6F9B6826EAA1D4F9B521E3CE003D325D5F89A9D768CEF355B04BFB0689F01178E351C1EC8B0DCBEDC391AED83FAFECA5EBD5
                                                                                                              Malicious:false
                                                                                                              Preview:Q.........{xO.....W1......].7v./..aeE.m.a.D..Q8..R........z.[....A..T....Js.f.(.#.."..U...?C..E. D...`.%.G.......+e.q.|.|e...G.....ny..\0.U....(.q.....0C,|.3/.Y..{&..>."..g.`^p3t.v."&.:.p.5.t. .4'...!=....{..Cs..a....D=.SZm#gG.......9b...S.l..G].........ktT.....J1......A.2z.5..ezZ.u.l.X..B:..S.......w.W....U...H....^i.t.5.!..!..H...3A..B.1K...j.?.O.......-t.l.m.v~....1.../.....{[......X.....o...E0.L<c3.p.I.V....4.aEa...r...X._p..x`...[...M.......u..4..[.....s*..........8...........y|.pI.-l.]..M:h..-.M.w..l&)....sG...........!.G..OI..o......`3p....W..5F.n..V&E.K..?..k1..}iJXk.......~..o......j..Z.#...|.9j......-...>.....qU......I.....`...I&.C$u1.}.@.L>...+..\l...|...M.Bo..yw...A...S.......h..7..N.....n<..........;...........of.zS..r....Y....O.d.l%.5m....W..N...M........#..Z...A..*..z.B..y..|...x...UE..P$.1.....b..SM...!8....T.>?n./{X.Z.....u<`..S..0...~4..M.1 ......8.5-:R....;...}.#...#6..D.)/.W...2d.U.#.1....50....+.A....m...X.K..*...:V.>....6...
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.842759666981506
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:CqarhQxwCmzyZ/b84fPz9NHtza/hVvO13ZcnhKjGqI:PqQ+CGyZ//fzNzai13Zc8G3
                                                                                                              MD5:5781BE9A1FB0B8A68A5186EA83FEEB2A
                                                                                                              SHA1:2ED01FFF3748CA1105B400788FCDB1169A7831A1
                                                                                                              SHA-256:B78DA10126CB720D3D292EFCDE0542351924BA1A03F26E322B84045166FEF837
                                                                                                              SHA-512:70EBBC825EB275E0D2DF0879BACEB04C1B9628FC7714E658D85E260D9E0E68FDB2A5DD57F9440E9230FEB7E7BCEA18CBB0E9F355ED593F5D83DF571A07DE2899
                                                                                                              Malicious:false
                                                                                                              Preview:@.D+.^.u...}..5.k.n.........2..ti.[..f...re6...<^l.5...(..Mn....7........QW.s..".).(..2.EA.C5-v.f.;.c.]K.8]=H.@h....s...E........`X.0..0..%....w&...y..Dj..($...q<.#y.f].B@.4.D`.];&..Z....`o..6y...]U..F...:..6G.l9..7...P........\]>..yP].54..@.X,.O.y...`.. .l.t..........*..rj.^..j...ml-....Ft.!...4..G{....)........^T.|.&./.<..,.\O.L3=e.p.$.|.@F.;Y9F.^h....p......e...$|'.I..N...@...3"...Y..i.6...K2.(.Z.(..m...]_....3.#.a./.+.B......Cb.{..`.J.B.%...Y..[2D..8..u........v.....d..CY......`.....N.H.c...........H?N5B.7....i.*...E%~..\8...p.....YU.{..v.....M..f..5.T.0....Lh.Y-^.....=o...37Cs!...el.......X...k...>a).E..^..H..k;%...E..m.9...B<.%.X.<..x...AY....$.).i.#.5..Q......]..|..h.W._.:..._..X'T....3..k........y.-...n..^E.6..5.J,.....E..3...7BF.G....I`^.Y}qX|.7...Q}...a<.!-l,.._.p?..~....<..KK.T....f..D..?q..Zu......S7..l.^+..G..{...S..'`u.).......T.1g.....L.J.h.............}.....xE..m[5.P$.A8.A. e.(.h.........o.2j....,S.U2xk....S.@.8.D.../{[
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1275
                                                                                                              Entropy (8bit):7.849054314349689
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:nI67Nz6+k0nrzmTSC/uJ6c+uOxOM8agyOVm0pcgFmyvU0D57DAQX0xdI:7Nz6+k+MD/46cSv8FawvUU77Xf
                                                                                                              MD5:B31949E070C1AEE409A73CDA38DC044B
                                                                                                              SHA1:D50896CB13C69880CF7D17D3446BE26A77E4A7B3
                                                                                                              SHA-256:B710DA3263ABD5A31EC656E0EEB03E944329DD98D5160ADB77F55C4D779DB268
                                                                                                              SHA-512:EFD135BD38EC1AA2A4335C04743B75E96E4F264FC87735C4B1977D3AFDB7D1F2D8F03FE60F7F393F4F5E13383F992CDBF526D47E0DF265FF9E765586369DC160
                                                                                                              Malicious:false
                                                                                                              Preview:d.s{.....h[.[it.b...b.F%C...S....e....g~}...."2.;...Q...3q......"<:lr^L$.....y51r..y..X:.n.i..X...YT..r.R6..0u....#E.9.t...]..1.....=m./Y...Y..h.'.YT...."N...H...)..a..K........F...{f5.4....t.=........f..!Cv>4...z.`6...v.......k}...q.hq.O.s.xz.....jH.Fqi.d...l.N8H...B......d....bec....*%.'...C...<`....-'9kjIZ*.....x, l..c..]1.n.l.._...ZA..f.N#..1n....>F.2.p....v.P.Kw.s.L..4.,..t0.4Ux.......NP.....j..Ee=.I..+...k....@_6.B..k.M......<5q6.........N.p..U.#..|y0..s..Z..*HM..I..3.....X.@x..G..+P0...J../%.[....%6..@.jX..^..QR.R...F...sS..h.....j..R.g..bY.L."..L.24>....J.$.D....&v[...-..8....r}...Vo.m..d.<..$(..k.J._k.z.J..6.0..b#.,D~.......M_.....o..Dp*.T..3........XN;.V....O.....+$#i6.........P.b..[.5...tk6..h..F..?PI..\..-.....A.O........) oJ.y^..3-.g/...:}..@.z.;c.r.z.yB..QZy..I.;...].H.S...P...#..T)f,!9.a.;..-.X..B.B_wQ\...z...K.*........o~l.....A..D.8S....H....]...|...D8......%...CA<.B)n...T9...:~...)~..]u..dG..`.....S..Pu3 ..s....l.^.K.J....T+.l
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1271
                                                                                                              Entropy (8bit):7.849843393069946
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:f3kfsR5K93Z/XqTteftN9rqj80/AFKErb+IDuAjIsI:f3kfZpXqTteVrP0xeCIpkZ
                                                                                                              MD5:AF3F28C06E8572D2FBCAA18F249137CA
                                                                                                              SHA1:8BA0E104C0E65D09BF10857A5A28488EB3C764E5
                                                                                                              SHA-256:DED28C0D002CE5BBE959363064B903EFD0ACA077BF6A87D4FD9DA10E56BFAE4A
                                                                                                              SHA-512:5E960538E00A58FBEBD3223947ACC03D7361028D98B61F1FD68E4A06B32D07A809B42CEFC8FDF9C6C1A37BB81ACDB760AB341F7A927B64A3CC863965A67FB1CD
                                                                                                              Malicious:false
                                                                                                              Preview:75.EN..:.... C.>.....%.SI_5v.g..........=..a(.-.up.c.$|....|y.?".1.U.d<...32..$......+...B,~-.tD..7...E.....C.Q5e....Gvy..I...4.c*.a..lM"..Nvo.....B..8..@F.HkA...yl.m$.._..rb...6.....\....&o...g..4.j.Ej&v.$.8...!&.w...8.H}^[0..q'?..g{V.p+...X....G.x,#.XH..%....>C.>....1.WBN#l.`..........=..i7.2.zl.s.0a....~d.;".;.N.e ...-,.?......:...W9m'.qZ..#...U.....V.J%w....I~o..N...#..M.j>0p..Y.Z6.eM....n*".g..YQ.9.?p...&.m........5A.:!....9.73...G....h..5..v..>..H .m......iB........"......S.#.1d...}...oM#P..9#[`.;.....+..]Vt....{n.....6.......>`J(Sm.)..;..U....Dz...*...>..Kj...y-.X....I.}..C:...A(..O....J^...F.....'..H.}=-x..C._#.iF....f)..e...YK.#.!r...9.h........0O.5'...4.';...J....}..-..h..=..V9.m....sS........%......B.$.8i.,.....q..`...8..O.jfqoR?...!-.Z.G...e.l..|`.|..+..3x...........=..._A..v...`..Lwn......mP....}...}..o.E..x~qI.d/.okS.".Gi.*T...h...T+$r.."g{.`.?J.=~.E..!.C...B3w...*...............zY...y..A.``A....7.6SRY.H.....?-*..-..
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.836582354580099
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:WPs46Fp+V1/EK74VCiSBEYyWm/nFQrJ9nD7R+XyxbrI:WPs3pQz4IijWm/nKrJ970CBU
                                                                                                              MD5:FD3EC76A179E3C300FE6BDF78D4A55EF
                                                                                                              SHA1:337C97E30F5C02DF6AB9120BCE3B00887DA3355A
                                                                                                              SHA-256:3FA72D02DE7DDA588B7433C5EC4EF7ABE57FD83CEAC66B7F9A03F31BD366AD0A
                                                                                                              SHA-512:085D092DB0E51C62FEFBD7F59B8DC67A3EFDDA3A57DE97425EE4E62B00C6C42311020F5B3AC9D579AB44FCA56155FFBAF0453020A4B18CF6FF6C9F7C379C8AD0
                                                                                                              Malicious:false
                                                                                                              Preview:.X.*%17.k..#7.x...hP.._..,.)]fv..L....<#....?.z..E.....8b.v.Pov..q*.s.}.$.E1~m.tq_..,..$..?~...~...g..R.o.g.&...ZS..^....6.|..-}...... .A..77........#..4....wh.@w...m...x....:;.-....'....p.A.. .[.,...9?.....J..F....2....{.. @[.DF0...`..k.].<,3%.a..$,.j...jA..A..*.1Kzn..X7...+;....(....E.....*p.c..I.m..u-.j.~.4.I"wj.upX..3..$..#g....}...q..Q.k.m.=...F[..K...N.|.cJ.v8.]4]...8]|... .BA{..7..b...1.R~.F[}.......n..gO.Ov........CM&_f....l.m.m.....#.F...a...m.*...a.:.0..E.S.b.....3...=R.....M...G. e.iS...P.M..k..x.Q>.....C..J."....H..E..h.]o..nD...T.i.@/..Q...>.JI..yM....+..'.O.....t...p.M*..R.M.7..V.d.hD.c/.S,@...,Xz...(.JPk..;..y...$.Mi.AFg.......r..iB.Za..........GJ8Ui....w.|.i.....7.C...f...n. ...m.:.&..W.P.|.....:..J.+..8.R.....o..%.n........2....d...S.}$..W;...v3O}.D..^.Q(^D..<.;..m.n.:.x~.U.z.~.tp.(^_....+e%n+......!j.s....z.......j.L0w!.....*.#..J.t....!.6.O.U.....(.,...*0@.g.. .y...........M.'..J..4.+.......#F.5....,.-e....
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:true
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.85945249246757
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:9G04SUKBHHmSr/rYq6mTNUpaH4HRO2+DUazVAiSUFsI:GgwqDpkaHoROflVAhUFZ
                                                                                                              MD5:11F0E67C736C4B732A39BF8B42C719F6
                                                                                                              SHA1:4A8A6C5A74868838D610460DD4333FC5EFF0E049
                                                                                                              SHA-256:6080D46CC50A773A8EAC95C7BB0566D977831D156CB6A370889775ED88783025
                                                                                                              SHA-512:045E216E4AF3453A91A96600F11432CF081897AA9A752038889C2E89CD46B256541B237F94E6AF3E1CF65E5C853A295B96E2F57C0B43B8234A55FC65802610CE
                                                                                                              Malicious:false
                                                                                                              Preview:+..Z.q....".^.bo.gx..7... M.k...O\...vj.6^46p9>[..p=.,h......hR.?.Q...%PW..!=RH ..O.*.3.......M....<...(:0.6..b...Ga<......G........R.#.lc.1Y...."e.....sJ. ....!..y..UL..$Z,L9#....T .|Kg.l..]<}..-nw...Zi..R...^k@......%...k........D..zL....W..j0...\.e....0.^.bv.kk..6...:G.u...U\...md.4D<){&9T..`(.1u......lR.5.M... NI..:7_R2..^.'.&.......[....,...?6%.-..p...I}2.........V=....aF..Go...#.t.M.G....4...@K_:.+Ed...W.*X{. K...jJ%.W7..V...A.....bG.".0T..>....5`..%.Z.b..G._.];.p...........f........L...*.&.Pn..$F..Fg.O.L..A=./..Q.....U^..<w.Gt..|..1e3..+@"....t8.r.....rr.T9&.f|?h.1!......M...eJ...(......N...3......Y8....s@..Xc...2.|.A.E........^IZ(.7Zy...Y.)[{.%E..yW;..^'..Y...P...w_.7..O..-....5n..).D.s..G.E.L5.g...........a.....9..a@lA...'?.w3C.......s.....6..xO..G...qS`....as.T..z.W...;..ec....+'IJ...b.&.I.|..f.N.,ru?..v..Z..e.1....=Qt.f..4..X~w...D...I<G).D..q....&Da.]..n..[l..w..._+.6...Ja.#..qi.eP....jf.2.C.@.9c=..........S.S7.^H..J..j.....
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.8424480395203116
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:xgrzOfut/L9tbnqakUaOO7iaclwOTPDmUMB0vNEyXqS3B2xb+2I:xmOfYTOaNpllHTPDm9mXbG+
                                                                                                              MD5:0121489A3A6F463AFAE2B31AD0D1C930
                                                                                                              SHA1:D2D86CE410D942DD619012AE4F68676233534227
                                                                                                              SHA-256:44057958160F4565710467BA4C83411EA884896E48E5C548C8A22E9F73BC39C9
                                                                                                              SHA-512:DF9DA3F28511BE00F5BF0650572054B82A9D9358AB7CA2C9796F8FB9A649A2111DEC4F415513FCB6BCEF8E2EACDE4F925767EB913A4ED125F70EBED1EE8C63C2
                                                                                                              Malicious:false
                                                                                                              Preview:.`D7..A(..J..W..1L..!J5.6Y...7.![..B.C.o....{.K.O.-.j.....xO........ ..lX...x)..).X[oUQ.i..[..fQ.}...7{.Tg-.6....G.G.6.f.6?...../'r-.Z..).Y..Rk.swWvv.J.A&7<....@.J....p....K.8...8.2..."\....')\B_.=..........+.~.-.W..dj...G..7zp.5...7.......ov.vV*..U7..I..W..(H..<^4.=H...).3[..\.M.m....d.D.M.8.w.....e^........0..rF...c#..;.QJdXP.|.._..pE.~...%l.Ac6.$...I.I. .g.8P.-h..S. $Q...X.2!.wII.&.........,.."^./..)-...E^Y,?tAcy"...>8E..e...".o..I...T.7.h..q-.."..Re...CF0.BDR.....t....[.......L'..=.T..,_...t.TI`.N<.gX.=.L.4.....h...I.(=....~.l.. ....1k.........Ps.-...m....xu.Q..B_.pK..l.,SMku".E.>.....DY.f_.y?.Q.)a..P.#9Y....].--.tCX...........6.. [.-..4(...F]Y.:z_l.1...31U..j.../.j..\.....O.4.l..a-..3..L....C^*.SJO.....l....\...G..gH...[.:....~]..s..}..@.b..R...t.M.;[.......V...#m[$..=9/.Pp.2.I...ei*....t.BB.4.@...`..?.Q...}[C...'....].......v.U.Q.i%5C..=.KDO..k.3.6.Ps..b.|..@..a........."...m...rL.:;.Aa?..Q..2.Y.J.....X..D.u...O..@.....jIH.
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1271
                                                                                                              Entropy (8bit):7.8209298069158235
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:HOSiPgBK0fd81wpSvlXmDQkoPD8vTJu4zDf4t4vdZ4pz7CbkBLI:ur0fd4nkcD2T/v1s7CYB0
                                                                                                              MD5:0CE1D12638365AE404A6ED89B78E465F
                                                                                                              SHA1:AA16E3B833C2F938961685D6DB2FAE34B9D646A7
                                                                                                              SHA-256:C8B2F04718981A0ADD2AD022B174DBF8F48CBC34E4BAA2FF7D16715C369E0C51
                                                                                                              SHA-512:E95D0DEF47F6788919B0653CDC1C1609A9C59232941F5CBD95C43A7002380DD0EDE09226CE8B73370DD53C491556E38337ED98BDCF069B17DE5821A6CD2EFFA9
                                                                                                              Malicious:false
                                                                                                              Preview:(6.9.7B.t0..5...M....M.Nbj.:....4.. ..g.RN.1.."..od0..Y..E...d$*...2EN@...J..<a;.RDw.7...z...v....h.AQc.....V..........j............u..FM...s..{bZ.i....e...../.d.9.;H#h...&.Cv{ ....E.j...M0.5P...^......b8.4....... ,..#.....H...EBz.<u..B...3 ...-..0B.f...5...P...\.Thm.(....8.....}.ME.6.. .{y-..L..T....8+...7[PA...@...r2.YIv.$...d...x....z.MDg.....R.............HQ..p.8\... o.\...X...iK..H...W$.3e..`..iX..Ux..=y.&.."...:.FW....q*.w-u...K#...d.........h.u....c..L...1.!&..Om..Yt.U...W.1.=.../..C..g..4:).^Y.zY.^i$]e..B.....4a...-...".k..Q._....;..OR....h.b.Y'.7,c-y.(.4er`k...yc...^k.Q.N..?.2o....N.....GT..s.0N...%z.P...I.....kT..H...X:.6w.....rH..Vx..3g..5..6... .WK....u3.f8m..U8....z.........m.u....t..\....(.02..Bl......t.A$....AE...$...}^.7.c.....@..I?.....7M..+.....)...@..w.R1.Rj.I./{...:.7...=......X.Kgw....CR*..:....k.......h..o.B....oR.&../.7p.y.7>.-c.....+T.W.K.b.../.p.%~..!.l.....e.i...Q.TE$.%...BDJ.U..<...."..D...s\.......
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.854152940847426
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:acNmZglv62GA1/yMgTtQmJcvccIXRduv7I:jw6k2GA1/yMutmwrZ
                                                                                                              MD5:F69DBF651A213857EDAD95101E7AC745
                                                                                                              SHA1:74FE78AC7E3393EC422985252C9FFCBD839BCF03
                                                                                                              SHA-256:0A7413446D9E38C8EFCAD056533F4DF439134326CEC62F47D04F08712ABE00CB
                                                                                                              SHA-512:4482E858253F5E9B250213242B57FA3B97DB86808839492D9E966AEA44EF8BCB65FBE591911959786ED40385864088BE4816A61CAB35AAEC430EB6AFC4D922E0
                                                                                                              Malicious:false
                                                                                                              Process:C:\ProgramData\E8D5.tmp
                                                                                                              File Type:data
                                                                                                              Category:modified
                                                                                                              Size (bytes):477827
                                                                                                              Entropy (8bit):7.997084050500727
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:12288:3u2nTdbu2nTdbu2nTdbu2nTdbu2nTdbu2nTdbu2nTdbuT:1bbbbbbg
                                                                                                              MD5:1484E543DA547AB9C48D9A1F62EAB666
                                                                                                              SHA1:F7322AA4A44137DCFCE952BB992E091DBD119498
                                                                                                              SHA-256:A413D5FB23B108FA753AB86ACD3A73BD9BCDA78301A387FB65333E6DBEA68C38
                                                                                                              SHA-512:31E8AEFB7DE38CDAD899084248512D04E959C13CF4B4BE611FF4C2A71FD9A4F23586BFC3FBBD3CB69F99221F8F59157DAA235224530045597CB2B9E1F4A98B35
                                                                                                              Malicious:true
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:true
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.8391707356863645
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:ccUGIJhhwYN3V28R4EjfgmnF1OqH8uGC89fA+UMWh3R4iWAJMvII:ccNIrCYN3VfpfPrlH8uGbA+Ub3NWASvd
                                                                                                              MD5:2D66C43F16B4D70D71EC1401AB3CE5DC
                                                                                                              SHA1:F3769B0368D93886620211ADC8D81E1ABDDAFE52
                                                                                                              SHA-256:10EDA00CA889C207EE2E589D28F83AC909D66E110038023B96F5905BFBB5C934
                                                                                                              SHA-512:31D2B4D603FE02BDF4A1320D7852F7D487885428015A6FA35F1D369F10A8E0C4F12A786604B7A233B0455F9654E0B0D73BD0509B433802407C8B356BD6C7DEF0
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.877276464382923
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:FZZQn5qBmvOiNsq1wpX+NHXKL/cFGnwvYD6RCoI:FZMUBQXsqAyXKL//wvgyC9
                                                                                                              MD5:8C18952E22A857F45E72F754AF3337C2
                                                                                                              SHA1:23FC83BD14E883FD19ABB6EC40763D63007AAC63
                                                                                                              SHA-256:1FE266C517C259E777210EBD651143EDFD9F6133ADD300E4383E3A3915F3403B
                                                                                                              SHA-512:E77AA5EC5479837A0AF9F36022EADF594398A97939B1E303283B72DDC3E2E4816FBAEBBDD5D0B7F9A45625108C45D69EB1C2567F8E5928FC9577D6FAD23984AB
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.872235474457179
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:eZK8/YnM41s6I098WgBT3d79cybPQsoc8oXJ9XI4qmb3vGKrnrI:eZ/qMSr18WgB5ZNL8Srb/jrU
                                                                                                              MD5:DFACAA2890CBE91A823E63A382CCADD0
                                                                                                              SHA1:DD6C2DECDC1CCD7DFC5587AFB5234885460D9C8D
                                                                                                              SHA-256:3A5E12C64482BB44915E8677D0440477216E37BCEF03AF7CE4EC92815D4E0376
                                                                                                              SHA-512:23DD214757722784573A8D4060021B9CD46DBCBB35C2194EC13B6B08A0C183C73529BD8C9A44333F3D1F5557EABD3403B37C8C47BD8C7548BDB312FDFA2F5B54
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.812743763159626
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:oYbCkfqAibaIFPioFsYRIom9lWA4AAlJbpeyT93xqxzcI:bhqH2OiCsdomB4AArp1dxqdJ
                                                                                                              MD5:702C9CEA026BD897CCA6E76778C39B2F
                                                                                                              SHA1:4533A2500F62677E7383FEE25C8CBAD888DD5580
                                                                                                              SHA-256:C4BDA9942E6CCEC9AE580A722832E82FFAAEC2316BAB7DAC974148BB2F2B1EBD
                                                                                                              SHA-512:890CE29B6C66385D9FDBA265B107930F61D388E1987E26F1530A308DD6CFB2C153B1B1470D53C67D64D6404017FBAC2728DB5864E2F5C8B20A86F10BC2780024
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.828287966734658
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:mkQs72hQjyCa+asljv1UW0vIRo571GGAAaUwy4evwupFI:pQNh5+9H0vh55lAANwyOupO
                                                                                                              MD5:72FCAA890DE2D9BDE14935F30BDD22BB
                                                                                                              SHA1:E9839337125F7B4BF7C756B4944585D2C6A9A6F9
                                                                                                              SHA-256:7731F43565D92A988BE3B28ACC0DE03A87BF29566EDBA1678ECC55E4F158FF27
                                                                                                              SHA-512:03E80F354A62872FB384C77C18E33B389B9D8E44EE0A9A0A9D3C1E09E3365D13884259C1AD19B0EBF673B0E446486ED0C0C74EC3249B197D6E567ECCDAABC6F5
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.837968587366878
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:ZWOWf2TR3Tm8/A9mC6Ormdzw+c99e5300i4Bd8NFniHj85LyI:tWf2lF/K9udcekB4sNxUj8N
                                                                                                              MD5:A282B231D95C85553400C61A39A1ABDD
                                                                                                              SHA1:26FAFBF2CF34051BC973457BC46E4CFCB54C2748
                                                                                                              SHA-256:D7B961B00E5EDDD7EEECFDDEF82BAC0A7971EBD64487442A6817486A6E8B9F97
                                                                                                              SHA-512:B7003DF1796AA64D0BFDE90B794E48115FDDC24E46A00311AC4B3177D11769A54720EBBDF7E7DD1D24F73BE1466CACB5D99A0CE5F1AFEE5B5F2E67022EF42BC9
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.833676284354844
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:EVDi33uKdUX+GEV8KkIC2wI968RaYUotsq3cCxD/QXOMdNVBZ0I:EVDG3FdPx6KkwRaYh7xsXB/vx
                                                                                                              MD5:C340B16CFE0ED2753500A0E8D930D4F0
                                                                                                              SHA1:5957D06C56BC0D66833C64DD8BA4AA1155ED7F31
                                                                                                              SHA-256:0F5EC458628259F2C2CBCB7598642AD22D7CC6147B6F9E1A6495271189AA833B
                                                                                                              SHA-512:B836FC90609B346FA96EB0D24C91353DFE996DC79EB7913D1BE4987A64E0204F6AAAC1E171CF41F7D779CD50AB399EB7261F4EC99509424F627C6A86D26E51F2
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.845727110973765
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:g0hO9vf/Nbxuml2M4iEM6bVs6fctNnapnf9hwVXfNpOc+FaBVWNJEpI:gMwvfltl2FMIVf0tda5fMX1pOcyajoEa
                                                                                                              MD5:F920664B7C211F03E52F9485848F3DB9
                                                                                                              SHA1:31D5CA45C375F8E7F4E3A31DB344EFEEB78C1493
                                                                                                              SHA-256:1676786DFB47E84992C256B11CD344534BCFCA928E7D2156D0E893D6374B3D18
                                                                                                              SHA-512:57BE9309A8BDF00EECBC361B3E6238A88795CEDBA08AD5809EC6387DC528DC91F59D87EAD20C8ABC1D2399EBC7B7589D9F33EB806AE823D47C5EBB3E5FC1923E
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:OpenPGP Public Key
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.837142302925213
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:XRXXQsLWnBSLmbfHVGHsyTC+0RIUu49rQMkQULrZwvb0LwUE2BI:BwyWswfsM9Y4JQMknlK4q
                                                                                                              MD5:AD1EF970425CE78F59D735AE9ABE6B57
                                                                                                              SHA1:F9480C3E321F7A75307ACC3FFE9772A0FF0C4141
                                                                                                              SHA-256:47AE59FB3A2E14C8A5D64C6B9E7E51713BD59F01AF7E59B691E8016B93793CB9
                                                                                                              SHA-512:C4E749B2EC4D940AABAAA2E20FC2D58E5BAE22B5183896BB3A236CBCA63890213BF0DF2612E5D7BC9CE19200F605F69DDB7710ABF9F2AD4FBC94914748F82830
                                                                                                              Malicious:false
                                                                                                              Preview:...st.a.1.....n..9H..K..X.................T....cT..Fs.U.l=G.*.ON.4.....L...JhJ.<i}....;E.f5.....Ss.....;.s.....m:mJ...7..}.PX..x...d......hZv.t'..Q..KxY..T8...EH.Gn.....FsQYU6.. .......X..!Z.u_.4..Y..U....x.....E.^.....T.a......x;.q.j..?k....mb.a.6.....w..(@..W..Q..............F....aZ..[t.].o"M.'._^.,.....A...UcO.5qc.... R.j<.....Vp.....'.z.....v6gJ..."..z.R..w...sI..zf...k....i....3H6s.BC.....'..%.a.l9......dM.C<z..i?.\.....(...!..!=....@...Vt..S......_.!v...D.k.A+')............g.sn..;.(...f.......ox;... ...K.Z../v...l..].....+.yP.B.n.jI7B..d...APw....h...K.avy.....c..,.!..Y.0....u...p[I{.!._.d..mF..xj...`.....s..z3H>b.]_......"..%.~.t!......lX.S=o..o .\.....;...)..#!....Z.....^v..O.......N.#w...H.z.D+.9.......)..e..|)....+..._....!+,.....u....s.C.:.P..8..o.gV92...:I~..&e. ......zl....T..6(@h)..+xX.%....".l./..~H..?}v.d4...d..W[.J.t.'.w.o.I......_O.....F.*..+.$.P.W.].:3...adt=._.i..6.h=....3.......p.m;.;p..?....L.M.xY.[.C..8qQ
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.849110466723603
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:f2yWPaYRThV/z9RwEiN1RO1IJNr36K8hkrQ9BIlBAxN+PCjqII:uFdhV/5RwEiNXOCj0jIliNdg
                                                                                                              MD5:433B4416318973C56C5F4FE03ED1B82B
                                                                                                              SHA1:010233ED83D46B2FEFA5204D94AAAF3AE72D52B3
                                                                                                              SHA-256:1C77C26F1669618DF83854C663963BA32D2A807A93FBA3FFE04AF30643A446C0
                                                                                                              SHA-512:EC736A6CE1DE6716593F160774E49CBFCC7A086EE76E0FBDB32358E22CF68DFEB808ABEEF2B0C83E2E409AE7C9D72A1D79B52A8692B23C97369FABA41070D4E2
                                                                                                              Malicious:false
                                                                                                              Preview:+..4Y.N..#.e.I.Gf.I..mE.....Jr.a.|9.Cs.l....'_.D....#.f.l..V...'........n...0..aF..#.........U...(..e.X...5$.p.T.jT.....e.g..Eg..k*...4...9a..+.;N3....v.xO.k,.Fg.p....O..=..].....MC.&.M..]....x...qU.n.e..mY....|....-.M...fFSQ..1.c.[.Ms.|..%5.>..<G.Z..$.`.U.^k.X...qQ.....Y{.g..<.Oe.j....2].Z....+.y.~..F...4......e...8..dH..6....s....G...*..l.W....(.p.N..@.......K......;..f..:G....l.9).....].!.5i..Q....7/.@".>.~.tVa.x...z.....Zd....o..\i.$y..y....HY..W.A.;..3.2.5.4..y..'d....\.q.k..j..O..d}...v"..sZZv0a.^.....-..D...r1..p.........t..(/.ij..=.iQy..O#..=.oM~.5.d.uD.O..:.J..g...!..A..s......F|.}.u......_..a...9..d../Y.....}.<).....A.'.(v..^....57.K0.;.o.a@q.a...z......Iq....x..T~.9c.......OS..].P.7..".3.4.8..}...t....K.ou.........#...<..U7Ji..!.HM..........gK\...o.;}kR....D.q!2...f.{.NE*.....W..q...f..6._r..>.4._A....U....@ .f.6..|.a...PbB......*.FB...h.:-....fpE.......*QfrP...9.l(8A./..1..b......N....*G.{.'t.lg..-_..p.;>......~..)..f|.S.
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.850604741215949
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:/cEjWtQVe04aO3MvJrbVNmSpM8XQVIHRC9HI:fPVy3MvJrhFpM8XQVXm
                                                                                                              MD5:471D2E7EE633D74C52ED3CC8320E9558
                                                                                                              SHA1:5D6CD6FB789561542136273780153987013755DA
                                                                                                              SHA-256:186405C5AA674CF3EADC58F531D2A8920429B15F0C8A2F8575F73904FD6FBC3E
                                                                                                              SHA-512:89385D01C1D4A9970888D73A2C98BA66AAB27A3821EB11D6DE489FEA3C3A23DFD0891B2A5CA9EBE7EF2DA8E2DAC762943E2438068C9FB58D5FA1D6F7228A8F9B
                                                                                                              Malicious:false
                                                                                                              Preview:. yd"W.Q.......v.g.......l.^X....1.._.....`T........txa.lz.C;w.*..<!..E...)..#e.Sy..>%..ik.'..,.uv...1...q<0.8\.......M.;.....Mi..X5.c.....3W..FNx.7..I.....DR*.....[]" .S)...Y8....'...=.DQ..[._k......[...8...sR1...b...Z...t.?..{..8.Z..L4..B.0..p..7fr%C.].......a.y.......p.RM....*..W.....eI........pqy.kk.U6|.%..8%..J...9..,a.Cs..6>..kv'4..$.k~... .x.f$". I.......O.2;..K".=.d..6....\...Gh..,I....na..8.... .b..O.n..S.1.k}.^.%O..9m.5......i.F....$z......N>s..G.....m..J....I..<V......$Cd..xB..)...W.........".{O......W#[.l80..".N..Q....nL...Z.*.k......h...w..Z...V.6............W.,B. ...v...e.......'<e$.p2..D+.2.n..3....Q...B`..7[....{...1.....9.~..H.g..L.4.~h.C.9R..=c0/......r.@....9v......B'c..D.....o..N....O..)T..-...6[)..|.....j..w..B.....0|&.A...UN.^T.s#....q*.Hp&....{.u.)...1.{$....bP..64.d..F9#.}.r.........eyq..a.A.V..G....Og......c.2w{..l&Q....`......I...W...Soi.@V..<.7..y....P.m7..n..G..E8..2.{T.BZw.<L...i.O.\.R/....3A.,{3.M#{L{8.
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.842514673417983
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:biw6kH6yc/VlypVRWGdSWm2knbKq/oQ+qKJ8wI81kKf2rI:XH6DlmRWOXm2lSoQ+qKJHfl
                                                                                                              MD5:7380DD74ED2FFFD5D76F81090E7A3D69
                                                                                                              SHA1:F8C64E036286134EA044FAFA996B37FAF7AB0140
                                                                                                              SHA-256:880C2314EADD3048B22A161F5AB1A15304422F07B2536A056BD6F820B58FBFA8
                                                                                                              SHA-512:7A9E9F8E40C0A750D0C95CE08D0CC79DF57CBA559F69789464473BE13592836CE6C31F654C46FF659BD5D120A122FD212CA188F5D912BE960B6C430A8E22F385
                                                                                                              Malicious:false
                                                                                                              Preview:..q..Y...Dt..O..G..51.8.Gn....9?#.j..... ..9F...*vDk.n....?.zv...<...h.D..B.:.......a......O..6....I.....|...!4Q.\wl.MW)Zqlw\~fW..L.....h.....y]..@......Z..g5.@.0C&...7.N....0..{...Wt..eH....M....>).....N.1.%...a3..=.W.L]............h.@nW.A...|..N...@s..H..X.."(.*.At....<*/.`.....5..'T...&tHx.l....3.rd...7...}..C..O.7.......{.......B...'....T.....~...03@.Kjc.MO-G..._I.....}....h&../..v...O...).o.as].0...S.f+d...nK*.n.k..rQ..ja.J.l...j].q.RC.~.IM.S;Ua_+.FL,.P.q2d...~,4.W.Z.p..8..i....=........*.E;...Q...7S..p`..C.T......v/(..15WBN...N'.......{......@...?P.N......A..5....m..iD.w.YRX..4....v....Uob|...^Q.....i.....{.../..v...[... .r.o}J.....J.q+p...zD5.k.h..g@..nq.G.l...qG.}~S[.l.YN...V1TpP3.BH-.D.{#l...k +.].^.{..!..p.&.....4....>....W.U.w.uD.._.O.j.?...?`.4....@.PH....&g..A.... l.|...........|~./.......g....s.mX.Z.*....+..DiO...6W...W.....E,....]..|q.......h2".U.^.%O...>.j.B'.....#..L-..up.+......3..7...I.-.n./.Yw>...C.1Z.?A.}7kl...K.
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1267
                                                                                                              Entropy (8bit):7.848999771601717
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:Yxu3bGSm/Tf4gYwrVg2+3IQByuK/jyvVBI:ySbGSm/T1brC3mljy9C
                                                                                                              MD5:A2297759199F5EBB7523FE507B50642A
                                                                                                              SHA1:661796997D923693E616EE04F629A26129A027C2
                                                                                                              SHA-256:E53CDD8DB17E1CF4B8CB1FABF399F4766A21967C1AE31CD16C88686FC909B995
                                                                                                              SHA-512:1273A43A3746A02E0958B791D42EF66C9D15A9C92A6F88896E387EECE751D7AB2F208EBC1282CF51322A56BED93045A26E776D8ACE0E1099D2A29A5576CED130
                                                                                                              Malicious:false
                                                                                                              Preview:t...v..v=..j...............X^.D.....hn+e...P..8-..^C..s..{.h.\.I....,.....l.....E.0...S.......7U..N..]..`g.......y!...S....m..=K.....<....-#../.N..-3..i....%.T.Z.tEh..)...h..7..G.^.5q9..@C..t..v..P.t.....Zf;..n.......`..1Bk...vb..j.=..(.X.W.r>...d...f..c?..|...............OI.I.....pq3f...U..(:..[Y...r..|.e.T.N....".....t..6..D.0...U.......!O..\..[..bf.......o+...F...2.....H.l.U..>.Lx5...."-..DW<.f...|^...C....}.. .."..8.<..+.'.T..(R9-.@...-....0.a.~.'.{.;=..J83.d5...'.I.....z..k...K...y"G ....vO*.. ^bQ..EA...yHg..R..]lF...E..D......H..%l../S........q/...LV26F.TAl...*~OnJ<|\]....|+...BIsRF..B.q..... 9...(v/...H.b2.....W.a._....Xr7....$>..HD8.v...rS...K....|..3...$..).<..:.2.S.. ]8-.G...$....>.e.h.".w.:<..B!2.w2...4.Y...xki..~.....S...}4c...i2.D.i.~...>d..[.D.t.....MQ.xT~..o.0.DH.T/..#]t..Y...$.CD@...F.B?...Q...Oh. pF`..MD.....~..*...o..,.*.rM[.N.....P.......xSR[....k.2.......g+#..].:,"..1..0SJ?....$.Gh.H...vB..... %...t.....X&...D....9V......j....X..S1nj
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.839016399414432
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:oRgQy2kPr8UmXZwhk0kzchlnR2X1gn2FRritsk1xZBxNHU0ThjMh6I:CynP4ZwhDPmm2FRtexZHN00TQH
                                                                                                              MD5:575435F04311293944CB35FED6A301D4
                                                                                                              SHA1:6DFF5A6FB6BBEBBB9BA89AF281D256AAF931513B
                                                                                                              SHA-256:81238D44AE25FA3653F8FDF4FA0D05E89EB10D47B0BF6B5260F8B41D89B66AAE
                                                                                                              SHA-512:B954D7FC8AF3323CB40C857F992229AAD370996D4526E1B1BDEC32E1A48B1AC9D6C7CF61AF7090E66CF62192F5DD1D048598F93DA3EA775D26EB42F1546F8A65
                                                                                                              Malicious:false
                                                                                                              Preview:.\...z.*.R..y0V.....k...D~.I..../..S...T.f....._.e.....)...Y.2..l....2..5i..J.+.j..e.:.v...=.I..5.]R..........8#...........@......r.....G.Q...G............u..!...Yv..ef..BY.....T4.k......{....1d.\:.sI.....,........SX.Y{4. \..j...}*.....*D..H...t.(.P..u+R......m...E..Y....-..W...L.c.g...^.d.....-...U.:..x.... ...}..X.%.b..o.0.g.../.P.p>.XX..........>2.........x...[.~.....Q...W...q~.k..V..2.P.m.......G.VcR..........P2t...C....."3...tg.....f..].S...a.._4..8...^.........N....J....p...j6b.Jk..B..oO.hHm....kC.F>c%...N..p.}.....V...k.(.*OBp.TXq..s..>../F.....{:.%.gl.......*6...E4F;D...U.;l.9o.).$...Y#.s....J.i.....B...C...`r.x..Y..>.F.b.......WpZoM........E'i...B.....=8...y......q..@.F...s..I*...+...E.........V....\..../.$i..k...g..\.Q.9.b..)...SQ....s7...b...F..8aX_...>."..vV.. \N@@ .....c....Lo...H.__..`d+.=..'H....c.o....^.JUC~..]......n..h.9J*VD....^&%...+.8.5.u0...DB.m..1|d.....J..F...........yX..7...Y.g..L.ZL.4Y..B{3...T.9.1...P.C~
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.838968277712315
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:ob91B7JkxXdojc8+78OwbMN83szKbMvtCD/+46QF98HauIiW9JyZI:O1B+r78OwbMNsUguYD/H8HLW9IK
                                                                                                              MD5:8DAD230064FAC2DD98941A0F58B24185
                                                                                                              SHA1:4C904CA1F07F9E6A64AC7F1A063EAC06AC927813
                                                                                                              SHA-256:D7509F85F48ED1A5C9B93B8ACB8BC4E26B3EDB664A420D02CD9E0883CF52620C
                                                                                                              SHA-512:5806C8F30E2C05B18E05F90F4145B4DF9AF4DFFF9594AEC0A2600B980FE85B416CCCD71CAA2F90D1A5CD9BF4901D99F24EEFDA8A635933546BF14320EAE9FF69
                                                                                                              Malicious:false
                                                                                                              Preview:..a.....H..J...h~a..~..Y..|y..UG]h...v.V..`$...).IVY-M.~.....d..].p.@*$..dh...}.T.-.x.r...nAi8...o....J..aGG..... ...].."..iC.pq.*.N!....]P{b.,%..4.}...Di(..}..`...".'h..-.....2*3.?A...............m...N... ..=..+....=..9..s..2..).&Lt?..P...u....D..W...cmt..p..]..cx..\]Uy...q.H..s8.../.KQW0A.e.....o..A.l.O94..~u..m.G.$...l...nC{/...h....H..~YQ.....>...G..&..`..b..Po....).xq.[\.....X.....t..C........\.>KC=..7..(,..?>L.C..;..M.......R..l]i......P.O{..fW.>yk..c.L!..n.5....d.._?...l2..].....r...B...al..#{.{.TG...8.x:...n.1p..x.`..XW...C....uk.n(.......ZZ~.M,Ao-x^3..P.3G..L*..)..`.5.J.A.).4...4z|'LlH.u..e..Jh......).ao.QH`...S.....u..]........X.)S@8..)..$3../$A.@..;..].......R..oJw......N.A...tC.,wc..~.J%..h.....e..V$...J.X..7.%..W..-.u..m...6i..oM.l..I'+.Z_...(*.......!.X..s..k.U..J._..*4.2a......Rm.O.n.....3a...M..........0e......$r.5V..h.v....w.&..a.n...^...eR7....]...t~....\Q.b..l...*...$H..T....\..w...N..!k. .J. C.......{..1....%.eM.A.
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.827359858755042
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:Y1q4LQhiBRjwJxJD5gJvK89lbupenJkjodX2QI:B40hiBRExjsvN9lbEa0MG1
                                                                                                              MD5:D81BC7B9ED07F1D6D425DB4727241563
                                                                                                              SHA1:C01A0B6B4F84C9FC11AF4B3F451889D56DBBEABC
                                                                                                              SHA-256:B82D606CDFF4890606EFE74EB548404CDF5A61CA861E82A787F5F6720ECF0AF8
                                                                                                              SHA-512:23703505B700A57D20686E691E093D81408CE1C63F17BF201BB8584DF3D9AD888D660C5790AA1F7F20604D4F4213882F7C119411F804658541D43E1BD901C48A
                                                                                                              Malicious:false
                                                                                                              Preview:....}....!.^.`.CB....M.D.../..............e[......9^C-./....?6.9:.......vb.q..8e...!..6...z>.z. .9}.,..9..;=`VZ.^.......l....9..3q..E.E.o_..1H.29V..L..?...>dL...X..%J...Ku..d"...!...N..G..6|. b.^[!X.0Lb..5,.A...p...s..q...&%.....e.,~..i.4"..Y.....`7...7.V.c.EL....S.F...=......3.......y@......9[T+.-....3>.:$.......}c.l..-p...:..+...k".x.$.'z.5..0..;"{^P.]......P.W9a%n3.....V...$..$..w)]S.@..Q.E.....Y.#.0.?............T.?..\..N...L.._.R.n!'B....:...]'......^...C.U5.<|....f...`5.2..X.^..?.%...I..#<1.P....>9.^.!....h...\...m.....")..;...L.X...:t.!U..R.cD.5D...Q=.M....e.E.:y}..c....q..8.........P.X<v"g......[... ..*..x(PC.J..Q.[.....F.+.>.(.............B.?..O..O...[.._.P.~>"P....6...P*......B...@.P).6x....`.....&.YjTP.0...#.z./.r....!.<..P&....pfD.0......L...I.....g.:..._..p7Q...1..._@<M.+..5.YS..2Jp....Z.......?gNv.;.4yVr$D.=7..9..+&2.{V!..L......F....e..E.;.4L4...}C..L.G....=..?Y....d.%..:...Kx.rb.b).g.S#A.._g/..1.X.rD..(u|
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1269
Entropy (8bit):7.8340389476501695
Encrypted:false
SSDEEP:24:ZPMIpvLMs2Xk1bDOeBKY15q6OkjuGX6F+VB7hSpbsUxP4DdI:ZPMIp9SKb6eBKYGwqcJLl+ZxQS
MD5:F3430763B278085FD7BF2F07B13A9859
SHA1:7DD876948FB017FE67493EAD4820E48D9ECD2ECC
SHA-256:FFEA1F4B719769EFCA9B416BB2B6F09905445C14CEF58D43B90219CD7ABA1324
SHA-512:15CA519A9CA8F9BB223FE17E2BAA23EFBCDCD7DF976D9D2D75F990A700CC894D1439FEB3F9DC9652EAC14A8A100C30AA4A212FBE8323DD2F47D6A710650B2A21
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PGP Secret Sub-key -
Category:dropped
Size (bytes):1272
Entropy (8bit):7.875729872379994
Encrypted:false
SSDEEP:24:zJH+75pc3d1Ju6Ij9y2HlO4WINp5A117v890C3YYI:zWBg2H84fNIQB3Yt
MD5:2738952DFC8DAD07B0ACE3D45F09E555
SHA1:3AABCA7839648CC03E13250823AA0ACDDA68F5CA
SHA-256:8039F3164E93159E0776527252673F7603C2EF673940C2539395E4E745A18E3F
SHA-512:B7BE0159916F6A29532488FC20AE1D52D51EA791E74EF924655CD6257C68392B594BC06ADE9387B54C9ECD86E5AA23C5461D0432B47DBD7FCE15216A029BE417
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1272
Entropy (8bit):7.833054617094024
Encrypted:false
SSDEEP:24:aPU7kTdKyDg8P8SmTrLGzR9rsj7uyk7XSeVtpPD6cnG0nGjCkflykTA5l6I:aPcGUtrrLsrreeVtpOcnGqolRTA5h
MD5:7975ED38315E251C19E6E958F344A5D6
SHA1:4CC3AF53D1D51CD9AE2E6C1C539AFEC4D75300D4
SHA-256:053F5156B78D467507B08D9E7305EE80EBB51DA46489A19D18294751D8709D8E
SHA-512:61F17F82CB871AC87B37551A808A88B0F79202AA72902C36D5146CA1C3AB24A52DFC75FE8F6F3760DECAB51BC20908E653CC986F2DD542D2571E374AF613A9B5
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1273
Entropy (8bit):7.832157046923194
Encrypted:false
SSDEEP:24:zv+n8becnhTbXeHMmOeD7s1UnMV+tMliU/LN98sbtTGOlRPXi8I:28D9bO7s60+nkHTBRPXU
MD5:3C14FA855D023EA8C475744245240C57
SHA1:9DB2CBF40ACED148F372C15B590E8F80113661BF
SHA-256:ED11BC4046611C31AE5CA56883C15EDADCA05A77A4B976F5749D9063717AB7BD
SHA-512:8C6CA4AB2E3513816599B23136CF144CB2A1F2D9347694BEF9649EE51AFE7505F585CD951BD3B0AC46DABDF6D485464FE527277E8C572913E5948A3CB2E6BFE9
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1270
Entropy (8bit):7.845599959617315
Encrypted:false
SSDEEP:24:Z4P5ANWFvQtyLmlnBDKRws23aImGC4l2Skkfhwhwpm1m2I:Z4PdIYLm/KRXKajM2SkcwhF1m
MD5:9F570093DF5483C5419AF63F5FD48490
SHA1:82406DA993FCC06733133B99817E7DAE43390FC4
SHA-256:35CFC91FB14CE4DC52694CA818E14A3E7BBF7C691B603BB896186581950121A8
SHA-512:5D6DDAFA1E4A7E47A1FCFE940D08C3585507BBCC2B0EB4B5D908870F1B155ED3DADAE53B33941D446864769D00BC476C699D8AEAA35F26ADADE84BF07C2B7545
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.02936286887508
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
Malicious:true
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1269
Entropy (8bit):7.842499528072671
Encrypted:false
SSDEEP:24:1vXnzBL8n1zy3WC4yDeKTZ3d20ev1lyzAM9621aX3jnI:VjBL8ty3WC4yTZt20w1leAG62OTI
MD5:34F6218DA00D17BB0170817FA0DE0261
SHA1:0FF0C4730057046D397E82B14BE87D316E17548C
SHA-256:1B4B09D5E4FCBB807EF20FDC5DBCE4E4A27FC4FD9EEFC81DD481AADD1F0902A6
SHA-512:002A1334A29E6611252E88C6215FB7E1B0C09D0AFCDA21FFEE52472BB6E6C0FF21A8F4BBF9C9F5F81DE8D780DF38F52949722AC93066FD84F89204141CFC521E
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1269
Entropy (8bit):7.852975777663162
Encrypted:false
SSDEEP:24:xsyPEG+rFZkuxgEVV12ZwWmHGK2SKdYd7569MTecPBVctDHjlI:xTEG0FVVV12ZpUoSKq5+3cLADju
MD5:B4DB12ABB95EC81E5BFEE2E9D65110FF
SHA1:023A3C639B36650C081738FA25AEA24C9D23FE97
SHA-256:0637CAF3252D1A529A2B20C12DFE62EDAE5A40880180B974C011DF33EB3FEC44
SHA-512:7A4647E4A98E7C5C02852185871AC0462D2340A7710B1BDAD0550D42DE721760164B052E55C9F38352A1D0FDE45CDCCFBC3051F490C7BB67983D9E873CEC1FF4
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1272
Entropy (8bit):7.856402954419906
Encrypted:false
SSDEEP:24:P5cRPvYLXkDM5nk3SQNHqNOa84aZTyApo+LCHd5BERRGPI:eRPvY+Sn3QN+lmyw9aTE7B
MD5:DF1BAFF7FA382651B68A46D568C50EC1
SHA1:C5F91E16B326F4DA0432FFB010A89CAB57492059
SHA-256:FED69A538E6E3DD8108D8D5F271450BC67CB4DF04C3E47E7C0540361A148CC13
SHA-512:8E772555C4197D26ECF617A2B03B8D4DF1B9F9860832BDEDBACF0E1FF26C3D0A60BF4EBABC519FF94F8E0B585A107DB5A5AEB8D269086DBD08C000AB23CF2C61
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.02936286887508
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
Malicious:true
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.02936286887508
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
Malicious:true
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:true
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1275
Entropy (8bit):7.831526066862942
Encrypted:false
SSDEEP:24:YVUJKIKiLzq7IhUq9oQvJi53d3udhQqrpTRwfiTgqIJrHDY7EppXCcI:YVyKbyBFvY5t3yhycsXY7ETXi
MD5:47CDC8EF2B65E59A3C77BD1F8CABC2C6
SHA1:15A7617A85F6A07B5DD86D44FC6F0F7E3718113A
SHA-256:23297AD20DE2CE31C5CB9BD68B9DAE241B65147FD910640CA888AFE11D9224C8
SHA-512:3F2C2CDD90EC24940264D90A2D291605717FCD600744ADBD408D83B715A2A2EA9F6026C6094B3EFA2D0BDFBEFE93D4B299F38DC6F04BCE1074DF7E6BAF998753
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1273
Entropy (8bit):7.827200909091106
Encrypted:false
SSDEEP:24:3T1m7egFImmX/O3Lsau01mQZe9SuaR0+QjFUV3BlXQwoI:j1YNmvO3LsauhmeouavQ5UflXQ4
MD5:6A76EAA6558A2AC212286572CB3E08C0
SHA1:D0759F7D5B9CE3BD7A3E3DC470311236EA19D84B
SHA-256:9E93D0A0CDD82C63263027EC52866514DEFE27DE16779CF16B03C12A0C89C6B7
SHA-512:6BABF970D2285E558E2CBECA0A9C042BCA5379A22B5E6FE168886EEF5600B095150DBDD8EB496C24CEB9ED1560F5567ABD368F7B09E36C8CF4FE533036776DB5
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1267
Entropy (8bit):7.8281280121115655
Encrypted:false
SSDEEP:24:9+NhJ6Nlazu2SryjBcPijvw4a2J4xmDgBSm62IjVhI:9+UNlaSu9jt4xmDw6Pjg
MD5:91499F40A1E0C48A766F5C01AEB99420
SHA1:231BDCF82FC160ADE9F77B9A5F658349F67D1442
SHA-256:650C43468A387D31F7E35792487D67B3917E8238C236D84F080E54AF1E6E4BF1
SHA-512:8B69373BD4F92B2AA3C6F87F83465082939D5941C518E4413D1B37C0D58C2D868D33CC4CD0B2D08E2D160A5CC05040A021F357604D1C9ADD8941852055E5E7B0
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1270
Entropy (8bit):7.842289206351003
Encrypted:false
SSDEEP:24:2cu2E+Nmfkn5wXZg/PJuxaO0P65qrX3gF8jaDI:Oewp2Pwy652XwFc
MD5:2F6D32EA47313FA434FF2EA7F428D43E
SHA1:B6A9138C6B09C2E44A15B55DD49ABF03B772B6AD
SHA-256:F9A7D1CF04F54185F9967132CE43281ADF0E6B628115A18C6A2C92BC4409CF53
SHA-512:18E89E1C24F7129437D21DD2273D7EE37B60335B1569826F1EAA55FE8C829068ABDF8DF7565857D12BA9D308BC86F5F11714663486CE836FA316C9E7E1545C26
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1269
Entropy (8bit):7.836155271285988
Encrypted:false
SSDEEP:24:kQXdUmwQgrsDdyJYOZpamBkhv7Sj5vAINEVbuGpjzeTJHI:pNwWTupamBkhv2FvAGEV6YzeTJo
MD5:3621056E9A4533B392CFB328DE94EEC4
SHA1:1ABE926C1C80B9E31561646CAF6796ABA73A78D1
SHA-256:5B0FBF68299A4EC1A2392930A5128D83D745EFDD9898ED9B3132DE2622FDFF60
SHA-512:FD7AC3BCB16C3FE4FD576D03A9212AF0D24870A22636C60D9A23956FFDDAA24796B635E5B8B229F278F8BBA294E32D1370F7212285A371F4DC3ABF1E3C3DD8CB
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1275
Entropy (8bit):7.869244211557274
Encrypted:false
SSDEEP:24:K2aLFwXNhZdxCWNij7uArCQ1kqXf1eIYOoU/oEtoX+b5aZI:KOXNhZLij7uGGqf17fAEGX+N3
MD5:E9F7A64CF6A16213E08FA70D55FC4B6C
SHA1:5C7EF3329C108483F1D4525E41D28B3EC26DA564
SHA-256:1ED7736601EFDB3FF246520EA213CF99F43326BE3B6B8AEC5EA0E50136CC3AE2
SHA-512:6B4DBE9F92E876C7C2EAFC608C69EEE880480CB7C2A37C409584BA3E7A50CB29FB9362284D4CD4D53810D074C799CCD88B970A4892C2C80D2D5C240E33A92CDC
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1271
Entropy (8bit):7.842945274981597
Encrypted:false
SSDEEP:24:E1ThAcdkSP1cl5srmdd/5WZOvbaJQutQxBX56ptHQX/L/M/I:airSP1MpRWZybaJRA0vQ
MD5:D9D1043C5EAF87B09502AC18070590E4
SHA1:E8D3B3D68478A8544F066D4FB0244A8784F9A61B
SHA-256:1CDF85F1B20C083C027CCFEA4D120AEED9D6F889098C57F1E7EDB7FE3372D1BC
SHA-512:37057327DF365F27A5889A32E7F50778F03E034F93EC9753A81D8F530FD369BA299E5E5D49450BF8E7E700F3FA6CADB39A9E405F9137A4E62CCA2DCBE297D788
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1269
Entropy (8bit):7.8384475996452805
Encrypted:false
SSDEEP:24:jJz+/PSzok4A5swzaD7SqF4YG3tkuzFnbNybyHOTeLVDDI:jJ8Sz/laDmqFBctk2nbNlIeLV4
MD5:610D94C7BA5C1CAB0F87E742C86B5F6A
SHA1:AD49307AA2AF3EA0BFD3A01DED4664455B3DD32D
SHA-256:BB13973D36D558574BCF02E32BEB026A982F11AF165CFF775C17AE3418AFB260
SHA-512:D1A6D3C099ED10A3EB4E58A3872865CF60D0B28BCAFD0C808BD5B48E941C5B77ACE47F511D6D17884A69C24CC8E4BFC288A7A93AA4F69DFED76F92E368BE97C8
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.02936286887508
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
Malicious:false
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.02936286887508
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
Malicious:false
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.8305804620721915
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:AF+z6uvY0HsremlCSk1csFkDQ9L/nZLO+ZP47f2D7I/u6tXep1KI:C+z6uvY0MreWYTkU9L/nZL4e7Im6tupp
                                                                                                              MD5:A3FA2338E5571C5BC2D4CFCF51FAB9BB
                                                                                                              SHA1:A7EBD87E130301C314C448713F62B0E6B71DC03D
                                                                                                              SHA-256:D4234BACE830CD48033BBF51A7EF46940BC093E6AC5D377497A45019752FDF58
                                                                                                              SHA-512:FE68D3A31B3016E93F85B160FF17CBD36535F41202FC7288792C3F20FF841CAE125AEC16E0D631BDD34D72CBB31744902644A303A9DBC35869FB887119245E0F
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.8498752082369165
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:z0ehaogjw7Ff9ntmxmVB8YxzB47U2AKqqDKBiZ202FwTLlzPincZ6lEDKI:rhbCylngxmz8Yx14QVKqqDlZ8enlzPi+
                                                                                                              MD5:2FF4853D3E15BE89D5CD7D5D3CEB37F7
                                                                                                              SHA1:61F6E45AC9183888BD35DDB5D2E90A2F02D8CDAB
                                                                                                              SHA-256:C1ECCC400F9AD24B9B05EE0C42215C7C19A3D2B17765F7DF58746D51C5382DFF
                                                                                                              SHA-512:1FD6F599081C2F8E6DD1331F1995F4A95561D457CB15BE52D62A2932C218D43FCCEC114C21E2F00206DFC49A1925B0FFA4BF0D87815A27E21BAC38DA20C1400C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1271
                                                                                                              Entropy (8bit):7.846814521534512
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:Qsbnpu8as+wobE58V/YobXbiuTak54jrZ5KygYKpTjmAxqTbUjiI:QYnI48V3Dbi9D5KygYKMAxqTy
                                                                                                              MD5:BF28596865059861BB5CDA7E6E7A1B4B
                                                                                                              SHA1:8A4C1C15E4C788DF9CC2B3AE5206BFCECE139A11
                                                                                                              SHA-256:BD92E84067D49F7EF66DA98235616442EEFFE1BA7692BF6F715D39F3E7F72F1E
                                                                                                              SHA-512:22ED8D5B4116EAB2C21E7AF0208B2722FF76C026D0C9DFB90B1EE7E3BBB5FC56C7221C56C4674E0B4F37CFC00ECA06AE13563A5B8F03363E5587E96C5B16844C
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.856039021972144
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:OPWupzr38FNpECeNTFroYKGYHNJyqt1oRTRFKCLjpPj9I:OPWuZ8FNChFoYzYtOVnpP6
                                                                                                              MD5:14631ED6936E45C27354D51AD0AB61F7
                                                                                                              SHA1:57CDA6BE81A0BFF8B076E5B22B1BCF99632C7AE9
                                                                                                              SHA-256:6B64BD67E2A0D54B64A18AE6FDBC7A9BC0E454F49FF397F85BC2FB5721C39787
                                                                                                              SHA-512:CE05B82A950BE5216EB3728578E02FCF3030FAE314BF17B2D214D2DA95A74FAED97100E5AD0FE1C1A4EA8A3240743160692E3235498C1F91FCBA192E86BBDF74
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.838853703203386
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:ysdULz56lXSMbQ06wSgq8Mrd9I1BmaTK9AHqexWjUfntcnsJIcrI:nd2olXrbATgq1p9IvmaNfnasJ4
                                                                                                              MD5:5BD3816F41E03002050908CCE862C3A1
                                                                                                              SHA1:ECBE46F5D65D6528BD50EEFDF2DFCF7528F3044B
                                                                                                              SHA-256:F3D3432D5E50D4B3C05E1217F80795B80C70C78DA919B79A9BE04CB27AB451B1
                                                                                                              SHA-512:0839F0534C9165EA1831368379441DEE6E878511EDFE8036AE8D7BDAB9F46469866BC81B0D359D65D4DFB4D1EABE02559F872AE6D696E8F9BABC5A6B1A07C11E
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.867267507150186
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:gttSzWIn7EqRRWFrBhth1ig6BapWEe7SkifsF9rHmTXPnMVI:ItSbrR+rBbje7JfGTXPnMe
                                                                                                              MD5:6F8A2EA0932832493AF54D11D789387C
                                                                                                              SHA1:095CC7F8C8296EB0DA6F58AC86708A69B374062B
                                                                                                              SHA-256:A96C9DDA94728E87C9993F5FE02E673A0F67BA8454B4B330D3C85B30624BE3A5
                                                                                                              SHA-512:B8D1E29FC8CE7B5E321B2516A3DC132E3407C76F77BBF666F2A55089B6374989EE2F03C111AA56A12128AFE90F14B3A7D0C143DE48AB7D1E620FFE6476F3F5DC
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.83202709430935
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:sZsX0fQrIhivUs+swHvMMzgfAZQ3M9FKUvFcGCwitC3QKfLUjR4VpI:PrIh6U7fH13Z0o5vFG7tC3QxjR4Va
                                                                                                              MD5:7FA6D0B9829E777F5A50AEF44B4A88C7
                                                                                                              SHA1:73A349876944775D5C682C42936F69F97D520E2C
                                                                                                              SHA-256:3DB94250F4F6488F4590F953C8ECCF26105B680E8857638A3EF3444840BD96B6
                                                                                                              SHA-512:E0B10F9D41A6E9D3C681C8B6FBA917A09D05DE527695C0DFB6A65A0DFA7105EC1C062276379C9DD7738C2BB454F662EFD3A7A4298F88B51F4D8C3F8C6B3686B4
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.818497234811795
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:VODPeSJsGvkpNfDNezB0+LjViQnw3sJot32Apo2ICPdGxI:QTrqGcfpezBpowwMohdpoToGy
                                                                                                              MD5:D42E55552B94F8ED30E5908255AE0BC2
                                                                                                              SHA1:1B66BB818342C2F6C8B3ED742D787C2A8E5155FA
                                                                                                              SHA-256:18C6E6E8DC16D5F074999995DC6535A14D8CB31A962876BF2F21573DEACD4340
                                                                                                              SHA-512:BCBFB059F9809A7B6090A0170B6907B5323BCEE50FFDACB8E5323566B15885386C116136EF8B01C70723E53A875CD7276C3B339526A1816256943C78A7A31C33
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.8514541109546965
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:nDHAcd2ja9bFa2wTDHrtmOv34FwWc1x9rGQOBw1Y881+Z6yCWCXuWm1LrI:DgchZk2eXtmOovezO0Z6yCtXaG
                                                                                                              MD5:766ACF7BAD10A0978BB89897E7A06513
                                                                                                              SHA1:C5C3C9DC3E5C629857F35B8AD4A6C0446FC83541
                                                                                                              SHA-256:CC6559DA835D79D7EF7916F3C974911DC607796169504CE9E99BF093C4AB3C41
                                                                                                              SHA-512:58790A62D5BD9C6391AD5AF650CF6A4AF7BFCAB9146E63FF7F32FC2F0BF284697F46EF640072929F07826981DA737EA7383D8398225ADA26B12581A335362A34
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.873974958040567
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:On5rd8oznV+95TQRj0BvKg0GJY4n+PIPYzl0uJ2G747wPz/0wfNdWagkI:IxdhznV4SRjkiBG24ndYzlpme/06NdWL
                                                                                                              MD5:4E6B612ECE6B3E0CFB74EB4B45DC6DCA
                                                                                                              SHA1:951B4DF29C5DB164D9305E1081AECEC99A32A799
                                                                                                              SHA-256:DAA01B2AC27CF2C69A7C4128A6A4CE49A88F958D6672917CA7E3B3F16074786D
                                                                                                              SHA-512:768FB62D58361FB1E81B7FE7CD311AC017D7AD6DC93941EF65A86675A6532D8A72860AF64B9E709B1E835F7684A3836280E72C4DDAF1819E1165237BB1DF5644
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1267
                                                                                                              Entropy (8bit):7.830842219128122
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:Pf2F4Vg7ubulalZxVN/TofbZNDIeBQdgxN6+PSe9ijXjZo3bZI:Pf2Fh7ubuaZTybD7uNNfjwK
                                                                                                              MD5:14EC38A043CD5FD3A6F4847339410043
                                                                                                              SHA1:08490000B39B793FB0DA93D9CC1A2695D29055E2
                                                                                                              SHA-256:DE2884DCDDBFFF6ECAC8EA72748293124C0029C44F09ED628208770E703B76E0
                                                                                                              SHA-512:69FED61CA9245342B0879342089EF3212496769473BF10F99AEF40D78C0476BB782DE4FB3DFCE94B9121AD110BBCE5B48216C5510ED392BFE7EA885E8949B592
                                                                                                              Malicious:false
                                                                                                              Preview:H..yQ.y....<a+"x...;...9...]..h.....,.i.-|jv.H....].R.3K...u...........{..Qc.xI.O...?........{.9.*fA....bC.9.......\J.g./.0?...8.eT..~.(.[%~o....K.e.....}..........t..C9..U...X....y.Ad.?..v.-.I...S..#....<........?...N.q(.A....Z..A5BU.W.>...^+..fX..fA.t....)w*$o...9...*...P........".q.5.za.M....O.W.+R...n...........uj.Fb.`@.W...?........o.$.<|O.;..iO.8.......Y\.i.(.3'.5......].5.`.....l..S.h.%...A......6.5.....0n..M......J...}........?~KG.......+..|.}k...^K.....o....*..<.S.....,..r.#D8....{.~|......T.Z...}.D..pnQ..././Cm..>.i..-'8.>d....it.6U|..R.Ip.R.`...j.D.T...9$...|..Zb..R{.n.t..n...U.9.9.....w.H..5......C.,.u....w..V.{.3...[......*.=.....-o...[.....7[...z........?wTF..........~.|g..._C.....|...$..6.F.....4..v......jJ..u?6..Ea..ds..j`.w...-(...1..i..m....:.....<=.h)..~K....>.D../....^..T.>...\Q..G....~AS.E..r..!9.d..fl...."..L.Y..*.\...R....E?..D#.........RZ`./j..<..8.a>Z.....M.IG7[T.O..T-m...H}.3..~...,.04..P..NB....).I"K)..xW.
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.8559716257774586
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GCxbjNcUCbnLKqe1oF9MwyGdpCZ+snyYZTSkKWSPGCf8Lxdc4I:NclLTLMVG2RpTItfQxdcN
                                                                                                              MD5:62280D33B60DED2C9C77F77E35B505E8
                                                                                                              SHA1:598FE3D87D2496056D6541EFBAC40C085198D71B
                                                                                                              SHA-256:C8AB4AC69C4C29392BEC62A9F10D9D8A3BFC5015379155E40D3DA87B9375D567
                                                                                                              SHA-512:1BF20154B95716256A3448955B05D996193E2917B149D49F5F01AAD3E2C5BD4F963A0256E409E70AE813F270348974F51FE510587FC2E2278E6886A714C618BC
                                                                                                              Malicious:false
                                                                                                              Preview:.....;.....+.h....\..@.p. ....^. R.g. .~..P.Ae%./.l..8..e.L.B.\..1..[.*}...Y...c....%k...~...V(.^...j....b..}.FX...q....,.p.t.7r.......-....'.<Q...h`.7-*.._T..xy..21.?.n.G/im..>......&l}.?..K-...)...O../.....0W?...Q..<..G.C`cK.......{..H.......5.....;.s....L..F.g.!....R.:P...x.?.s..L.Jv'.0.s..<..b.@.J.E..0..R.1i.U...u....8a...|...O9.U...p....t..`.@I....l.._p.....o/.+/.....`...m..4,0.)...@.8........nH....c..4.@9....6+.bv.9...;.zB.........S.L.G.... &..w...H....#GCi..4.~.w/....+z.....z .a.r5z.9.%..am^....:*#.e..%.sa......=3..ve.H]....w;.{*.....)..i...L.|.t=M..Jf...y.I.....&e....:'.."-y.XVj...,kY..G{.....x..;%.....}...a../4?.9.....V.'........q].......5.U$....!).}l.2...6.r@........V.^.Z....+5..f...Y....'R[u..0.d.}5....P..........j...&.....$O.........@.I......F......>.....xv.WZ..+K....T....J.........j........w...:.....=>.z.P....q.l......[...+..i.+..vc...!.2r.{.g.A.."....'...Z...h`.T.Bh."..x..q9K......\..r'.;+.i%...d6.Z...O.....`.
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.858753681978777
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:PbWD2/pAwtrvzE/Wn58e38EVbJkv8baQVeseaohgOmMMujpNNz8pI:Scp5Vvzf5hvbI8baQXkgOmMMujpH
                                                                                                              MD5:2E3C3A81294ADCC01EC89A0F8C0269F6
                                                                                                              SHA1:10FF5F8AC7CA078CBEEA20DF82169947A2B8E927
                                                                                                              SHA-256:970E6B9F843DBA3D0EF7400717F18851798A8D003EE4ECED115A0CA8F1A7A3A0
                                                                                                              SHA-512:1204A6D61474E584180A90909F018FB38672437E249FD21369A2146DC50E5B7A506CEEC66111FC24FD5E2BABE3498BC093C2D8C135A36F633778824C07FCD33E
                                                                                                              Malicious:false
                                                                                                              Preview:.. w..].pl@.....UW]...|23....S....d_..pan....9...b......2L.@5.....d9..I.......f.....z.../....U...(..(.P*g.H....o.+.. ..}....\..r..+,.Y[.fR._..4..[.>..\C;w.+..6[.....wn..r.W.U..M6....D.@'...-.G..8._%F..S..a.....Rl"........l.W.."...p..#../9..4g..Y.|}^.....FBB...f63.....Z....cA..rrr....'...n......9Y.\0.....k0..T...o...o.....v...8....M..."..7.F&~.R...}.9..$..tW.0Y...4........H.q..j..{.&...4......xV9*..]5....+S8.4.%.a....y+-"......IR[Qr....C . ....L...d./G./.....BV..c..3+.n.."........_......K..L...?.!.* )T.R....F....2.H|*....A..r.8.M.@.b.H+....<..^$m..H..C.W.`.......LT.a...+?..H.D .D.....?'.s<M{g..UP.OO.7O...,........V.t..~..i.-...-......dJ....R9....<K;.+.;3g....i1 5.......SWPLe....@7.=....F...`.4U.2. ..._U..j...(?.x..>.....*...;0R$,"'N..y..]Zv..........oW=..-,.4.F.%..E.3.A[..U......G..&QU]...#...............9..3.s.=..d.6c..u.0..k.....Q..-.....,..^h..<1E?.i.n..g.P...9O...I.Fm.W...S...n.uA..8.7.1 ..4N:A.....L......y..d:..O.>.... .........
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.827106568655308
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:SPROC1TQcESBH5XZ0eRq5Ys9DCJxWO8IibjsI:SQWBHLRZs9DccZ
                                                                                                              MD5:AF042A2A660D2E7B7B9D1219E636E2BA
                                                                                                              SHA1:CFC7F4AD17242926328BA4771FAF94FB429D8DF3
                                                                                                              SHA-256:2A451713CA443D464E0844C4325612782C91D62ADCA76393124F15C4410D41AC
                                                                                                              SHA-512:5209C03F3CCC3528AD1544C0DBCDDE869DCCF711F383E3DBD02C15B12CEEB74A926BBB51B8F34B427FDAF7893542CAD7AC951C85F7151C0B97E602C76CC32BAB
                                                                                                              Malicious:false
                                                                                                              Preview:..~a.....@..=.U...6....7...)..8 .{R......7M.7.:VS1.Z.d...).-.~qf....qX.M.......P....;!.I&lN.5.`.L...e......{y~.e.......Jl!.Aw.....%.........MO.s...[.......&.......MG^\..i)5..&J.>.9.:....o.v...........@...B..,.~.........f...}:FMM...C...f...O.Q,....bf.....A.. .O...;......3...9..?&#.vH......,_.8.(NK+.J.`...#.".u}v....xB.G.......G..../4.W;u@.:.s.Z...z.......wg.e......Fz+8o...oW3..'h..y.M"...G&.a...H+..XL..x.B..Z.8.c..........>.^.&.k.I...pB.p.bn..=...f'.5..0...B....h.!J.b.....v..-..d.S9..k..s2..=..}.......I.gMt.).~._.t...ta...&...G.....m.E..x.~<8...x@.o<q.-....sq.|!..x...@.....>p.2.....1p....;-.....xzS.&.e..j...oV)..1d..i.P+..S..m...V1..WO..q.O..X.,.g..........4.V.-.e.B...~\.u.xp..:...v:.%..6...N...o.&Y.d.....m..=..k.P ..p.w/.5.Cu...d.6.[aQ.`7.(.~.u%.Y.k.Z.....;...........M...\..%..M..L...Y.`Y.%..<h_f....Tzb.b..E."...Ll...5}.......Q...,..sK..B..=.'.J.r..~..x.Yp^...=..2L"d.....7.....h....D...@].b...w9v..U.:.PP...,.P..I].......q.........|..+....
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1269
                                                                                                              Entropy (8bit):7.861044323495584
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:OgtpDHx/XakOXUKjXeAOx2MsHrICG5Fsfu9vqK83czeuW6HjG6c9tI:OgnSXzjX+UpGuuVR8AekjGX9m
                                                                                                              MD5:243C0E0EDBC31463BD280FE2136B6908
                                                                                                              SHA1:2914AB6F35C99DC8305A34714BB7EAADA970AC8D
                                                                                                              SHA-256:A007B47AB7D21B09587E2A8EC1297A07A0317F0E91040C98E51D676C948A2761
                                                                                                              SHA-512:B198079A004A102F0BADEACEB3E77F2EC6A07D3C1B7E938332A91919A6992349B0FB7CA2DBAA5E6E22F8016D5B39649C1DC4FA4F4E5F47FDDF8354B5F0F5D530
                                                                                                              Malicious:false
                                                                                                              Preview:O.=...3.(F<?0.....5.L?...g...;.Q.....s.. ]...(.Mv..Ql.>#..Fj......U.......nV.p<...9...T}..#.?!..Y...4..G..2U$.......F.u.B.?I.g"\.....T.j2g....9.Jd.qG9S...,.8...../......O..(*[?`...s[...&L.....Z...oO...Z.Z~u......._+.XhClK.(.R...?.*`rp..-O.!...=.+G05-.4...8.U*...c...#.V.....i..#Q...'._n..E|.:?..L......X.......aY..t1...,...Ms..%..'7..^...9..C..+K$.......J..7aL...L.f$...r'. ..o.... ...........E.o....R....d..TQ..[6.B. )dI...p...u.7..K...W.pF..Z.".e@.)..a.....[,.q.s .v......;~.{K.R.=k.)=.W.+......YU$.E$o}p....O#e.X.N...._..N..>;.E?W.Z.eK.%..N.....I.|..l.+j.i.s..>V.T.0&..t.....S..)w..Z......W...[...B!d@...M.{*...q:.?..g....<....-......G.{....G....~f.C].S;.N.>"iZ...z...k.%...C...J.oD..[...fU....j....]7.g.u0.k......?c.....;..!.\..plm.KT.A.v.,2....jJ..N.xQ.b..;w......6H...C!."\.....p.P...3..&n.*aq.(;.D.....f>.?...*....:.h........[<...S...{. ~..j...g@..B......K&.c.6/*..K.-..%...x.!.+../3....U.....9.6...CR..6.o....W..o.9)..s...sN.U
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1272
                                                                                                              Entropy (8bit):7.84106542252131
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:b8tdGyKjZSOe0mQ4tEF26A2BlZZ8GNOseFPItX7Ew9I:b0Iy5Oe0mQG8lvBR/OsedWX7Ew2
                                                                                                              MD5:7ADFC24CF9AC622767A98B5751F0E862
                                                                                                              SHA1:1C4AE3DFE194A35984EE70F83735D8FB5EBD863B
                                                                                                              SHA-256:85E40372648724F959D93964B88470DF47669E745D8EA29A8F3F8131ADF63F6D
                                                                                                              SHA-512:19101F7352F125DD03D6FB484FF466B090F1E9EC52D9424FFF68BADA554E026B55D601ED0CBA41B0BCF423DBC3BA855CDAFFC3C4D2427F9498BC728B18A457C3
                                                                                                              Malicious:false
                                                                                                              Preview:.5..*....\....U...&.._3.....9..p...a@..E....J..b6Jx..b..m.}. .....T.d.....@..r);.9.-. 21...=.er"....m..H..Z..&.*b.5_m.|...w.].W..{.hva....Sp$....V...p....P.....#..X..K<t......wRl}[....t$c|.Mu#{O...-.*..._:...[....q.g.H$.#c.k.[.@..e....f\._R....V}.#..!....Q....Q... ..M9....(..v...`W.._....E..q9^s..z...a.q.<.....K.o.....V..v,,.,.;.(!5...7.`u/....|..B..@..1.&m.,[u.|...I.K.'P......b.y .%<s.[.;.U..oF...t.w.l[|pr.............r..X9...krA..C.qlv5....{#l.q...5..;..V.D{...eD....#..s..0..../..1..U.r...@Q*.f..u.'..R..x.........q4...*.....7.*..W..;.B.n..W.|..i7]'._"........{S.]7D:.X/.O9) .G.x.D...M.x.|.[..\...0"%...G.Y.._......~.h..+;v.V.+.G..~^...f.h.h^ild..............m..\3...`nB..T.e{f(....k<s.i...8..&.._.[|...dV....7...o..5....-..5..t....v..N.g.C.......~.N+j....6b`%.....Ax}q.K...h...G.,...~).G.q).q....x.iG.L.....f!.KY.....:Y"...FU............*...j.5...[.=m.;.kd.x...^.`.gh{9..m..U.....`..2.X|d..e..x."..s)U.-..6.~...lV..J..B3Z.UB$.6j....~.N.Q.
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1275
                                                                                                              Entropy (8bit):7.81685041311252
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:vhfl+ODapCqkVmRSmmV3ZeGHrSCGSQ4c+ymO3osXzcxPI:vhsOkpkgRiVXmCZQrXzyg
                                                                                                              MD5:D563B1D45896430231F7C419B73ACC93
                                                                                                              SHA1:4B02244016E3249CF4160E44D9A6FF0F1D6CF0E1
                                                                                                              SHA-256:F1BF23AE929A040C74B0C982A8EAE45AC833555195FFDCB77CF9C0BA0AAAB527
                                                                                                              SHA-512:38A9AF30FA8679818DA3C33458DC46AA9753AD782D352C439FD5616A668C2FE7566869593778AB9131F3F699836FF3C0A762CF1528812CFA2E29200C69892920
                                                                                                              Malicious:false
                                                                                                              Preview:...&.....H6)._....^.i....M.......f...M...H.vK8......(...3AI.dE#.'.T....(t..N9 .s.e...0E.^%.).....^J.6.....v...\..90b..].....2y.QgC...~.].. .......E.n...y......_..~.;. .O.. z....s.S\..6.........J..#..H..?..G...'g.(.......X0...Z...qLT..3...M...P.i.'.....^+1.T....P.a....M.....g..U...H.~W,......$...<P].vY=.(.W....&n..Y%!.b.x...5N.D%i,n....YI.!.....f...P..$3p..Z....L*.g.;.....I...C...XQ.5x.6....pWL;.Y.@.S.(.up..,.`F......'...H.....e.-bn.S...@...F..f..=l.X6..zB!o..v..G.N..]...^..........ap;.m.J..&.y../.tH.*...q......K.N.@.S.iK...2.]..6.t...r..IcjF......K.W..._.*"..S..;..C..U.CXo....m(....1..x..v7..J..Z..!L+.s.:.....I..._...KZ.$~.4....sXM(.\.E.U.=.sm..4.aU.......*...\....e.5tv.\...J...E..t..3m.I:..|_6b.....H.V..^...@..........-.En9...Y.{a..../.1.......'j...:.3..x...Z...u...3.W..8.cW...E.+!.......>...PuB.w?..y5.j...p...2.......?r".^?... .g...&.E..EC.A.U.5.D.g........=.Cr..tf.U.+...t.^.B6..6......R.@.(.i...D.2......p8.R.A.W:.+...gS.....M
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1273
                                                                                                              Entropy (8bit):7.844477620750126
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:Hs3cXVzDhBZte5uLYTsYwvyR3saFOHmKL5i71va+/XCC0I:9XVzDhBaILYAYCs8aFOdNi5vzXn
                                                                                                              MD5:38CE3313FD12898B518157C163B0EF1D
                                                                                                              SHA1:673E61F25B14635D75118CFCCC048547065C295F
                                                                                                              SHA-256:7400DC7439CB76BDA98E8215A9A6DC7C53241C984E35F5CC1A5C880BC43888C5
                                                                                                              SHA-512:E49901E690931222F847A5B29D4C8DB51F963489F3BD9DAFB34041A8E52CFD430FD89ED8E48288C712F33391068C71A6D8B1CCA6C8159B7D4920733627A1F6B6
                                                                                                              Malicious:false
                                                                                                              Preview:X.K....._J1.....4.@^..G..u...O.....^.,..xe....U.*...c.ht[.2.2..G...g....8.].K..z...>......H....0w.....K.j./.2cQ..~..[.G...B...O.....1.^R.....}~.Y.W$....f....5K...o..u.q..&....!?.]0.I.x*}V._)...[...-..d...\Z.p.{.[&......N.@_...!q.S...) .....I.w{[O.@.....]Y'.....$.\P..Z......^.....F.7..qm....W.7...|.`{J.-....H...... .9.J.J.d...8......M...+p.....W.z...)oK..}..\.M..c.....e*\..Ho........1k<by...._N.a....f:N..GS.5.?.....B'J..y.......[:.C....P;...6..B.Gf..q.1B......._....o..U..NR]xh....{{.,.txk.H...4>......vS..8...|+.d=j8.$..3...F.4Y.hq.,..?......A..S....g.........2F..n,..D:o.......:N..].G\..r8...2.....c.....y=U..Hl.......7c>um....PO.d....`;[..ZA.-.4.....H?[.m.......[?.U..p.K!...>..P.Ig..}.9P........P....l..T..FH^{q......0...LK.Z@.....vZ.k..H...B ...k.W.G1$..h....'q[LP.'.]......$..&^....#d.;....j2..jF.................$T.1I...u...).s9..A.........y.....4...v..gsA.p...S..].....+.P.....e.....^5]a<.&$.T...X.....E..r....a.Z~.NG~t.....A.%m.{Q...
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.844570473630025
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:qW7kwnmOFUuU6XdypQ2JlqJyh8kMPOIyH18qlMRzq0LGWquJk1I:q8kwn3FUPpmXk8OX1l2z7Dx
                                                                                                              MD5:2BDA0627E5FC33C723C6BB766D659FB4
                                                                                                              SHA1:87BCBCA00E2D9E2E5E369D04EA2BABB7BFB4918B
                                                                                                              SHA-256:A7B77585023CDE07B8DD447EBAE7142334355D4961E8EB3E45B2E39F6337C688
                                                                                                              SHA-512:8F1F083007779546A8824C49F2B8827A2922228C7071C68D68779CDEC046981E720C3BB7BB2436286CFEAAAFFBE83F955D85AEF85593409EF4EE3553CF6B1CAA
                                                                                                              Malicious:false
                                                                                                              Preview:..L.d..+.......Yf.....K..Uk.4.<n..;.p+d..d..j..V...BW.~d..3....{.!.>a.wR.....e.E......]".h6...k.?wt'..Y{E......q..,...X....&.n....`G8..{...&...W..X_.b&zt...\F...4@..\.G.....>..Gv]....{..rR..f....{......[..`*.......A.c.%.W.j"R..:..~......@J...;3...^.b.4......Y......J..Cq.3.$|..;.|$...f..u..Q....WC.ci..1...u.*."`.gO.....~.O......V/.}#.....r.1ta7..NwP......u..0...Y....D.93.(...w4.v>.R...N.......;J....O...k.......g.u..S.4.a.d...|@..1.=.<jZCn........~....p.6u...-......Z^...rv.s..}.....Q..w..\.v.G..?(...H...je..or]...J.d+m..".:bJ|'..2.B?R...e.`0.."..[i..d...#Y..&'.....*..}g./Z...z...Sm*)......w...&.K.|V..V.0<.+...q..s+.^..._........;P....M....t......d.w..M.2.|.p...tZ..#.,.8sOR{........g....a.?k...$.......MY...un.~..g......C..;......K.t...L.(A....=.=q:>:.J..W:..l.Jz....5.c...Y..of.&.,0...n...}>.p.M..3Wy.X....&....Y#-z....[N..%..G.DC|.)...$..0..JU.~W...;U.....8.f.....u.@.....|....*.|...}.%...j.~WR.wT.=.....G.xH$....... ..Y..5.._4g.....@......
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1270
                                                                                                              Entropy (8bit):7.865031311553103
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:TxVf05FpRO6STbdHrz/x4MZ93M98GxSgA2sJBrI:Y/ANn/GMZ93TgKY
                                                                                                              MD5:3243987781A8F2AAC8069452CF5A482E
                                                                                                              SHA1:15853011CAB74F004F00512EC827417C56947C87
                                                                                                              SHA-256:C1EAF6A241CA94B32917BD0ACE291D47AD21E96855572DBCBFD05CACD9872317
                                                                                                              SHA-512:0A61982C9DEA1DC1B08CE842EAA4914DAA0E6C4162350F81CF10975AB48D1EB9BCE4B6922AE80765F3C503F0BF85312929D0776B2A997CD72D6D58937DDF84ED
                                                                                                              Malicious:false
                                                                                                              Preview:...G.w.....GhX......e,.-..F.J/....I2.............)RN....>.[.[R..ck6V.R.GK...K.N...k..Y5..o.../(L..!ls3....y.........tN...`y..w...`6..|..B...eY).C?.:.H@..[..8..<"..i...*...\.o.. b^.n.0....V.....<.Wg...{.P.A.81J.Jo.7.8...)...*qS{A.4=aA...|.n~...u.......Z.c.....UvX......q-.&..\.M1....I,..5.......5P^....3.N.FC..ma=McS.ZN..A.Uu..y..H>..z...+-R..5bp&....l........h@...a~...\y.]ci..p...$I.H...y..*.-....j.f....U]vR..(..,..0...,.Yn)..%.Q.......,S......9..@{0Z.w.)*._S...5....J..I...pr....Q..%..J.%.l.......m.....O.c.........3...tj...E8ry,.!...hl...........r*K..INA.\...I/,.t......t.+.E:C....6..)....,e+..{....Xp.X`~..x...$L.W...s..".!....c.i....WAiO..8../..2...#.Js7..,.Y.......)W.......Kx#^.n.)$.N_...$....P..T...`b....@..?..K....\...*-L}86...v...t;Q...*H.m..D?...K..Y...U.N.j.}....J2..9.<..A]%.k.Vw..knmW.UZ....~3..m...Ie..xr|Z.'...9 ..q...K@^... .e.9......kqZ.ex...eAG..q....c.f....6....7q.......b.U$.j.._..f..c..#..LK.Oh.(.}..:\...P........
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1271
                                                                                                              Entropy (8bit):7.827968435926007
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:T37tb06sEA42AMO/YRIko+rQGvLMajG/weGHRFaE+I:TZbNQSkZDhjG/wbRl
                                                                                                              MD5:1F9382AEADFFF86715615673EA8C4BC5
                                                                                                              SHA1:0C73D4B669453EDF37AA6BC59FC7320BEB4546F7
                                                                                                              SHA-256:9CADF086009C946296220447FD9A3CD55798798F2A538A78C412DF023BA52031
                                                                                                              SHA-512:3DCB75D22CE9E5F94072966DAF54DD743A0F27EAAF7DA04CE1AD7E0F7B5F194DDE8C577EE9CB1A8439D4256F9969CC002067289C289641C9DE4AB00F84EA383C
                                                                                                              Malicious:false
                                                                                                              Preview:>~..3.i2g0.q.k...?..jY...#m:..p.S.*......(.....@..2bD..e......e.h...'...K.X.)~.cn.""l....p-..W.......Z.0.R >.0...]. ..sqT.w....*...[T.....M.....f...1!8......-... |Y%.... ,....9... }V.,..>....P....*x.D...\.|.x.N.d......./.].65\.\.e).....0J..U..M%h..'.v5g3.o.y...3..~X...5w0.h.S.*......2.1...\.>'vY..k......n.t...:...J.C.#s.q}.3)a.....t(..A.......H.<.V;.."...A.(..rvZ. ..D.i\...+..\...V....WQ...3,m...U.Vr..}.vP.w-NC=?"}2^.TT.&-htqD.K2._j...-.e..@.....a...w...#......B....B.v.V.D<SM.S..B.u....C.U....g}.r6d...`....Wi.a7Y..*A...p!.Bdp.?'"..xt.."W....\.A.0....nP-....4.q.~..............i...v......tz.6$[.....<E..o....".2..K.jK...9...Y...]...._R...,'b...O.Hp....iM.l=@T><".7P.[R.;3|yxT.D#.Mg...4.t..W.....b...n..."......G....A.x.A.],C^.K..S.r...._\..........0 .....L..:.e._&h..K.q....).8K.... K..|.g!...../.+u.e[B...3r.....r.4DG.......b........u..'.e.W'....t4.xI..,..Q...K....;.S...($i.....s4..3...Zj.......N$j;."W.ot...).....CJ][.*.Hy.j..(+#...g...I3..!^..My0."O
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1269
Entropy (8bit):7.8567389280540745
Encrypted:false
SSDEEP:24:6nBJs1g3a9MXGFalTtSzK0wC+W7BnyFgRdD/4t2P4qfL4LAj8I:6Be1gK5FQVLpyyieBEL4LAp
MD5:8C15FB0811BCF5DCFF9C6358B95E4E99
SHA1:5EDDA4E33506D7CBA0B4E4694278D1E415EA28F9
SHA-256:18888606BF6718AAEE46FD3A1CAC9E037DD5A6D356287C3553001DEF9FB88027
SHA-512:B0B970003464070EF94A64B1F01C00F9BD49EFC4111D4D616EC30D197AE2A6E522DA8C49FAE363E17F5F2B3D230C60AA0E372F6A46D96EA1624FB2FF321B230E
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.02936286887508
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
Malicious:false
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):350
Entropy (8bit):7.33702319330694
Encrypted:false
SSDEEP:6:HwaAAykvM2w6we9e4MXe3coSL+9dKWvdsGxYjJ3924TRTiGSU9Q:6cvMX6n9e4We3ZO+W1l/Q
MD5:CA0DC1FFAF11EFF51DB49AF714AD2DA2
SHA1:95A05ECAFB7E17A72E5AF88CD5B847B0D0E14313
SHA-256:5C334CD10A5C4FEFB6D7C6B83386A05A5A72EF9075E90FE7BF81AD0211D1D71A
SHA-512:E5C8E5DE881EEBF2253719F168C8A907B4A9B8EEA867E77727C47CB64D27BE670BD6C9B14D24FEFCB7C947AADE99E95C62CABFDB163035ECA7807E37FCCC2949
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):443
Entropy (8bit):7.415735803222695
Encrypted:false
SSDEEP:6:68qsuSV6bERaAvzmerInzAZDOT1hI8rrYNikgx7RhJfgd3tnFcyQWZTdsGxYjJ3+:tLwIJrInOOTxrRtfY3xcl/Q
MD5:7DBBED935A490DBC57F0F42E09A89F37
SHA1:B62975757DB3A03FE0BB9827E408CD6D8C8FCA1C
SHA-256:65F02CF79A02A13163BF0CF0A76D8B8DE35F2AD13E6C68732539D9F6FB2C138B
SHA-512:62B583F60F03993770752C59BE186947BC92CA5A4533D1F7B931167B5532799544B9FEF4EB9134936DB84EB6BE0013FF272E8B3934391582D46E7FD5059E12DF
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):355
Entropy (8bit):7.38026756667587
Encrypted:false
SSDEEP:6:e4TKk9KhWdMghNg0Wi5YHZBC4NIvTh97MWvQdsGxYjJ3924TRTiGSU9Q:Ph9FFg0jUBCOILh97hVl/Q
MD5:7C06FD6AF5E269850F45D737B3F34A0D
SHA1:C3F5A3D5970564EBE1C635F6BB95F9F32C0E34A7
SHA-256:A48ACB4DBCFFDECA3D013C13BE63AE5D3FA8ED29D9A2A92E1D28C256A1B60576
SHA-512:1009D68DDB8742828FFD953613966ED8FB0A82BE8F41473FEBA28D8B471AEF317F99E94D83A29843CA8CAB25C2F4ED7EC9457F876FC8B93A8DA9A3857ED52269
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):347
Entropy (8bit):7.350966070191466
Encrypted:false
SSDEEP:6:bF0Vel0D+jNHhkSn3gWWsH4AxEVRnptjz8UTdsGxYjJ3924TRTiGSU9Q:bmnqhkSQWD/EVjRgUWl/Q
MD5:7E0DAF7D1B0F2B32DAC3C4A2C7A0CB5D
SHA1:F556CF112CE8F59768BEBF011BC1386B4E6FAF0B
SHA-256:6D8B60FECA41465A49B7DE81913643644179A414DC095CE2807D725F764E7533
SHA-512:08711546921DD1184F2EE9FBFE29AF6BED7C143429B9AC60FCB92DDC1EA36EB1772A521E917FAE0B3AB8651882BE483D048C0F330641BA6DEA6D48AE3184EA94
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.02936286887508
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
Malicious:false
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):344
Entropy (8bit):7.362410767830321
Encrypted:false
SSDEEP:6:sOQ0e8RZ3rI5FaOeYsV7Rhrpkxu+ik2L07TdsGxYjJ3924TRTiGSU9Q:jQZWFrWaOiVRkxu+ixLZl/Q
MD5:4F0E57AF7C0F23D6541E5F274357B925
SHA1:7F5FEFA7E684522A8F1A3F3B5C18E8475871F118
SHA-256:B59647A894C32F682B3C95EAD4B0A71F1A40B1D4FDD105B0CA7FA4F318B981C2
SHA-512:FF9BD4C18409757B2BCD0F63D1C5610A56D6634C49651C18B211FC06F9849F76678E2BFA7F92D9AED2564E3E0263078D7C1D104E648C335BCFDB6FF568BDA373
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):353
Entropy (8bit):7.316183996383061
Encrypted:false
SSDEEP:6:vk5EWmykxqubRyrRkUJ8pQL6mumRrJXAr/rtWvE1e481FTkdsGxYjJ3924TRTiGq:vk5EjycbuFHL7umRmr/rka8zT5l/Q
MD5:251B5DDAEC567319CC59D867DEB91D6E
SHA1:870FE64778A85F0440C789D0CB074A6C3E4152F6
SHA-256:443AB8ACC94CBE610DE0C7E3767553420F88472812AAF61E6FF85D9AF8C77770
SHA-512:0C9AF393E1697C6E1777EB29ADDDCA9CEC210A13143A03581A725DF24AA5C76175C9E509B4DC903B5141F99A2434E4EF0D2FB0B4DFD1DAA5AF508AC17AA32FBF
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):349
Entropy (8bit):7.361923744874261
Encrypted:false
SSDEEP:6:nGKxUFOhvAkVdgJNVPPgR66HgRpAREbCA3gXPNReBcVONdsGxYjJ3924TRTiGSUq:nGMUFOhHGBgCpAHAwXPrTl/Q
MD5:1A7841E5DE1E002C61A34F5877DA7A2C
SHA1:1AB22374377A617EDD7D38C6FF543C5165E8A277
SHA-256:6B3DDB99B43757F0FFE77A3B510FE8CE027071E223B5B7F01E5DB5952C455E3D
SHA-512:685743A914CA87FB317720CC87A903C2415B4A612A61BB9AA732C6B4F1864A7FD5CAAE512C2EC764CF887CF2C3E9ADB35C33A9D83545ACDDBB76A7611226AFB9
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):350
Entropy (8bit):7.458709166066319
Encrypted:false
SSDEEP:6:PLeHXuYFbvWc0RAqCQWREbCAErGHCmpF/a1DEVdsGxYjJ3924TRTiGSU9Q:PLeHXuC90/CQWHALCmpF/aBEkl/Q
MD5:DDC7EDA632AE3BBB96F5E0A0BF0B14F1
SHA1:66EFC40D52AFD45D10137B488093D29BBBDE2889
SHA-256:43280F46D48E7B40C3B90B8477EB1DB2E71D434158C8612A86D82FC452875A9D
SHA-512:4288F1CA3993DF47E71FBC9010C05F80C009233A785F2A7F0E5B51E2069BB384FCC484B3718079C81594F28C9BFBD4D09DD407CE73CAFB1A5F78752819FB726C
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):356
Entropy (8bit):7.383468386008189
Encrypted:false
SSDEEP:6:OylykiWazR+xwUtlAXIzoFCC6OqC4OHyl6lDgBdsGxYjJ3924TRTiGSU9Q:OyEPR+CUtlAYEF8CPD5l/Q
MD5:A39CA6535340259869B66F10C2954660
SHA1:672CB93835FD6102BD6C0ECFEAE5F199E9A69EC4
SHA-256:84C44989C129F8A61FDC0BC61127C181B7690E355BC4EC42D7F0AEA616D160A6
SHA-512:AC4D6D58C6C227B60907F52263F92689B6642A54E7C65E9C339626F3B4973BE6B63A71AE785F7FF92089C8BC46F877BEBED2DD73A7A5EC2386E292453D70545A
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):350
Entropy (8bit):7.393336067434213
Encrypted:false
SSDEEP:6:R3iwu1kQ74/+fXUz0Tr10Lz6EbCA8AiuuFhVDW0cEVdsGxYjJ3924TRTiGSU9Q:Riwu6uWbzKr10veAmPbVUEkl/Q
MD5:BFF943624DFA7709FCC49FA449462DB2
SHA1:3BE8BF72DDFABF208F5A25F6657530F2B656C6F4
SHA-256:F99E7FDD1A1DDD7521EBA714B3A60C9E8B60657A59364AF4530E2DE85AAD7EA5
SHA-512:A3DC4E8D46733B249F55E8CAEA6C137A997097E1AC9445B09A6CB6630F54F740AB567D3C3E088171DD3F43AC126854EA866576E1301FB0271C316B6D3B50051F
Malicious:false
                                                                                                              Preview:.[...wu....k......0..:...\..s...$j.7.j....FB.8.b....zVRC...x..5..)b....O.l...|.....`2+M...?.<h...g.........(.,...n-r..wb...3........M..K......9...ZN..w..KO..}.6..|.;.-....+..D.N.^.*.@.Nb..Q..$Q.m.|9G.R\..h.. ...|..x......C<...]..D.=..|z....E..B....... ...`......64..T...x....-...N;......].6.`!...,S].....5^.X..".@y.. .........`".
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):497
                                                                                                              Entropy (8bit):7.52741109134455
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:t6X6JuJXAOfQrXEG+61ucdFtUMROJT9t9ru6qM4E/7R9pbVNUTdsGxYjJ3924TRm:tLJuJmY6kcdvrEv3/7R3VN5l/Q
                                                                                                              MD5:DC1181A9A853FFB3D58F5C21F7955648
                                                                                                              SHA1:74F2C251B80C4A9DDB0608AC08BE4A5627C23A82
                                                                                                              SHA-256:AB0EC4FD64163052E2B0E77FFC814548565D19CF7836C04E6F28EED7F9F086B2
                                                                                                              SHA-512:D213D194AA9B02E37937BA051F67C8E9FC97B86D54E9E875D30F21862D83F31E48EB773D6A13A25D9B8037DFEB89F528B294B0F18D1C1C0FF12EDA77758E2F6F
                                                                                                              Malicious:false
                                                                                                              Preview:...Y...@.Se...`h..3.0.W.=.w'.u'...0X..$..m....v..3......P...0.........g.@o.....>..l.....a4........,.UM....0......3=.'Y..JHfI.=.A.k...V.E....F.P.....k*.o..).q.......8...u....sR;8.X.Z........J.".VN.@..r....o....'....o.l..c.d...T.f....(p$.3..q...(.,...T../.=..5`.R....b..nl..j...X...%`.:...P....!......P.z.wk.^..=..n..7..tq'kQ...G.U2R..:....3\./...(17.s.. ...|..x......C<...]..D.=..|z....E..B....... ...`......64..T...x....-...N;......].6.`!...,S].....5^.X..".@y.. .........`".
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):511
                                                                                                              Entropy (8bit):7.559323733616864
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:jPb8k7rY0Z1B7aOkdN0XS8nMxqkJXgC2l/Q:jPV7r7LW6SHn0I
                                                                                                              MD5:F503DCD9DAFA9D540D02471827AAF215
                                                                                                              SHA1:B35D6FD9300915B0EC319653C0F18FDD6B69927E
                                                                                                              SHA-256:7E3E56DA0280E726144B1A823ED2FFDA09A3627FB93C3D0874BAC03EC231F5B3
                                                                                                              SHA-512:91CABED168406548C716F382BC4D861BA3E8C6519E90C48B7F8D1BD787B94C659B671A81FA6F0CD9D20A8ECB7B5B45206FF388C46D5C9B9BAF3B4F20DB5EE4CF
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:false
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1173
                                                                                                              Entropy (8bit):7.821487644002929
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:zsDUiLaGugmzsC9ABwiOlANKzJG1krtDIJv1rT3MZbXE1jCuwZ+gI:zS30gmzLatIG1kpDMrTgFZ+
                                                                                                              MD5:233CEE8A564A928011FF25F2A7FFAE1B
                                                                                                              SHA1:37783D644EC4E388A145991C07754253A326797B
                                                                                                              SHA-256:4790551D4A003ABC4A900BC486794AF927C2E4A4EC457161974A7F06A8D7951E
                                                                                                              SHA-512:269CB9FBFAFC165A6A720F7A46100F320E2DB16218908520492A112B970C75D18B7A059D48068DA603B347CD64218DBA50D4B936DA35D89822BD3BE355FEA2D7
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:true
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):239
                                                                                                              Entropy (8bit):7.081671385473804
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:8EjqZiK0OGiw5S+p+2vPopkdsGxYjJ3924TRTiGSU9Q:7qZ5fAMk54l/Q
                                                                                                              MD5:FAD2963E51E0222233110B0AC78A9A29
                                                                                                              SHA1:562231D7EED30AF79915EB74E3EA47F1CD5A03EF
                                                                                                              SHA-256:4FE0A9491DAF86E2E21B2564476D3F0EDA1BB8F37744714A0AF75DA8B788F32B
                                                                                                              SHA-512:AC304F4C7DB95C21E9EC24D38BE14A3B70C407D60C87ACAFD8F115DA9AA30B1D826AE7A1631C36678188E6F17804058C6491932DAB0425AF821E7C5CEE612CA5
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:true
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:true
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6291
                                                                                                              Entropy (8bit):5.02936286887508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijww3wwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkA/i0
                                                                                                              MD5:E2A5C9049EFDDFD19C144F7AD8CCCE10
                                                                                                              SHA1:77EE5E661288C33E9759048FC938E4CC8FEC6C4B
                                                                                                              SHA-256:9A4ED4CC7C63FDF3BA27232AB78165FF40BF26D70AADF6A369AD1D9ECF7961E9
                                                                                                              SHA-512:B55339FD45B5FD19EE2FDD694FF05847BA073EA750138F967085AF992FB7D18F7DF0B6913A833EDADA7DC351E6F1C7F5ED491EC230AEA24FC2AC6896953C049B
                                                                                                              Malicious:true
                                                                                                              Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                              Process:C:\ProgramData\E8D5.tmp
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):477827
                                                                                                              Entropy (8bit):7.997084050500727
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:12288:3u2nTdbu2nTdbu2nTdbu2nTdbu2nTdbu2nTdbu2nTdbuT:1bbbbbbg
                                                                                                              MD5:1484E543DA547AB9C48D9A1F62EAB666
                                                                                                              SHA1:F7322AA4A44137DCFCE952BB992E091DBD119498
                                                                                                              SHA-256:A413D5FB23B108FA753AB86ACD3A73BD9BCDA78301A387FB65333E6DBEA68C38
                                                                                                              SHA-512:31E8AEFB7DE38CDAD899084248512D04E959C13CF4B4BE611FF4C2A71FD9A4F23586BFC3FBBD3CB69F99221F8F59157DAA235224530045597CB2B9E1F4A98B35
                                                                                                              Malicious:false
                                                                                                              File type:ASCII text, with very long lines (65312), with CRLF, LF line terminators
                                                                                                              Entropy (8bit):3.4801122471091563
                                                                                                              TrID:
                                                                                                                File name:e93wY5kRY0.ps1
                                                                                                                File size:477'827 bytes
                                                                                                                MD5:17a7cd1ead2d35ed5d69c71d4fd7386d
                                                                                                                SHA1:734400d4444b88fe3848c80e3dba2ad9a5155c56
                                                                                                                SHA256:20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9
                                                                                                                SHA512:7d5cd9b042229d1076a587b75594a002d379396d6ec889a8aee457a6a5a399130ae0a43fe0863adae23e32e46a7d17d4b55bfc2564cb17e579751161f6778828
                                                                                                                SSDEEP:1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJI:VA
                                                                                                                TLSH:30A409F0636099E3B6D94993B265195E3B2A103F7AC635D84083FBDD1C7BAC08A19CD7
                                                                                                                File Content Preview:for ($i = 0; $i -lt $args.count; $i++ ){$argument += $args[$i] + ' '} . $psFile=$PSCommandPath.$global:ProgressPreference = "SilentlyContinue"....# -- thread variables..$script:threadBody = '$data=$threadData;'..$data = @(..@(62416317159553766,61715855556
                                                                                                                Icon Hash:3270d6baae77db44
                                                                                                                No network behavior found


                                                                                                                Target ID:1
                                                                                                                Start time:06:33:19
                                                                                                                Start date:23/12/2024
                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\e93wY5kRY0.ps1"
                                                                                                                Imagebase:0x7ff6e3d50000
                                                                                                                File size:452'608 bytes
                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:2
                                                                                                                Start time:06:33:20
                                                                                                                Start date:23/12/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 06:33:36
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\e93wY5kRY0.ps1
Imagebase: 0xf80000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Hacktool_Mimikatz_355d5d3a, Description: Detection for Invoke-Mimikatz, Source: 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Empire_Invoke_Gen, Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
• Rule: Empire_PowerShell_Framework_Gen5, Description: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000006.00000002.2632696715.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000006.00000002.2632696715.0000000005F9F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000006.00000002.2632696715.0000000005F9F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: true

Target ID: 7
Start time: 06:33:37
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 06:33:47
Start date: 23/12/2024
Path: C:\ProgramData\E8D5.tmp
Wow64 process (32bit): true
Commandline: "C:\ProgramData\E8D5.tmp"
Imagebase: 0x7ff6ae840000
File size: 14'336 bytes
MD5 hash: 294E9F64CB1642DD89229FFF0592856B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 87%, ReversingLabs
Reputation: moderate
Has exited: false


Execution Graph

Execution Coverage: 4.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 21%
Total number of Nodes: 742
Total number of Limit Nodes: 1
47074 964bbcd 47072->47074 47085 964bb24 GetDriveTypeW 47072->47085 47075 964bba3 ResumeThread 47073->47075 47076 964cdf0 NtSetInformationThread 47073->47076 47074->46926 47077 964bbb7 GetExitCodeThread 47075->47077 47078 964bb7d 47076->47078 47077->47074 47078->47075 47079 964bb81 47078->47079 47079->46926 47081 964ce02 47080->47081 47083 964cdff 47080->47083 47082 964ce49 NtSetInformationThread 47081->47082 47081->47083 47082->47083 47083->46926 47087 9650f60 47086->47087 47088 96486d0 RtlAllocateHeap 47087->47088 47099 9650f7f 47088->47099 47091 96486f8 RtlFreeHeap 47092 9650faf FindFirstFileExW 47091->47092 47092->47099 47093 96486f8 RtlFreeHeap 47093->47099 47094 9651122 47095 96486f8 RtlFreeHeap 47094->47095 47097 9651145 47095->47097 47096 96510ea FindNextFileW 47096->47099 47098 9650e08 RtlAllocateHeap 47098->47099 47099->47091 47099->47093 47099->47094 47099->47096 47099->47098 47101 964e130 47099->47101 47120 9650da4 47099->47120 47124 9650bac 47099->47124 47102 964e14c 47101->47102 47116 964e147 47101->47116 47155 9648794 47102->47155 47105 964e164 GetFileAttributesW 47106 964e174 47105->47106 47107 964e1d2 47106->47107 47108 964e1b9 47106->47108 47109 964e1e9 GetFileAttributesW 47107->47109 47110 964e1da 47107->47110 47111 964e220 5 API calls 47108->47111 47113 964e1f6 47109->47113 47114 964e202 CopyFileW 47109->47114 47159 964e220 CreateFileW 47110->47159 47115 964e1c1 47111->47115 47117 96486f8 RtlFreeHeap 47113->47117 47118 96486f8 RtlFreeHeap 47114->47118 47119 96486f8 RtlFreeHeap 47115->47119 47116->47099 47117->47110 47118->47116 47119->47116 47121 9650dbc 47120->47121 47122 9650dd2 47121->47122 47123 96486d0 RtlAllocateHeap 47121->47123 47122->47099 47123->47122 47125 9650d95 47124->47125 47126 9650bcd 47124->47126 47125->47099 47170 9650308 47126->47170 47129 9650d8d 47130 96486f8 RtlFreeHeap 47129->47130 47130->47125 47132 9650be5 47132->47129 47133 9650c0c 47132->47133 47134 9650bf9 47132->47134 47204 9650924 RtlAllocateHeap 47133->47204 47203 
9650840 RtlAllocateHeap 47134->47203 47137 9650c07 47137->47129 47138 9650c27 MoveFileExW 47137->47138 47139 9650c39 47137->47139 47140 9650c74 47137->47140 47142 96486f8 RtlFreeHeap 47137->47142 47205 9650924 RtlAllocateHeap 47137->47205 47138->47137 47138->47139 47141 9650c91 CreateFileW 47139->47141 47152 9650cb5 47139->47152 47143 96486f8 RtlFreeHeap 47140->47143 47144 9650cba 47141->47144 47141->47152 47142->47137 47143->47139 47183 9650970 47144->47183 47145 96486f8 RtlFreeHeap 47145->47129 47149 9650ce3 CreateIoCompletionPort 47150 9650cfa 47149->47150 47153 9650d1c 47149->47153 47151 96486f8 RtlFreeHeap 47150->47151 47151->47152 47152->47129 47152->47145 47153->47152 47154 96486f8 RtlFreeHeap 47153->47154 47154->47152 47156 96487aa 47155->47156 47157 96486d0 RtlAllocateHeap 47156->47157 47158 96487c1 47156->47158 47157->47158 47158->47105 47158->47116 47160 964e381 47159->47160 47161 964e251 47159->47161 47160->47116 47162 964e289 WriteFile 47161->47162 47163 964e2c0 WriteFile 47162->47163 47164 964e2ae 47162->47164 47165 964e2e7 47163->47165 47166 964e2f9 WriteFile 47163->47166 47164->47116 47165->47116 47167 964e330 WriteFile 47166->47167 47168 964e31e 47166->47168 47167->47161 47169 964e357 47167->47169 47168->47116 47169->47116 47171 9650321 SetFileAttributesW CreateFileW 47170->47171 47173 9650367 47171->47173 47174 965034f 47171->47174 47172 964fda0 RtlAllocateHeap RtlFreeHeap NtTerminateProcess 47172->47174 47173->47129 47175 96503b8 SetFileAttributesW CreateFileW 47173->47175 47174->47171 47174->47172 47174->47173 47176 9650464 47175->47176 47177 96503f8 SetFilePointerEx 47175->47177 47176->47132 47177->47176 47178 9650417 ReadFile 47177->47178 47178->47176 47179 9650436 47178->47179 47180 96502ac RtlAllocateHeap 47179->47180 47181 9650447 47180->47181 47181->47176 47182 96486f8 RtlFreeHeap 47181->47182 47182->47176 47185 96509a0 47183->47185 47184 96509d1 47187 96486d0 RtlAllocateHeap 47184->47187 47185->47184 47186 9650214 RtlAllocateHeap 
RtlFreeHeap 47185->47186 47186->47184 47194 96509dd 47187->47194 47188 9650b77 47190 9650b85 47188->47190 47191 96486f8 RtlFreeHeap 47188->47191 47189 96486f8 RtlFreeHeap 47189->47188 47192 9650b93 47190->47192 47193 96486f8 RtlFreeHeap 47190->47193 47191->47190 47192->47149 47192->47152 47193->47192 47195 96486d0 RtlAllocateHeap 47194->47195 47202 9650b24 47194->47202 47196 9650a3a 47195->47196 47197 96486d0 RtlAllocateHeap 47196->47197 47196->47202 47198 9650a69 47197->47198 47199 96486d0 RtlAllocateHeap 47198->47199 47198->47202 47200 9650b1b 47199->47200 47201 96486f8 RtlFreeHeap 47200->47201 47200->47202 47201->47202 47202->47188 47202->47189 47203->47137 47204->47137 47205->47137 47206->46933 47207->46948 47209 965270b 47208->47209 47210 965281a RegCreateKeyExW 47209->47210 47213 9652758 47209->47213 47211 9652847 47210->47211 47210->47213 47212 96528c2 RegDeleteKeyExW 47211->47212 47211->47213 47212->47213 47213->46957 47215 9648b23 47214->47215 47216 9648b3a NtQueryInformationToken 47214->47216 47215->47216 47217 9648b35 47215->47217 47216->47217 47218 9648b8c 47217->47218 47219 96486f8 RtlFreeHeap 47217->47219 47218->46976 47219->47218 47220->46983 47222 964d4fc 47221->47222 47223 96486d0 RtlAllocateHeap 47222->47223 47224 964d51d 47223->47224 47224->47001 47226 964b5d0 3 API calls 47225->47226 47227 964adb8 47226->47227 47228 964ae28 47227->47228 47231 964adcf NtSetInformationThread 47227->47231 47229 964ae4d 47228->47229 47252 964ace4 RtlAllocateHeap RtlFreeHeap NtQuerySystemInformation 47228->47252 47231->47228 47232 964ade3 47231->47232 47249 964abe0 OpenSCManagerW 47232->47249 47234 964adf8 47234->47228 47251 964aa18 RtlAllocateHeap RtlFreeHeap 47234->47251 47253 964afe0 47236->47253 47244 9649c84 47241->47244 47242 96486d0 RtlAllocateHeap 47242->47244 47243 9649c96 NtQuerySystemInformation 47243->47244 47244->47242 47244->47243 47245 9649cc9 47244->47245 47248 96486f8 RtlFreeHeap 47244->47248 47246 96486f8 RtlFreeHeap 47245->47246 47247 9649cd1 
47246->47247 47248->47244 47250 964ac14 47249->47250 47250->47234 47251->47228 47252->47229 47254 964b0c1 47253->47254 47255 964b285 RegCreateKeyExW 47254->47255 47256 964b2df RegCreateKeyExW 47255->47256 47257 964b2b9 47255->47257 47259 964b3fa 47256->47259 47266 964b3d4 47256->47266 47257->47256 47260 964b2e4 RegCreateKeyExW 47257->47260 47268 964aed4 47259->47268 47260->47257 47261 964b312 RegSetValueExW 47260->47261 47261->47257 47262 964b334 RegSetValueExW 47261->47262 47262->47257 47264 964b352 OpenEventLogW 47262->47264 47263 964b3fc OpenEventLogW 47265 964b414 ClearEventLogW 47263->47265 47263->47266 47264->47257 47267 964b36a ClearEventLogW 47264->47267 47265->47266 47266->47259 47266->47263 47267->47257 47275 964ae54 RtlAdjustPrivilege 47268->47275 47270 964afac 47271 964afc4 CloseServiceHandle 47270->47271 47272 964afcd 47270->47272 47271->47272 47273 964aeed 47273->47270 47278 964fbb8 47273->47278 47276 964b5d0 3 API calls 47275->47276 47277 964ae8c 47276->47277 47277->47273 47279 964fc12 47278->47279 47280 964fc16 NtTerminateProcess 47279->47280 47281 964fc2a 47279->47281 47280->47281 47281->47270

Control-flow Graph (function 964d660-964db0b; the executed/not-executed colouring and the edge data of the interactive graph are not reproduced)
• Internal calls on the graph: 9648c54, 96486d0, 9653ec4, 964d4e4, 96486f8, 9656410, 96562e8, 96563bc
• API calls on the graph, in path order: GetTempFileNameW, CreateFileW, WriteFile, CreateProcessW, NtQueryInformationProcess, NtProtectVirtualMemory, NtWriteVirtualMemory, NtDuplicateObject, CreateNamedPipeW, ResumeThread, ConnectNamedPipe
• Reading: this is the drop-and-inject path. The function writes a temporary file, creates a process, queries it, changes the protection of memory in it and writes to that memory, duplicates a handle into it, creates a named pipe, resumes a thread and then waits for the pipe to connect. The failure branch after each API call jumps to the shared exit block at 964da94.
Strings
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID: @%e$D
• API String ID: 0-885740330
• Opcode ID: 5f142eb5d00842eb4dfc0932c1eac6ff6bfae4ec52546136f474bc16c92c6d04
• Instruction ID: 2d4db5a98fb1cdd1713d4251a1d09347eeee1217c88cced3213805bf28bc7583
• Opcode Fuzzy Hash: 5f142eb5d00842eb4dfc0932c1eac6ff6bfae4ec52546136f474bc16c92c6d04
• Instruction Fuzzy Hash: EAE10771D00319EEEF21DFD0CC59BEEBBB8AB04304F1044A6E609A61D0D7B66A85CF56
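A trace-level check for the sequence above, added here as an example and not part of the report or of the sample: it scans a sandbox-style API trace for a child process that receives NtWriteVirtualMemory through the handle returned by CreateProcessW and is then resumed with ResumeThread. The trace line format, the handle values, the target path and the flags=0x4 (CREATE_SUSPENDED) argument are constructed for this example; the report shows the call order of 964d660 but not the arguments passed to CreateProcessW.

```python
"""Spot the drop-and-inject order of function 0x964d660 in an API trace:
a child created with CreateProcessW whose memory is written through the
returned process handle before its thread is resumed.  Added example; the
trace format and every value in SAMPLE_TRACE are constructed."""
import re
from dataclasses import dataclass, field

# Constructed trace line layout (assumption): "<tid> <api>(<k=v, ...>) = <k=v, ... | value>"
TRACE_LINE = re.compile(r"^(?P<tid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)\s*=\s*(?P<ret>.*)$")
KEY_VALUE = re.compile(r"(\w+)=([^,\s]+)")
CREATE_SUSPENDED = 0x00000004               # dwCreationFlags bit; the report does not show this argument
CHILD_HANDLE_ARGS = ("hProcess", "hTarget")  # argument names through which a call can touch the child

# Constructed trace mirroring the API order of 964d660, followed by a benign child.
SAMPLE_TRACE = r"""
4812 GetTempFileNameW(path=C:\Users\u\AppData\Local\Temp, prefix=tmp) = C:\Users\u\AppData\Local\Temp\tmp1A2B.tmp
4812 CreateFileW(name=C:\Users\u\AppData\Local\Temp\tmp1A2B.tmp, access=0x40000000) = hFile=0x1e0
4812 WriteFile(hFile=0x1e0, size=0x3c00) = TRUE
4812 CreateProcessW(app=C:\example\host.exe, flags=0x4) = hProcess=0x1f4, hThread=0x1f8, pid=6100
4812 NtQueryInformationProcess(hProcess=0x1f4, class=0x0) = STATUS_SUCCESS
4812 NtProtectVirtualMemory(hProcess=0x1f4, base=0x400000, size=0x3c00, protect=0x40) = STATUS_SUCCESS
4812 NtWriteVirtualMemory(hProcess=0x1f4, base=0x400000, size=0x3c00) = STATUS_SUCCESS
4812 NtDuplicateObject(hSourceProcess=0xffffffff, hSource=0x1e0, hTarget=0x1f4) = STATUS_SUCCESS
4812 CreateNamedPipeW(name=\\.\pipe\example) = hPipe=0x200
4812 ResumeThread(hThread=0x1f8) = 0x1
4812 ConnectNamedPipe(hPipe=0x200) = TRUE
4812 CreateProcessW(app=C:\Windows\System32\cmd.exe, flags=0x0) = hProcess=0x210, hThread=0x214, pid=6200
4812 ResumeThread(hThread=0x214) = 0x0
"""


@dataclass
class Child:
    pid: int
    h_process: str
    h_thread: str
    created_suspended: bool
    steps: list = field(default_factory=list)   # APIs applied to this child, in trace order


def parse_trace(trace):
    """Yield (api, args, ret) per line; lines that do not match the layout are skipped."""
    for line in trace.strip().splitlines():
        m = TRACE_LINE.match(line.strip())
        if m:
            yield m["api"], dict(KEY_VALUE.findall(m["args"])), dict(KEY_VALUE.findall(m["ret"]))


def detect_injection(trace):
    """Return one finding per child whose memory was written before its thread was resumed.

    Correlation is by handle: the hProcess/hThread values returned by CreateProcessW
    identify later calls that operate on the same child."""
    by_process, by_thread, findings = {}, {}, []
    for api, args, ret in parse_trace(trace):
        if api == "CreateProcessW" and "pid" in ret:
            flags = int(args.get("flags", "0"), 16)
            child = Child(int(ret["pid"]), ret["hProcess"], ret["hThread"],
                          bool(flags & CREATE_SUSPENDED))
            by_process[child.h_process] = child
            by_thread[child.h_thread] = child
        elif api == "ResumeThread" and args.get("hThread") in by_thread:
            child = by_thread[args["hThread"]]
            child.steps.append(api)
            if "NtWriteVirtualMemory" in child.steps:
                findings.append({"pid": child.pid,
                                 "created_suspended": child.created_suspended,
                                 "sequence": list(child.steps)})
        else:
            # Any other call that names the child's process handle is recorded as a step.
            for name in CHILD_HANDLE_ARGS:
                if args.get(name) in by_process:
                    by_process[args[name]].steps.append(api)
                    break
    return findings


if __name__ == "__main__":
    for finding in detect_injection(SAMPLE_TRACE):
        print(finding)
```

The rule keys on the write-then-resume order rather than on CREATE_SUSPENDED, because the flag is not visible in the report; the flag is reported as context only. A child that is created and resumed without any write through its handle, like the second one in the sample, produces no finding.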

Control-flow Graph (function 964afe0-964b43f; the executed/not-executed colouring and the edge data of the interactive graph are not reproduced)
• Internal calls on the graph: 9641190 (five times)
• API calls on the graph: RegCreateKeyExW, RegCreateKeyExW, RegSetValueExW, RegSetValueExW, OpenEventLogW, ClearEventLogW, RegCreateKeyExW, OpenEventLogW, ClearEventLogW
APIs
• RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000,?,00000007,?,00000004,?,00000019,?), ref: 0964B2AB
• RegCreateKeyExW.KERNEL32(00000000,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000), ref: 0964B308
• RegSetValueExW.KERNEL32(00000000,?,00000000,00000004,00000000,00000004), ref: 0964B32A
• RegSetValueExW.KERNEL32(00000000,?,00000000,00000001,?,00000064), ref: 0964B348
• OpenEventLogW.ADVAPI32(00000000,?), ref: 0964B35B
• ClearEventLogW.ADVAPI32(00000000,00000000), ref: 0964B36F
• RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000), ref: 0964B3CA
• OpenEventLogW.ADVAPI32(00000000,?), ref: 0964B405
• ClearEventLogW.ADVAPI32(00000000,00000000), ref: 0964B419
• Reading: the two top-level RegCreateKeyExW calls (0964B2AB, 0964B3CA) open keys under 80000002 (HKEY_LOCAL_MACHINE) with access mask 0002011F = KEY_READ | KEY_WRITE | KEY_WOW64_64KEY, which selects the 64-bit registry view when the caller runs under WOW64; the call at 0964B308 sits in the loop after the first and takes a key handle rather than a root key as its first argument. RegSetValueExW then stores one REG_DWORD (type 00000004, 4 bytes) and one REG_SZ (type 00000001, 0x64 bytes). OpenEventLogW with a NULL server name opens a log on the local machine, and ClearEventLogW with a NULL backup file name discards the log's contents without writing a backup; the pair appears once inside the loop (0964B35B/0964B36F) and once on the second path (0964B405/0964B419).
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: Event$Create$ClearOpenValue
• String ID:
• API String ID: 4090462516-0
• Opcode ID: bffeac5a8cdaec464f8f6f86b027458494b0afb4855235a8df23713b21a09400
• Instruction ID: b4c1d1c92400a0bee795929a75622717c2b4aa8d6c0d92324e7048e3a7b41e51
• Opcode Fuzzy Hash: bffeac5a8cdaec464f8f6f86b027458494b0afb4855235a8df23713b21a09400
• Instruction Fuzzy Hash: 96C1E7B0540B04EFEB55DF91D989FA9BF78FB04300F528099E6195F262E3768A84CF51
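The on-host footprint of the OpenEventLogW/ClearEventLogW pair above is the record the Event Log service itself writes when a log is cleared, which is what a detection keys on. The following is an added example, not part of the report: it pulls those records out of Windows event XML. The records are constructed and trimmed to the fields the check reads, and the host and user names in them are made up.

```python
"""Find 'log cleared' records in Windows event XML.  Added example; the
records below are constructed and simplified, not taken from the analysed host."""
import xml.etree.ElementTree as ET

# Both events are written by the Event Log service when a log is cleared:
#   1102 in the Security channel ("The audit log was cleared")
#   104  in the System channel   ("The <channel> log file was cleared")
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"
CLEAR_EVENT_IDS = {1102, 104}

# Constructed sample records (assumption: simplified EVTX-to-XML layout).
SAMPLE_EVENTS = [
    # Security log cleared: what a ClearEventLogW on the Security log leaves behind
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
         <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
                 <Channel>Security</Channel><Computer>WS01.example.test</Computer></System>
         <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
           <SubjectUserName>alice</SubjectUserName><SubjectDomainName>EXAMPLE</SubjectDomainName>
         </LogFileCleared></UserData></Event>""",
    # Application log cleared with no backup path (ClearEventLogW with a NULL backup name)
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
         <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>104</EventID>
                 <Channel>System</Channel><Computer>WS01.example.test</Computer></System>
         <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
           <SubjectUserName>alice</SubjectUserName><SubjectDomainName>EXAMPLE</SubjectDomainName>
           <Channel>Application</Channel><BackupPath></BackupPath>
         </LogFileCleared></UserData></Event>""",
    # Benign logon event: same channel, different ID
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
         <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
                 <Channel>Security</Channel><Computer>WS01.example.test</Computer></System></Event>""",
    # ID 104 from an unrelated provider: must not match
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
         <System><Provider Name="Example-App"/><EventID>104</EventID>
                 <Channel>Application</Channel><Computer>WS01.example.test</Computer></System></Event>""",
]


def _text(element, path):
    """Text of the first element matching an ElementTree path, '' if absent or empty."""
    node = element.find(path)
    return (node.text or "").strip() if node is not None else ""


def find_log_clears(xml_records):
    """Return one finding per record that documents an event log being cleared.

    Matching on EventID alone is not enough: 104 is reused by other providers,
    so the provider name is checked first.  The '{*}' prefix ignores namespaces."""
    findings = []
    for record in xml_records:
        event = ET.fromstring(record)
        provider = event.find("{*}System/{*}Provider")
        if provider is None or provider.get("Name") != EVENTLOG_PROVIDER:
            continue
        event_id = int(_text(event, "{*}System/{*}EventID") or 0)
        if event_id not in CLEAR_EVENT_IDS:
            continue
        data = "{*}UserData/{*}LogFileCleared/"
        findings.append({
            "event_id": event_id,
            "computer": _text(event, "{*}System/{*}Computer"),
            # 1102 is only written for the Security log; 104 names the log it cleared
            "cleared_log": "Security" if event_id == 1102 else _text(event, data + "{*}Channel"),
            "user": _text(event, data + "{*}SubjectDomainName") + "\\" + _text(event, data + "{*}SubjectUserName"),
            "backup": _text(event, data + "{*}BackupPath"),  # '' means discarded, not saved
        })
    return findings


if __name__ == "__main__":
    for finding in find_log_clears(SAMPLE_EVENTS):
        print(finding)
```

An empty backup path in a 104 record corresponds to the NULL second argument seen in the ClearEventLogW calls above. Note that clearing the Security log does not remove its own 1102 record, since the service writes it after the clear, so an empty Security log whose first entry is a 1102 is the expected shape after this function runs.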

Control-flow Graph (function 96494bc-9649678; the executed/not-executed colouring and the edge data of the interactive graph are not reproduced)
• Internal calls on the graph: 96486d0, 96416bc, 96486f8, and 96494bc itself (at 96495ff)
• API calls on the graph: FindFirstFileExW, GetFileAttributesW, DeleteFileW, FindNextFileW
• Reading: a recursive directory walk. Each entry returned by FindFirstFileExW/FindNextFileW is checked with GetFileAttributesW and then either deleted with DeleteFileW or handled on the branch that re-enters 96494bc, the recursion a walker needs to descend into subdirectories. The only string referenced is "*", consistent with a match-everything search pattern.
APIs
• Part of subcall function 096486D0: RtlAllocateHeap.NTDLL(?,00000008,096494F6,?,096494F6,00000000), ref: 096486EC
• FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 09649543
• GetFileAttributesW.KERNELBASE(00000000), ref: 096495D6
• DeleteFileW.KERNEL32(00000000), ref: 09649621
• FindNextFileW.KERNELBASE(000000FF,?), ref: 09649640
Strings
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: File$Find$AllocateAttributesDeleteFirstHeapNext
• String ID: *
• API String ID: 2270753430-163128923
• Opcode ID: 7a740b775ef2b118ece1b7d24948b3f4c9ffb6f8eb71fd8e6612303aa5a4ebf2
• Instruction ID: 49b895863e101a0927fe01df622a0f5c88faeb6a9d15cbdda34ef94c1cc110d5
• Opcode Fuzzy Hash: 7a740b775ef2b118ece1b7d24948b3f4c9ffb6f8eb71fd8e6612303aa5a4ebf2
• Instruction Fuzzy Hash: BF416D70C40218EBEF12AFA4EE48BAE7B75BF00785F0045A4E415A91A0D7B64B64DF46

Control-flow Graph (function 9647ac0-9647c38; the executed/not-executed colouring and the edge data of the interactive graph are not reproduced)
• Internal calls on the graph: 9647988 (three times), 964165c, 9641190 (twice), 96411f0, 96478bc
• API calls on the graph: FindFirstFileW, FindClose, FindNextFileW, FindClose
APIs
• FindFirstFileW.KERNEL32(?,?,?,00000004), ref: 09647B93
• FindClose.KERNEL32(000000FF,?,00000000), ref: 09647BB8
• FindNextFileW.KERNELBASE(000000FF,?,?,00000000), ref: 09647BDD
• FindClose.KERNEL32(000000FF), ref: 09647BEA
Strings
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: 0vi}
• API String ID: 1164774033-463007280
• Opcode ID: 6f9742907493495a3519393a235066c45c6d2cc0ca9c07066229fc77b7504b5b
• Instruction ID: 304e2ea7854a959dd76232d1932c7a2776d7878d1863ba5a97c116ecc9b20c63
• Opcode Fuzzy Hash: 6f9742907493495a3519393a235066c45c6d2cc0ca9c07066229fc77b7504b5b
• Instruction Fuzzy Hash: EF417570850344EFEF21EFE0D889BA9BB75EB01350F10A5A9E509EA250DB764AC4CF52

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 828 9650f48-9650f63 SetThreadPriority call 9641568 831 9650f65-9650f6c 828->831 832 9650f6e 828->832 833 9650f75-9650f88 call 96486d0 831->833 832->833 836 9650f8f-9650fcf call 964e130 call 9650da4 call 96486f8 FindFirstFileExW 833->836 843 9650fd5-9650fe3 836->843 844 965110b-9651120 call 96486f8 836->844 850 9650fe8-9650ff1 843->850 848 9651124-9651138 844->848 849 9651122-9651140 call 96486f8 844->849 848->836 857 9651145-9651148 849->857 852 9650ff3-9650ff9 850->852 853 9650ffb 850->853 852->853 855 9651000-965100a 852->855 856 96510ea-96510fc FindNextFileW 853->856 858 9651012 855->858 859 965100c-9651010 855->859 856->850 860 9651102 856->860 858->856 859->858 861 9651017-965101e 859->861 860->844 862 9651020-9651024 861->862 863 965102b-965102f 861->863 862->863 864 9651026 862->864 865 9651031-9651039 call 9650ef4 863->865 866 9651059-9651061 call 9650e5c 863->866 864->856 873 9651054 865->873 874 965103b-9651052 call 9650e08 865->874 871 9651063 866->871 872 9651068-965106f 866->872 871->856 876 9651071-9651078 872->876 877 965107c-9651084 call 964db9c 872->877 873->856 874->873 876->877 879 965107a 876->879 882 9651086 877->882 883 9651088-96510a6 call 9650e08 call 96490e0 call 9650bac 877->883 879->856 882->856 889 96510ab-96510b2 883->889 889->856 890 96510b4-96510b6 889->890 891 96510df 890->891 892 96510b8-96510dd 890->892 891->856 892->856
APIs
• SetThreadPriority.KERNEL32(000000FE,00000002), ref: 09650F55
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,0965DF10,003D0900), ref: 09650FC2
• FindNextFileW.KERNELBASE(000000FF,?), ref: 096510F4
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
APIs
• NtSetInformationProcess.NTDLL(000000FF,00000021,00000000,00000004,00000004,?,096523C9), ref: 0964D0C5
• NtSetInformationProcess.NTDLL(000000FF,00000012,00000000,00000002,?,096523C9), ref: 0964D0D7
• NtSetInformationProcess.NTDLL(000000FF,0000000C,00000000,00000004,?,096523C9), ref: 0964D0EC
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
APIs
• RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 0964ADA2
  • Part of subcall function 0964B5D0: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0964B5FD
• NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004,00000000,00000002,00000002,EBF9D5BF), ref: 0964ADD9
  • Part of subcall function 0964ABE0: OpenSCManagerW.SECHOST(00000000,00000000,00000001), ref: 0964AC01
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
APIs
• RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 0964ADA2
  • Part of subcall function 0964B5D0: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0964B5FD
• NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004,00000000,00000002,00000002,EBF9D5BF), ref: 0964ADD9
  • Part of subcall function 0964ABE0: OpenSCManagerW.SECHOST(00000000,00000000,00000001), ref: 0964AC01
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
APIs
  • Part of subcall function 096493E0: FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0964944F
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0964936F
• FindNextFileW.KERNELBASE(000000FF,?), ref: 096493C6
  • Part of subcall function 096494BC: FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 09649543
  • Part of subcall function 096494BC: GetFileAttributesW.KERNELBASE(00000000), ref: 096495D6
  • Part of subcall function 096494BC: FindNextFileW.KERNELBASE(000000FF,?), ref: 09649640
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
APIs
• NtQueryDefaultUILanguage.NTDLL(?), ref: 09649EF8
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
APIs
  • Part of subcall function 096486D0: RtlAllocateHeap.NTDLL(?,00000008,096494F6,?,096494F6,00000000), ref: 096486EC
• NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09649CA2
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
APIs
• NtQueryInformationToken.NTDLL(00000000,00000001,?,00000028,?,?,?,?,?,00000000), ref: 09648B47
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
APIs
  • Part of subcall function 096486D0: RtlAllocateHeap.NTDLL(?,00000008,096494F6,?,096494F6,00000000), ref: 096486EC
• NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09649CA2
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0964944F
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
APIs
  • Part of subcall function 096486D0: RtlAllocateHeap.NTDLL(?,00000008,096494F6,?,096494F6,00000000), ref: 096486EC
• NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0964B5FD
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
APIs
• NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09649CA2
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InformationQuerySystem
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3562636166-0
                                                                                                                  • Opcode ID: e125c77ea40d7da0cb64f866ba7d7511d345e35e703e1752214f6cdfcf6ef3f4
                                                                                                                  • Instruction ID: 0abbb1a61ba2e3244ac97806d99d9b47424d57d0030912122614d0ec85250e4b
                                                                                                                  • Opcode Fuzzy Hash: e125c77ea40d7da0cb64f866ba7d7511d345e35e703e1752214f6cdfcf6ef3f4
                                                                                                                  • Instruction Fuzzy Hash: F3210D71980208EFDF12DFD0C948B9E7BB8FF04704F108199E515AA251D7B69A45DF91
                                                                                                                  APIs
                                                                                                                  • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09649CA2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InformationQuerySystem
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3562636166-0
                                                                                                                  • Opcode ID: a848cf3c75040552495c847c48daf1109d76cc2149d38c5174b6f42d9aee441a
                                                                                                                  • Instruction ID: 0abbb1a61ba2e3244ac97806d99d9b47424d57d0030912122614d0ec85250e4b
                                                                                                                  • Opcode Fuzzy Hash: a848cf3c75040552495c847c48daf1109d76cc2149d38c5174b6f42d9aee441a
                                                                                                                  • Instruction Fuzzy Hash: F3210D71980208EFDF12DFD0C948B9E7BB8FF04704F108199E515AA251D7B69A45DF91
                                                                                                                  APIs
                                                                                                                  • NtSetInformationThread.NTDLL(?,00000005,?,00000004), ref: 0964CE54
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InformationThread
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4046476035-0
                                                                                                                  • Opcode ID: 02b4b0a84e8867564bc7b7ddfbff5fe5875764abc2e29e93e1014d6fa063dd01
                                                                                                                  • Instruction ID: f7fac194f36e13b30cadecfb3313a3cb2691415bbd28779e5770ecf9ea0fd4cf
                                                                                                                  • Opcode Fuzzy Hash: 02b4b0a84e8867564bc7b7ddfbff5fe5875764abc2e29e93e1014d6fa063dd01
                                                                                                                  • Instruction Fuzzy Hash: 5A014471600308EFEB10CF90CC89FAABBACFB04714F509165F9549B291D7758A05DB91
                                                                                                                  APIs
                                                                                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000000,?), ref: 0964790D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Load
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2234796835-0
                                                                                                                  • Opcode ID: d496df2da61e354bf7d49638122ade9a9c4da750e6c76ca1305ca616de0c17c1
                                                                                                                  • Instruction ID: 88aceb457114b2d955bc5fd6f0fc79da70776a965ef65b7cfbdadd9c0b9987d8
                                                                                                                  • Opcode Fuzzy Hash: d496df2da61e354bf7d49638122ade9a9c4da750e6c76ca1305ca616de0c17c1
                                                                                                                  • Instruction Fuzzy Hash: CBF0C47694020DFEDF10EEE4D849BDEB7BCAB04355F0081A6A908A7140E771AA1D8BA1
                                                                                                                  APIs
                                                                                                                  • NtQueryInformationToken.NTDLL(?,00000001,?,0000002C,?), ref: 0964D012
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InformationQueryToken
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4239771691-0
                                                                                                                  • Opcode ID: cb0fa226a16076f8e77bce86be81f31f5caed792df1f33e32c60861d29e2425a
                                                                                                                  • Instruction ID: 401f34a34964fa11e7b40becff938e82b6cd12267be5da730ea6eb6110bde25c
                                                                                                                  • Opcode Fuzzy Hash: cb0fa226a16076f8e77bce86be81f31f5caed792df1f33e32c60861d29e2425a
                                                                                                                  • Instruction Fuzzy Hash: 33F03031A01208FFEF10CEE4EC85EA9B7ADEB04714F500161F914D32D0E762AF44C651
                                                                                                                  APIs
                                                                                                                  • NtTerminateProcess.NTDLL(0964AFAC,00000000), ref: 0964FC1B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ProcessTerminate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 560597551-0
                                                                                                                  • Opcode ID: 025af9e5ef3740fff723f532f173953380672d35a230d369549cfef47f641b9d
                                                                                                                  • Instruction ID: be984d6e3d29263a184868b506031054a2ba69fe23b22f9e64c6b05172835c5b
                                                                                                                  • Opcode Fuzzy Hash: 025af9e5ef3740fff723f532f173953380672d35a230d369549cfef47f641b9d
                                                                                                                  • Instruction Fuzzy Hash: 66019A71900208EFDB01CF90C958BDEBBB8FB05318F148199E504AB281D7B79A46DF91
                                                                                                                  APIs
                                                                                                                  • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0964B5FD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InformationQuerySystem
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3562636166-0
                                                                                                                  • Opcode ID: d1854e0fb7319379da593fa726bddc61d7067ba99e00ad379e6078fdab8af347
                                                                                                                  • Instruction ID: 2125980119d6d0a5dff2f7c914c24867b3c8e32173c8013cd3c72445e5723f90
                                                                                                                  • Opcode Fuzzy Hash: d1854e0fb7319379da593fa726bddc61d7067ba99e00ad379e6078fdab8af347
                                                                                                                  • Instruction Fuzzy Hash: B3F03431A00108EBCF11DFE4DA80BACBB79EB08380F549096EA15AB250C372DAA0DB15
                                                                                                                  APIs
                                                                                                                  • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0964B5FD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InformationQuerySystem
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3562636166-0
                                                                                                                  • Opcode ID: 604e0afe44bd874fc16af489472ac2cb5ad1e39ee370fd0f00455e526edde06d
                                                                                                                  • Instruction ID: 2125980119d6d0a5dff2f7c914c24867b3c8e32173c8013cd3c72445e5723f90
                                                                                                                  • Opcode Fuzzy Hash: 604e0afe44bd874fc16af489472ac2cb5ad1e39ee370fd0f00455e526edde06d
                                                                                                                  • Instruction Fuzzy Hash: B3F03431A00108EBCF11DFE4DA80BACBB79EB08380F549096EA15AB250C372DAA0DB15
                                                                                                                  APIs
                                                                                                                  • GetLogicalDriveStringsW.KERNEL32(00000104,?), ref: 096492CF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: DriveLogicalStrings
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2022863570-0
                                                                                                                  • Opcode ID: cf3d0c81eb58b0857aa26184888bd38e39ce443a016e353a5395a220a954c1ba
                                                                                                                  • Instruction ID: f2f61b48e900afabdac06045faa09963461d6476546aa52060279d7a6d15933e
                                                                                                                  • Opcode Fuzzy Hash: cf3d0c81eb58b0857aa26184888bd38e39ce443a016e353a5395a220a954c1ba
                                                                                                                  • Instruction Fuzzy Hash: 50E02B3254072B57CF21ADD45CC59EB731CDB02B00F000150FE58D2244CF509E4589D2
                                                                                                                  APIs
                                                                                                                  • NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,096501A7,00000000), ref: 09648635
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InformationThread
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4046476035-0
                                                                                                                  • Opcode ID: 2bc163bed4775be3b23c8ea1a7bac892babedc3dac636e58e047d69628cd8208
                                                                                                                  • Instruction ID: 10ae092003eb01d6b6d1feab7071af82351c9950195865a582a50820df11a658
                                                                                                                  • Opcode Fuzzy Hash: 2bc163bed4775be3b23c8ea1a7bac892babedc3dac636e58e047d69628cd8208
                                                                                                                  • Instruction Fuzzy Hash: B8D0A77259020CFED710AF90ED05FF6335CD315341F004124B507CA080D7B5B550C654

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 84 964a050-964a0a9 85 964a0b0-964a0bf 84->85 86 964a0ab 84->86 93 964a0c6-964a0d6 85->93 94 964a0c1 85->94 87 964a6d9-964a6dd 86->87 88 964a6df 87->88 89 964a6e8-964a6ec 87->89 88->89 91 964a6fd-964a701 89->91 92 964a6ee-964a6f2 89->92 95 964a703 91->95 96 964a70c-964a710 91->96 92->91 97 964a6f4 92->97 101 964a0dd-964a0ed 93->101 102 964a0d8 93->102 94->87 95->96 99 964a712 96->99 100 964a71b-964a71f 96->100 97->91 99->100 103 964a721-964a724 call 96486f8 100->103 104 964a729-964a72d 100->104 112 964a0f4-964a10f call 96526c4 101->112 113 964a0ef 101->113 102->87 103->104 106 964a737-964a73b 104->106 107 964a72f-964a732 call 96486f8 104->107 110 964a746-964a74a 106->110 111 964a73d 106->111 107->106 114 964a755-964a759 110->114 115 964a74c 110->115 111->110 122 964a111-964a136 112->122 123 964a139-964a1c9 call 9641190 112->123 113->87 116 964a764-964a768 114->116 117 964a75b 114->117 115->114 119 964a775-964a77b 116->119 120 964a76a-964a76d 116->120 117->116 120->119 122->123 130 964a1d0-964a1de 123->130 131 964a1cb 123->131 133 964a1e5-964a1f6 call 96486d0 130->133 134 964a1e0 130->134 131->87 137 964a1fd-964a205 call 9641568 133->137 138 964a1f8 133->138 134->87 141 964a207-964a218 call 9648c54 137->141 142 964a221-964a232 call 9648c54 137->142 138->87 147 964a21f 141->147 148 964a21a 141->148 149 964a234 142->149 150 964a239-964a252 142->150 147->150 148->87 149->87 152 964a254-964a263 call 96486f8 150->152 153 964a268-964a27b 150->153 152->87 157 964a282-964a298 153->157 158 964a27d 153->158 160 964a29f-964a2ad 157->160 161 964a29a 157->161 158->87 163 964a2b4-964a307 call 9641568 160->163 164 964a2af 160->164 161->87 170 964a318 163->170 171 964a309-964a316 163->171 164->87 172 964a31b-964a33c DrawTextW 170->172 171->172 173 964a343-964a3eb 172->173 174 964a33e 172->174 178 964a3f2-964a41f 173->178 179 964a3ed 173->179 174->87 
182 964a426-964a49f call 96416bc call 9641190 CreateFileW 178->182 183 964a421 178->183 179->87 191 964a4a6-964a4c0 WriteFile 182->191 192 964a4a1 182->192 183->87 193 964a4c7-964a4de WriteFile 191->193 194 964a4c2 191->194 192->87 195 964a4e5-964a4fc WriteFile 193->195 196 964a4e0 193->196 194->87 197 964a503-964a527 call 9648afc 195->197 198 964a4fe 195->198 196->87 202 964a52e-964a5d2 call 96416bc call 9641190 RegCreateKeyExW 197->202 203 964a529 197->203 198->87 209 964a5d4 202->209 210 964a5d9-964a638 call 9641190 RegSetValueExW 202->210 203->87 209->87 214 964a63f-964a6c0 call 9641190 RegSetValueExW 210->214 215 964a63a 210->215 219 964a6c4-964a6c8 214->219 220 964a6c2 214->220 215->87 219->87 221 964a6ca-964a6d1 219->221 220->87 221->87
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: ($BM
                                                                                                                  • API String ID: 0-2980357723
                                                                                                                  • Opcode ID: 1696019e08decfe2e92e94184f90987d6ae163f2e81fbb7df498047a87b1d7e6
                                                                                                                  • Instruction ID: 2224fd1c54b3a3de79776667e565a6bdc3c625b0af95f5396fd1a8699c9f2e25
                                                                                                                  • Opcode Fuzzy Hash: 1696019e08decfe2e92e94184f90987d6ae163f2e81fbb7df498047a87b1d7e6
                                                                                                                  • Instruction Fuzzy Hash: 8D222671940308EFEF11DFE0DD49BADBBB4BB04341F109059E116BA2A0D7B64A85DF66

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 258 964c034-964c0b4 GetVolumeNameForVolumeMountPointW FindFirstVolumeW 262 964c2f8-964c2fd 258->262 263 964c0ba-964c0c0 258->263 264 964c0c6-964c0cd 263->264 265 964c2c7-964c2e9 263->265 264->265 266 964c0d3-964c0ea GetVolumePathNamesForVolumeNameW 264->266 265->263 272 964c2ef 265->272 266->265 268 964c0f0-964c0f4 266->268 268->265 269 964c0fa-964c0fe 268->269 269->265 271 964c104-964c10e GetDriveTypeW 269->271 273 964c110-964c113 271->273 274 964c119-964c121 call 9641568 271->274 272->262 273->265 273->274 277 964c123-964c16b 274->277 278 964c19f-964c1c5 call 96416ec CreateFileW 274->278 286 964c16d-964c186 call 964bfa8 277->286 287 964c18b-964c18f 277->287 282 964c2be 278->282 283 964c1cb-964c1f1 278->283 282->265 283->282 288 964c1f7-964c1fe 283->288 286->287 289 964c191 287->289 290 964c19a 287->290 291 964c264-964c26b 288->291 292 964c200-964c20c 288->292 289->290 290->265 291->282 294 964c26d-964c274 291->294 295 964c20e-964c215 292->295 296 964c22b-964c231 292->296 294->282 298 964c276-964c27d 294->298 295->296 299 964c217-964c21e 295->299 300 964c250-964c25d call 96416bc call 964bfa8 296->300 301 964c233-964c23a 296->301 298->282 303 964c27f-964c299 call 96416bc 298->303 299->296 304 964c220-964c227 299->304 312 964c262 300->312 301->300 305 964c23c-964c243 301->305 315 964c2b2-964c2b9 call 964bfa8 303->315 316 964c29b-964c2a2 303->316 304->296 308 964c229 304->308 305->300 309 964c245-964c24c 305->309 308->312 309->300 313 964c24e 309->313 312->282 313->312 315->282 318 964c2a4-964c2ab call 964bfa8 316->318 319 964c2b0 316->319 318->319 319->282
                                                                                                                  APIs
                                                                                                                  • GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000104), ref: 0964C07E
                                                                                                                  • FindFirstVolumeW.KERNEL32(?,00000104), ref: 0964C0A7
                                                                                                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,00000040,00000000), ref: 0964C0E2
                                                                                                                  • GetDriveTypeW.KERNEL32(?), ref: 0964C105
                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?), ref: 0964C1B8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Volume$Name$CreateDriveFileFindFirstMountNamesPathPointType
                                                                                                                  • String ID: '
                                                                                                                  • API String ID: 2925825261-1997036262
                                                                                                                  • Opcode ID: d9c0670f3a9453c4559e21378ebf4ce16085f263dc56265590547b0997075764
                                                                                                                  • Instruction ID: 7402ecc2205e856185c13b2068385a01158d47f5fa92a140221b36493b183a9e
                                                                                                                  • Opcode Fuzzy Hash: d9c0670f3a9453c4559e21378ebf4ce16085f263dc56265590547b0997075764
                                                                                                                  • Instruction Fuzzy Hash: 38719B70902714FADF229FE0DC09BDB7B78AF02711F008196F585A6290D7B98784DF66

                                                                                                                  Control-flow Graph (rendered graph not extracted): function at 0964E38C, basic blocks 321-352; calls CreateFileW, WriteFile, RegCreateKeyExW, RegSetValueExW and SHChangeNotify, plus internal subroutines 09648C54, 096486D0, 09653EC4, 096486F8 and 096416BC.
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 096486D0: RtlAllocateHeap.NTDLL(?,00000008,096494F6,?,096494F6,00000000), ref: 096486EC
                                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0964E46E
                                                                                                                  • WriteFile.KERNEL32(000000FF,00000000,000000FF,?,00000000), ref: 0964E48E
                                                                                                                  • RegCreateKeyExW.KERNEL32(80000000,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 0964E4B7
                                                                                                                  • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,?,00000000), ref: 0964E4E9
                                                                                                                  • RegCreateKeyExW.KERNEL32(80000000,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 0964E568
                                                                                                                  • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,?,00000000), ref: 0964E59C
                                                                                                                  • SHChangeNotify.SHELL32(08000000,00001000,00000000,00000000), ref: 0964E5B4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Create$FileValue$AllocateChangeHeapNotifyWrite
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2786709897-0
                                                                                                                  • Opcode ID: 062f4ed6390d8ba0a0dbd85632171e47c34a4db311bdfd4d47ad3020cd7212ac
                                                                                                                  • Instruction ID: be1443abebbc2d662073fa6c523c0c05835129930a272e72e8892f827b365fd1
                                                                                                                  • Opcode Fuzzy Hash: 062f4ed6390d8ba0a0dbd85632171e47c34a4db311bdfd4d47ad3020cd7212ac
                                                                                                                  • Instruction Fuzzy Hash: BC5150B1A40309FBEB11DFA0DC49FAE7B79BB04705F104164F615EA1C0E7B2AA54CBA5

                                                                                                                  Control-flow Graph (rendered graph not extracted): function at 0964E220, basic blocks 437-454; calls CreateFileW and WriteFile (four WriteFile sites in a loop), plus internal subroutine 096417A8.
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,00000000), ref: 0964E23E
                                                                                                                  • WriteFile.KERNEL32(000000FF,?,00000001,00000000,00000000,0965F000,?,?,?,00000000), ref: 0964E29F
                                                                                                                  • WriteFile.KERNEL32(000000FF,?,00000001,00000000,00000000,?,?,00000000), ref: 0964E2D8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Write$Create
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1602526932-0
                                                                                                                  • Opcode ID: 1d029445aebed53e8edc56f8a3453ff8d35545139ae74c3b649ba0d974b34e5f
                                                                                                                  • Instruction ID: 6730297ff3ecfe4c57de29dfe21c93660a0315d40244206503d237dce43eed26
                                                                                                                  • Opcode Fuzzy Hash: 1d029445aebed53e8edc56f8a3453ff8d35545139ae74c3b649ba0d974b34e5f
                                                                                                                  • Instruction Fuzzy Hash: 49411931A0024CEFDF01DED4E845BEEFBBAEB44322F5041A6E604A2191D7724B54DBA2

                                                                                                                  Control-flow Graph (rendered graph not extracted): function at 09697B7C, basic blocks 457-569; no Windows API calls in the graph.
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2679761063.0000000009690000.00000040.00000800.00020000.00000000.sdmp, Offset: 09690000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9690000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: U$(U$di$x.[k$yi-
                                                                                                                  • API String ID: 0-2927692823
                                                                                                                  • Opcode ID: b4c80f44bc54cfa1c40d707e621b262f05e26591bc0b32bdee85782e2d853c9d
                                                                                                                  • Instruction ID: a7a64372df29f253c9eba6924fe4570f0efd63486bdd8587c0e1e32ce60cac81
                                                                                                                  • Opcode Fuzzy Hash: b4c80f44bc54cfa1c40d707e621b262f05e26591bc0b32bdee85782e2d853c9d
                                                                                                                  • Instruction Fuzzy Hash: CB91C430A10215CFDB24DF64C855BA9B7B6EF86344F10C4EAE909AB352CB729D42CF91

                                                                                                                  Control-flow Graph (rendered graph not extracted): function at 0964FDD0, basic blocks 575-660; calls SetThreadPriority, ReadFile and WriteFile, plus internal subroutines 096420D0, 09641074 and 096486F8.
                                                                                                                  APIs
                                                                                                                  • SetThreadPriority.KERNEL32(000000FE,00000002), ref: 0964FDE1
                                                                                                                  • ReadFile.KERNEL32(?,?,?,?,?), ref: 0964FE73
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: FilePriorityReadThread
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3643687941-0
                                                                                                                  • Opcode ID: 291ba54d39a1f84c53627b599793b442438c1a23bd37ea22fdfac1cfe55a320e
                                                                                                                  • Instruction ID: c747ee525bcd69197279f86662c8a023d7f4e66f3e74a32cecc05f5a015308b3
                                                                                                                  • Opcode Fuzzy Hash: 291ba54d39a1f84c53627b599793b442438c1a23bd37ea22fdfac1cfe55a320e
                                                                                                                  • Instruction Fuzzy Hash: 99A16971500245EFEF22CF90C8C9BAA77BCFB08355F1012A6FD0A8A196D771DA45CB62

                                                                                                                  Control-flow Graph (rendered graph not extracted): function at 096522E0, basic blocks 661-747; calls CreateThread (three sites) and ExitProcess, plus numerous internal subroutines including 0964C034 and 0964967C.
                                                                                                                  APIs
                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0964B440,00000000,00000000,00000000), ref: 09652339
                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0964AD80,00000000,00000000,00000000), ref: 0965235A
                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,09649C7C,00000000,00000000,00000000), ref: 096523AD
                                                                                                                  • ExitProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 09652542
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateThread$ExitProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3195946472-0
                                                                                                                  • Opcode ID: 7bd86a259738e16d62b80b8348556c413adc51b7fc165d56f6c68f5c6e545c1a
                                                                                                                  • Instruction ID: 62c3e488af318e647b21bf0c3fd5012d9435c7f8b9fed245c9ed795c02319d50
                                                                                                                  • Opcode Fuzzy Hash: 7bd86a259738e16d62b80b8348556c413adc51b7fc165d56f6c68f5c6e545c1a
                                                                                                                  • Instruction Fuzzy Hash: 0F618F70944385FEFF22AFB0DC2DB6D3E60AB05711F54A158F966652E0C7F51A80CB2A

                                                                                                                  Control-flow Graph (rendered graph not extracted): function at 096503B8, basic blocks 751-761; calls SetFileAttributesW, CreateFileW, SetFilePointerEx and ReadFile, plus internal subroutines 096502AC and 096486F8.
                                                                                                                  APIs
                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?), ref: 096503D1
                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 096503E9
                                                                                                                  • SetFilePointerEx.KERNEL32(000000FF,-00000084,00000000,00000000,00000002), ref: 0965040D
                                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000084,?,00000000), ref: 0965042C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$AttributesCreatePointerRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4170910816-0
                                                                                                                  • Opcode ID: cfead8c16467aefe0395abc46ad748ba3bd676b8c386176e2b0fa3b3b75c4a11
                                                                                                                  • Instruction ID: 46153b424c20ec3c0565e0013036abda06dfb47dd72e448bfc3ec529204dad3c
                                                                                                                  • Opcode Fuzzy Hash: cfead8c16467aefe0395abc46ad748ba3bd676b8c386176e2b0fa3b3b75c4a11
                                                                                                                  • Instruction Fuzzy Hash: D6110D70A40309FBEF21DFA4DC45FAD7AB9AB04700F1081A4BA09A61D1DBB19E54DB15

                                                                                                                  Control-flow Graph (rendered graph not extracted): function at 0964967C, basic blocks 763-824; calls CoSetProxyBlanket and CoUninitialize, plus internal subroutines 09641190 (ten call sites) and 09648CC0.
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: Uninitialize
• String ID: @
• API String ID: 3861434553-2766056989
• Opcode ID: cd7ef4cf9a160b3651d616d78355528e1063d1affc5536659403402e56b8ceb7
• Instruction ID: 9a4682c6f6177c7af2b3a3b12ccac224f4c2b0995fe7470e16adf6ea2ae1da0d
• Opcode Fuzzy Hash: cd7ef4cf9a160b3651d616d78355528e1063d1affc5536659403402e56b8ceb7
• Instruction Fuzzy Hash: E6D137B0940209EFEB10DF90C889FAABB78FF04700F118195E518AF2A1D776DA85CF65

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
• Basic blocks 9650bac-9650d9e; calls 9650308, 96503b8, 9650818, 9650840, 9650924, 9650970, 96486f8; API calls MoveFileExW, CreateFileW, CreateIoCompletionPort
APIs
  • Part of subcall function 09650308: SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,?,?,?), ref: 09650329
  • Part of subcall function 09650308: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?), ref: 09650341
  • Part of subcall function 096503B8: SetFileAttributesW.KERNEL32(00000000,00000080,?), ref: 096503D1
  • Part of subcall function 096503B8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 096503E9
  • Part of subcall function 096503B8: SetFilePointerEx.KERNEL32(000000FF,-00000084,00000000,00000000,00000002), ref: 0965040D
  • Part of subcall function 096503B8: ReadFile.KERNEL32(000000FF,?,00000084,?,00000000), ref: 0965042C
• MoveFileExW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,00000000,?,00000000,?), ref: 09650C2F
• CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000,?), ref: 09650CF0
• CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,48000000,00000000,00000000,?,00000000,?), ref: 09650CA6
  • Part of subcall function 096486F8: RtlFreeHeap.NTDLL(?,00000000,00000000,?,09649673,00000000,00000000), ref: 09648714
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: File$Create$Attributes$CompletionFreeHeapMovePointerPortRead
• String ID:
• API String ID: 97630321-0
• Opcode ID: 817fdf6c8717f0f469acfd75d51b1b9b95a6e316202b917aa1fa1f25995b61bd
• Instruction ID: 7ee5c6e70e7c0d7817738d037d963a943d81b26692ddb55af7edd8e7d849af8c
• Opcode Fuzzy Hash: 817fdf6c8717f0f469acfd75d51b1b9b95a6e316202b917aa1fa1f25995b61bd
• Instruction Fuzzy Hash: B4513A30940349FBEF22AFA0DD09B9D7B75AF04341F10A168F91E691A0D7B6D651DF06
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a959d339b1affb2ad69bef3d0840151e0c1f03ef7bf87ddd9718bb2baeb80e80
• Instruction ID: 75213e9647346eaa06a5610b2e2b7f0924c32ae8f995f10601ffdb49d36ff984
• Opcode Fuzzy Hash: a959d339b1affb2ad69bef3d0840151e0c1f03ef7bf87ddd9718bb2baeb80e80
• Instruction Fuzzy Hash: A621D430844248FBDF12AFE4DA45B9DBB72BF01355F1091A5F5156A1A1C7B34F60BB06
APIs
• CreateThread.KERNEL32(00000000,00000000,0964BE00,?,00000004,00000000,?,?,?,?,00000000), ref: 0964BE4E
• ResumeThread.KERNEL32(00000000,?,?,?,?,00000000), ref: 0964BE97
• GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,?,00000000), ref: 0964BEAF
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: Thread$CodeCreateExitResume
• String ID:
• API String ID: 4070214711-0
• Opcode ID: f6267467d6e98bc9c429cd0c8e66fef3e22c12fcdf21f21bc298adda83a78b9a
• Instruction ID: 6b4af181b37f929d66d8709966797d9cbb31d05402e64652b3d9007336035f6d
• Opcode Fuzzy Hash: f6267467d6e98bc9c429cd0c8e66fef3e22c12fcdf21f21bc298adda83a78b9a
• Instruction Fuzzy Hash: C2210B35904208FFDF11DF94DD09B9DBB78EB44321F204165F614A2290D7725F54DB51
APIs
• CreateThread.KERNEL32(00000000,00000000,Function_0000AB24,?,00000004,00000000,00000000,00000000,?,?,00000000), ref: 0964BB5D
• ResumeThread.KERNEL32(00000000,?,?,00000000), ref: 0964BBA6
• GetExitCodeThread.KERNEL32(00000000,00000000,?,?,00000000), ref: 0964BBBE
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: Thread$CodeCreateExitResume
• String ID:
• API String ID: 4070214711-0
• Opcode ID: 41b440734959ce7f8c5fe15a7eacbd200a3edfcf5045808b67c864519d93c74a
• Instruction ID: db67d122a53f1ee6fdeca54122bf2d5e2c7f664ad7fd7aa06681fe544995999e
• Opcode Fuzzy Hash: 41b440734959ce7f8c5fe15a7eacbd200a3edfcf5045808b67c864519d93c74a
• Instruction Fuzzy Hash: 96111936A04208FFEF11DF94ED0AB9DBB79EB48322F2041A5F604A11A0DB725F54EB51
Strings
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID: $e
• API String ID: 2422867632-283899394
• Opcode ID: 1cf39c327a846c63f3bf763d88a7e538d3a1e4159134d1725f23595801151057
• Instruction ID: b2af6b652d54c038d03dc3fa172af814fed1abd3aea7402c34d19bb38036d1ba
• Opcode Fuzzy Hash: 1cf39c327a846c63f3bf763d88a7e538d3a1e4159134d1725f23595801151057
• Instruction Fuzzy Hash: CE618D70D0030AEFDF21DFA0DC55BAEBB75FB04350F104169EA12A62A0D7B69A51CB96
Strings
Memory Dump Source
• Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
Similarity
• API ID:
• String ID: Tl$Tl
• API String ID: 0-2544751534
• Opcode ID: c04a2f35f98a89cc91f38fa22cedfd9ed4149bcf81d562410d18af5dfd7c9d70
• Instruction ID: e4f141d34aa7356e630b9f621bcbdc98f5c821bb10ebb0ba94687a1f8de33c9e
• Opcode Fuzzy Hash: c04a2f35f98a89cc91f38fa22cedfd9ed4149bcf81d562410d18af5dfd7c9d70
• Instruction Fuzzy Hash: 048238B4B00215DFEB14CB58C844B9AB7B2BF85714F15C0A9D949AF351CB72EC828F92
Strings
Memory Dump Source
• Source File: 00000006.00000002.2607125982.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e60000_powershell.jbxd
Similarity
• API ID:
• String ID: (EP$PLP
• API String ID: 0-4281096145
• Opcode ID: fb39edd9af627d9797706b8d4d99dc550cfb01948684b176a407203498b6adf5
• Instruction ID: 16f2654ca8e68b21a2fdba8f35fb9e01171c5c5f2779d18c73e33ae42f47337c
• Opcode Fuzzy Hash: fb39edd9af627d9797706b8d4d99dc550cfb01948684b176a407203498b6adf5
• Instruction Fuzzy Hash: EC622C34A00209DFDB15CF98D584A9DBBF2FF88354F249559E845AB361CB71ED81CB90
APIs
• RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,00020119,00000000,?,00000000), ref: 09652839
• RegDeleteKeyExW.KERNEL32(80000002,?,00000100,00000000,000000FF,00000000), ref: 096528D5
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: CreateDelete
• String ID:
• API String ID: 2606249652-0
• Opcode ID: c51542070824c159db7b82600f81d5bc2bf975107d4c42431fa77d13c6c97cf8
• Instruction ID: b21ae9ab4b192d65ff988006497010ba34b88088f6d275cf3c4a811fbda052cd
• Opcode Fuzzy Hash: c51542070824c159db7b82600f81d5bc2bf975107d4c42431fa77d13c6c97cf8
• Instruction Fuzzy Hash: 5951F7B1950219EFEB12DF90CC49FE9BBB8FB08700F0040A5FA15EA191E7759A54CF62
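The APIs sections above print every argument as a raw hex stack slot: the file-handling function (SetFileAttributesW with 0x80, CreateFileW with 0x40000000 / 0x80000000 / 0xC0000000, SetFilePointerEx seeking -0x84 with method 2 followed by a 0x84-byte ReadFile, MoveFileExW with 0x8, the second CreateFileW with 0x48000000, then CreateIoCompletionPort), the two suspended-thread blocks (CreateThread with 0x4, ResumeThread, GetExitCodeThread) and the HKLM RegCreateKeyExW / RegDeleteKeyExW pair with 0x20119 and 0x100. The Python decoder below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses those lines exactly as printed and names the Win32 flag bits so the call sequence can be read at a glance. The sample lines are copied verbatim from the sections above; the ARITY table (Joe Sandbox prints stack slots past the real argument list), the parameter labels and the choice to keep the two 32-bit slots of SetFilePointerEx's 64-bit distance separate rather than reassemble them are my assumptions about how the report renders x86 stack slots.

```python
"""Decode the "APIs" lines of a Joe Sandbox disassembly block: added example,
not part of the report; names the flag bits in the file, thread and registry calls."""
import re

# Constructed input: lines copied verbatim from the APIs sections above.
SAMPLE = """\
SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,?,?,?), ref: 09650329
CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 096503E9
SetFilePointerEx.KERNEL32(000000FF,-00000084,00000000,00000000,00000002), ref: 0965040D
ReadFile.KERNEL32(000000FF,?,00000084,?,00000000), ref: 0965042C
MoveFileExW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,00000000,?,00000000,?), ref: 09650C2F
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,48000000,00000000,00000000,?,00000000,?), ref: 09650CA6
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000,?), ref: 09650CF0
CreateThread.KERNEL32(00000000,00000000,0964BE00,?,00000004,00000000,?,?,?,?,00000000), ref: 0964BE4E
RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,00020119,00000000,?,00000000), ref: 09652839
RegDeleteKeyExW.KERNEL32(80000002,?,00000100,00000000,000000FF,00000000), ref: 096528D5
"""
LINE_RE = re.compile(r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)")
# Real parameter counts (assumption): Joe Sandbox prints extra stack slots past
# the argument list. SetFilePointerEx's 64-bit distance takes two x86 slots.
ARITY = {"SetFileAttributesW": 2, "CreateFileW": 7, "SetFilePointerEx": 5,
         "ReadFile": 5, "MoveFileExW": 3, "CreateIoCompletionPort": 4,
         "CreateThread": 6, "RegCreateKeyExW": 9, "RegDeleteKeyExW": 4}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x20000000: "FILE_FLAG_NO_BUFFERING", 0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
              0x80: "FILE_ATTRIBUTE_NORMAL", 0x02: "FILE_ATTRIBUTE_HIDDEN"}
MOVE_FLAGS = {1: "MOVEFILE_REPLACE_EXISTING", 2: "MOVEFILE_COPY_ALLOWED",
              4: "MOVEFILE_DELAY_UNTIL_REBOOT", 8: "MOVEFILE_WRITE_THROUGH"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
THREAD_FLAGS = {0x4: "CREATE_SUSPENDED", 0x10000: "STACK_SIZE_PARAM_IS_A_RESERVATION"}
HKEY = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x8: "KEY_ENUMERATE_SUB_KEYS",
              0x10: "KEY_NOTIFY", 0x100: "KEY_WOW64_64KEY", 0x20000: "READ_CONTROL"}

def flags(value, table):
    """Name every known bit of a mask, high bit first; leftover bits stay hex."""
    if not isinstance(value, int):
        return "?" if value is None else str(value)
    names, rest = [], value
    for bit, name in sorted(table.items(), reverse=True):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest or not names:
        names.append(hex(rest))
    return "|".join(names)

def enum(value, table):
    """Name a single-valued parameter such as a creation disposition."""
    if not isinstance(value, int):
        return "?" if value is None else str(value)
    return table.get(value, hex(value))

def slot(tok):
    """One printed stack slot: '?' is unknown, otherwise hex (sign allowed)."""
    try:
        return None if tok == "?" else int(tok, 16)
    except ValueError:
        return tok  # symbolic operand such as Function_0000AB24

def parse(text):
    """Yield (ref, api, args) per APIs line, truncated to the real arity."""
    for m in LINE_RE.finditer(text):
        api, _module, raw, ref = m.groups()
        args = [slot(t.strip()) for t in raw.split(",")]
        yield ref, api, args[:ARITY.get(api, len(args))]

def decode(api, args):
    """Security-relevant parameters of one call, with flag bits named."""
    a = args + [None] * 9
    if api == "SetFileAttributesW":
        return {"attributes": flags(a[1], FILE_FLAGS)}
    if api == "CreateFileW":
        return {"access": flags(a[1], ACCESS), "share": flags(a[2], SHARE),
                "disposition": enum(a[4], DISPOSITION), "flags": flags(a[5], FILE_FLAGS)}
    if api == "SetFilePointerEx":  # the report prints the low slot signed; keep both
        return {"distance_low": a[1], "distance_high": a[2], "method": enum(a[4], MOVE_METHOD)}
    if api == "ReadFile":
        return {"bytes_to_read": a[2]}
    if api == "MoveFileExW":
        return {"flags": flags(a[2], MOVE_FLAGS)}
    if api == "CreateIoCompletionPort":
        return {"existing_port": a[1], "completion_key": a[2], "concurrent_threads": a[3]}
    if api == "CreateThread":
        return {"start_address": enum(a[2], {}), "flags": flags(a[4], THREAD_FLAGS)}
    if api in ("RegCreateKeyExW", "RegDeleteKeyExW"):
        sam = a[5] if api == "RegCreateKeyExW" else a[2]
        return {"root": enum(a[0], HKEY), "access": flags(sam, KEY_RIGHTS)}
    return {"args": args}

def trace(text):
    """Ordered, annotated call list for the APIs section of one block."""
    return [(ref, api, decode(api, args)) for ref, api, args in parse(text)]

if __name__ == "__main__":
    for ref, api, info in trace(SAMPLE):
        print(ref, api, ", ".join(f"{k}={v}" for k, v in info.items()))
```

Run stand-alone, the script prints one annotated line per call. Read in order, the decoded trace is easier to reason about than the hex: attributes are reset to FILE_ATTRIBUTE_NORMAL (clearing read-only before touching the file), the last 0x84 bytes are read relative to FILE_END, the file is renamed with MOVEFILE_WRITE_THROUGH, and it is then reopened GENERIC_READ|GENERIC_WRITE with FILE_FLAG_OVERLAPPED|FILE_FLAG_SEQUENTIAL_SCAN and bound to an I/O completion port, which is the asynchronous bulk rewrite pattern one expects around the "Modifies existing user documents" signature. The 0x4 on CreateThread is CREATE_SUSPENDED, matching the ResumeThread that follows, and 0x20119 on RegCreateKeyExW is KEY_READ plus KEY_WOW64_64KEY, so the 64-bit registry view is requested explicitly; the RegDeleteKeyExW that follows asks for the same view with 0x100. What the 0x84-byte trailer contains is not shown on this page and the decoder makes no claim about it.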
                                                                                                                  APIs
                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,?,?,?), ref: 09650329
                                                                                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?), ref: 09650341
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$AttributesCreate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 415043291-0
                                                                                                                  • Opcode ID: 5905278870bf7770e756564331d7b6890e13bc3c4de525e26762244856f5b8b9
                                                                                                                  • Instruction ID: 43c95653178f1b0f1953c778636dda9ad0fef7a03004112c700d7d2ef530b8ae
                                                                                                                  • Opcode Fuzzy Hash: 5905278870bf7770e756564331d7b6890e13bc3c4de525e26762244856f5b8b9
                                                                                                                  • Instruction Fuzzy Hash: CC11A03190530AFFEF218F94DD05BAD7B78EB007A1F208266F91BB51D0D7B19A81CA46
                                                                                                                  APIs
                                                                                                                  • MoveFileExW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,00000000,?,00000000,?), ref: 09650C2F
                                                                                                                  • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,48000000,00000000,00000000,?,00000000,?), ref: 09650CA6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CreateMove
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3198096935-0
                                                                                                                  • Opcode ID: 89eb58a9b363a1c0401e1cab0592a0c0bf7a070e5cb5e73c4f6e84b9b51f40c7
                                                                                                                  • Instruction ID: 9ea6ee914f0732a00db7a4a5381adf5df72a6ccfdd5c97317162a9781697d139
                                                                                                                  • Opcode Fuzzy Hash: 89eb58a9b363a1c0401e1cab0592a0c0bf7a070e5cb5e73c4f6e84b9b51f40c7
                                                                                                                  • Instruction Fuzzy Hash: CAF01D30A40208FADF219F94ED05B9CBB75AF11751F2082A6FA1A791E0C7B29651DB09
APIs
• SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,?,?,?), ref: 09650329
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?), ref: 09650341
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.2680735726.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9740000_powershell.jbxd
Similarity
• API ID:
• String ID: 84hl$84hl
• API String ID: 0-2123644506
Strings
Memory Dump Source
• Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
Similarity
• API ID:
• String ID: h2]k
• API String ID: 0-759999175
Strings
Memory Dump Source
• Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
Similarity
• API ID:
• String ID: Tl
• API String ID: 0-242367606
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• CreateMutexW.KERNEL32(0000000C,00000001,?), ref: 0964BA3F
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
APIs
• RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,?,?,09656480,?,00000001,?), ref: 096481E5
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
APIs
• RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,?,?,09656480,?,00000001,?), ref: 096481E5
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
APIs
• RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,?,?,09656480,?,00000001,?), ref: 096481E5
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
APIs
  • Part of subcall function 0964AE54: RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 0964AE76
• CloseServiceHandle.ADVAPI32(00000000), ref: 0964AFC7
  • Part of subcall function 0964FBB8: NtTerminateProcess.NTDLL(0964AFAC,00000000), ref: 0964FC1B
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: AdjustCloseHandlePrivilegeProcessServiceTerminate
• String ID:
• API String ID: 3176663195-0
APIs
• OpenSCManagerW.SECHOST(00000000,00000000,00000001), ref: 0964AC01
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: ManagerOpen
• String ID:
• API String ID: 1889721586-0
APIs
• CreateThread.KERNEL32(00000000,00000000,0964FDD0,00000000,00000000,00000000), ref: 09650195
  • Part of subcall function 09648614: NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,096501A7,00000000), ref: 09648635
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: Thread$CreateInformation
• String ID:
• API String ID: 425492364-0
APIs
• CreateMutexW.KERNEL32(0000000C,00000001,?), ref: 0964BA3F
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
APIs
• RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 0964AE76
  • Part of subcall function 0964B5D0: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 0964B5FD
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: AdjustInformationPrivilegeQuerySystem
• String ID:
• API String ID: 4254901982-0
                                                                                                                  • Opcode ID: 8932e5afdfaffea10e4df0fb5a49c41f751c3fb84282fd62bef8a296e549d51b
                                                                                                                  • Instruction ID: 40c57fa616690095b449b50a5c4ce7525084c8902ef03bfe202850f35f46644c
                                                                                                                  • Opcode Fuzzy Hash: 8932e5afdfaffea10e4df0fb5a49c41f751c3fb84282fd62bef8a296e549d51b
                                                                                                                  • Instruction Fuzzy Hash: 9B014470A41308FBEF11DFE4CD4DF9EBAB89B04714F504194BA14AA2D0E7B58A44D751
                                                                                                                  APIs
                                                                                                                  • RtlAdjustPrivilege.NTDLL(?,00000001,00000000,?), ref: 0964D09B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AdjustPrivilege
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3260937286-0
                                                                                                                  • Opcode ID: 31f6d8335d152ca58db3fdd3b07ef8fe2ab288ce3904f89a2c3aef015fa2ec5d
                                                                                                                  • Instruction ID: 4d415777cc27127eefdbe419790c82fccfdc69a7179ffa2e956f4a8d708191fa
                                                                                                                  • Opcode Fuzzy Hash: 31f6d8335d152ca58db3fdd3b07ef8fe2ab288ce3904f89a2c3aef015fa2ec5d
                                                                                                                  • Instruction Fuzzy Hash: F0D05B71E18215A7DB205DD47C11BE6735C9745B91F000355FD16D71C0EA537A1681D6
                                                                                                                  APIs
                                                                                                                  • RtlFreeHeap.NTDLL(?,00000000,00000000,?,09649673,00000000,00000000), ref: 09648714
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeHeap
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3298025750-0
                                                                                                                  • Opcode ID: 8b698ba73c5805e18fc70854006fc148f8a1bc1835c2a9a9d33f4edd6d2d9b2d
                                                                                                                  • Instruction ID: 3acfdeba55f9dd56343f732d2017f179a409f655368a67e0e1e7aecc929cc30f
                                                                                                                  • Opcode Fuzzy Hash: 8b698ba73c5805e18fc70854006fc148f8a1bc1835c2a9a9d33f4edd6d2d9b2d
                                                                                                                  • Instruction Fuzzy Hash: DCD01231540708AFC711DFA8E805F9A371CAB11600F854414F6094B1A1D776D8A0DB59
                                                                                                                  APIs
                                                                                                                  • RtlAllocateHeap.NTDLL(?,00000008,096494F6,?,096494F6,00000000), ref: 096486EC
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocateHeap
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1279760036-0
                                                                                                                  • Opcode ID: 1dffca6aacfb9ff3860f9e08aa2df086a75d22ef686dde84a94de1058fc25ec2
                                                                                                                  • Instruction ID: 288d47e20a00668a518e87db3afa6c9f647d4669025f4c961e42a820cb1c6e48
                                                                                                                  • Opcode Fuzzy Hash: 1dffca6aacfb9ff3860f9e08aa2df086a75d22ef686dde84a94de1058fc25ec2
                                                                                                                  • Instruction Fuzzy Hash: BAD01231184708AFCB519F98A805FAA7758AB30600F858414B6085B161CB75D490EB55
                                                                                                                  APIs
                                                                                                                  • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 0964BE0B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: DriveLogicalStrings
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2022863570-0
                                                                                                                  • Opcode ID: b79860715e9fcedc1b99cf16649922701b998bf615ea2e89154da2252fca41da
                                                                                                                  • Instruction ID: 25d49fc96fc1fe1a0dcb27a3f5a7f049ffee2e38e587db85f3131b105e2c3780
                                                                                                                  • Opcode Fuzzy Hash: b79860715e9fcedc1b99cf16649922701b998bf615ea2e89154da2252fca41da
                                                                                                                  • Instruction Fuzzy Hash: 1CC09B36000208EF8B019F84D404C557FE9FB587007048051F60847131C732E920DB95
                                                                                                                  APIs
                                                                                                                  • GetDriveTypeW.KERNEL32(?), ref: 0964BB2A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: DriveType
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 338552980-0
                                                                                                                  • Opcode ID: 37a27fe2b0178b8a338b428886e9566dd33e738801d54b43fed68b31345db2f9
                                                                                                                  • Instruction ID: b822d6025a65cab3e98e4e5036cd63d2ff13fa97595aa46fadadc4ff83761fdc
                                                                                                                  • Opcode Fuzzy Hash: 37a27fe2b0178b8a338b428886e9566dd33e738801d54b43fed68b31345db2f9
                                                                                                                  • Instruction Fuzzy Hash: E1B0123100020CF78B015A41E8048457F1CD710650B004021F508001118B3359209596
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2680735726.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9740000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 84hl
                                                                                                                  • API String ID: 0-3734605506
                                                                                                                  • Opcode ID: af19ea24aacb0a78f01a19c4797468e7e465132484e17a746dbeabecff383b3a
                                                                                                                  • Instruction ID: 8e2235c7fb92d315b2c9c6292c0fe82a30c1cbcb06e042599657e018d24375e1
                                                                                                                  • Opcode Fuzzy Hash: af19ea24aacb0a78f01a19c4797468e7e465132484e17a746dbeabecff383b3a
                                                                                                                  • Instruction Fuzzy Hash: 5C41B136A00244DFCB20CF58C544AAAB7E1FF85351F59885AFA569B293C730DD41CBA2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ea8bea3be0692aa784b39e043ff819d5e402cc6598cf038becbaccfac2748b0f
                                                                                                                  • Instruction ID: b2b251666669d112d7b86b7ac081493f52a76714dcb64515bc233d1ae1cf2ef3
                                                                                                                  • Opcode Fuzzy Hash: ea8bea3be0692aa784b39e043ff819d5e402cc6598cf038becbaccfac2748b0f
                                                                                                                  • Instruction Fuzzy Hash: 127218B4B00215DFEB14CB58C844B99B7B2FF85714F15C0A9E949AB351CB72ED828F92
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2680466451.0000000009700000.00000040.00000800.00020000.00000000.sdmp, Offset: 09700000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9700000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 59076ab976fb9a8caee634ec12ce547a9dcaf00e163718ba554101535d5ef20e
                                                                                                                  • Instruction ID: ff50a4746386a0c2564570e597feeeb2df27b3e2f3d3f29b1dda62e946e26ead
                                                                                                                  • Opcode Fuzzy Hash: 59076ab976fb9a8caee634ec12ce547a9dcaf00e163718ba554101535d5ef20e
                                                                                                                  • Instruction Fuzzy Hash: 16C10B75A05259DFDB05CFA8D494A9DBBF2FF88310F648159E804AB3A1CB71ED81CB90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2680466451.0000000009700000.00000040.00000800.00020000.00000000.sdmp, Offset: 09700000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9700000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0b81fc488c2515a90b45131b2186e4638e27b5f71080f71f1d4b5e0bfc5d39a3
                                                                                                                  • Instruction ID: c97aebebc82d1ef7c1593bc3e08aee8917779072c587457938d4a6b25a62c408
                                                                                                                  • Opcode Fuzzy Hash: 0b81fc488c2515a90b45131b2186e4638e27b5f71080f71f1d4b5e0bfc5d39a3
                                                                                                                  • Instruction Fuzzy Hash: 2F51C135909384CFC706CF6CC8A05A9BFF1EF86310B29419AC445DB2A3D3349C46CBA5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2680466451.0000000009700000.00000040.00000800.00020000.00000000.sdmp, Offset: 09700000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9700000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 7a7367d6f2f689c1d59e3463802cde4b4090aa58fa2e8321ef60fb6c0f5c6fcb
                                                                                                                  • Instruction ID: 7280df9396b903c8ec259c7cd244583e94ae1676cdb641df56b525b37396f920
                                                                                                                  • Opcode Fuzzy Hash: 7a7367d6f2f689c1d59e3463802cde4b4090aa58fa2e8321ef60fb6c0f5c6fcb
                                                                                                                  • Instruction Fuzzy Hash: 9451B535A09384CFC706CF68C8A4869BFF2AF86310B5882DAD445DB2E3D735AC41CB55
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2680466451.0000000009700000.00000040.00000800.00020000.00000000.sdmp, Offset: 09700000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9700000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4f22ea223c110494076b9e036c4e1045efb0a30593ca911614c64634faa3e2eb
                                                                                                                  • Instruction ID: 0ddd16d2e3f01b0e0ea0384d1de5ba7ddeb224bbae3509a2a007b698a0b95c98
                                                                                                                  • Opcode Fuzzy Hash: 4f22ea223c110494076b9e036c4e1045efb0a30593ca911614c64634faa3e2eb
                                                                                                                  • Instruction Fuzzy Hash: C651DA75A01209EFDB05CFA8D594A9DBBF2FF88310F648159E405AB365CB71ED82CB90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2607125982.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_e60000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e1fdf803a7af865cb5d8f81bb6be10ea898be6b75267f4a23d5e9cc596fbe77a
                                                                                                                  • Instruction ID: 3a724d2d843db081e1b5e1d43d5a844327caf76293fa99a8269ccce616165030
                                                                                                                  • Opcode Fuzzy Hash: e1fdf803a7af865cb5d8f81bb6be10ea898be6b75267f4a23d5e9cc596fbe77a
                                                                                                                  • Instruction Fuzzy Hash: 9651E935A00209EFDF05CFA8D584A9DBBB2FF89314F249559E405B7365CB72AD82CB90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f44074ddf62acf62cdbf8696eded8c994a7c3096162c5620a0890449aac0b29e
                                                                                                                  • Instruction ID: 8b96253eaaa83a53f788190f9336c2472872c03fb389a228d1179d47b53c9aed
                                                                                                                  • Opcode Fuzzy Hash: f44074ddf62acf62cdbf8696eded8c994a7c3096162c5620a0890449aac0b29e
• Instruction Fuzzy Hash: 5B11E77A3106169BDB289E6AD40056BFBDAFFC5222728C47FD95AC7744CA32D811C7A0

Memory Dump Source
• Source File: 00000006.00000002.2607125982.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 252f4f0404e05ec0289825d0298ef937a002ebbcf5ea5f34710c713ccf7d4904
• Instruction ID: 10d84a802fa13e758d85a827482774b4faa4128b4764aadb27085f6c196846b6
• Opcode Fuzzy Hash: 252f4f0404e05ec0289825d0298ef937a002ebbcf5ea5f34710c713ccf7d4904
• Instruction Fuzzy Hash: C9212974A0021ACFCB04DFA8D4809AEFBB5FF89310B148199E909EB352C735ED41CBA1

Memory Dump Source
• Source File: 00000006.00000002.2680154835.00000000096D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_96d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0104e79d94d7613b39c14b9c2247413d73550c792363536ad9875f1b8e81633c
• Instruction ID: 1ed1832c1d769107699d93a6c32df4288a3722eb5b07b28bfc93e305098073f3
• Opcode Fuzzy Hash: 0104e79d94d7613b39c14b9c2247413d73550c792363536ad9875f1b8e81633c
• Instruction Fuzzy Hash: 52114C72800349CFEB10DFAAC445BEEBBF5EF88320F14841AD519A7240CB799544CB95

Memory Dump Source
• Source File: 00000006.00000002.2680466451.0000000009700000.00000040.00000800.00020000.00000000.sdmp, Offset: 09700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9700000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc29427d3fa41dac016c02e13f32e6acad8363b861b6bc52ee31de056adf12d9
• Instruction ID: 8c92dfd848603a26ccd3e0a097ef020d6b1a981bc8356595902b1057f817e88c
• Opcode Fuzzy Hash: fc29427d3fa41dac016c02e13f32e6acad8363b861b6bc52ee31de056adf12d9
• Instruction Fuzzy Hash: 4A11AA35A05209EFDB45CF98D894E9DBBF2FF88314F688159E405AB361C771A982CB50

Memory Dump Source
• Source File: 00000006.00000002.2607125982.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b7993903f5aada0c211076acbd4bd40c8eaa435d2dc4c2bc7b24ebd3c11b299
• Instruction ID: 57c098bc5bea0eea8265cd084d6fc7b02edbc827b0715528a3f73a38acdbaec5
• Opcode Fuzzy Hash: 3b7993903f5aada0c211076acbd4bd40c8eaa435d2dc4c2bc7b24ebd3c11b299
• Instruction Fuzzy Hash: 5E11CC35904209EFDB05CF94D884E9DBBB2FF88314F289559E445AB361C772AD85CB50

Memory Dump Source
• Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a824361a5b8b428b63b2a28386f4216bb5930cce682ba07857ab41137f4a6a79
• Instruction ID: ec1c169b4f9abc742e4830755a730eedfb98fb08fa455688fa5ca95397e643af
• Opcode Fuzzy Hash: a824361a5b8b428b63b2a28386f4216bb5930cce682ba07857ab41137f4a6a79
• Instruction Fuzzy Hash: B9017B77205B419FC3158E2A88005A2FFE9BFC721231D80ABE859CB252C731E900C7B1

Memory Dump Source
• Source File: 00000006.00000002.2607125982.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ee1a6f7e7b659ec2ef4f99b4c2d960ff3bf8643916627b9c497c744388a8232
• Instruction ID: 9ab37adafa74316ef57b1a598118bb2975b297e9e86b146370af4882fd7dc3d1
• Opcode Fuzzy Hash: 9ee1a6f7e7b659ec2ef4f99b4c2d960ff3bf8643916627b9c497c744388a8232
• Instruction Fuzzy Hash: 79012878E40219CFCB00CB98D490AAEF7B1FF8D314B249169D91AA7361CB35EC02CB91

Memory Dump Source
• Source File: 00000006.00000002.2607125982.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c08725a6b2544e1e22e2d5c03ad92c2aea9a46b7e5712f4b57472eb005f483e7
• Instruction ID: 424f98eeafdfb83e8bffea760874a2eee963986916204ef5d881cf221a346c51
• Opcode Fuzzy Hash: c08725a6b2544e1e22e2d5c03ad92c2aea9a46b7e5712f4b57472eb005f483e7
• Instruction Fuzzy Hash: E9F0D435A00109DFCB15CF9DD990AEEF7B1FF88324F208159E615A72A1C732AC52CB60

Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e9e9d037a559c25274071be2e09c2d3cf2f15b9f66fb5d997d9d64617e40bf4
• Instruction ID: c686030ede4eaebee6ba6d83582fdc651cf1771915b0715e28324022869e1703
• Opcode Fuzzy Hash: 6e9e9d037a559c25274071be2e09c2d3cf2f15b9f66fb5d997d9d64617e40bf4
• Instruction Fuzzy Hash: 3EE04FBB70D3425FFA28895174533A78387C7805B5E26849EF406DF2C0EF1BE8A52055

Strings
Memory Dump Source
• Source File: 00000006.00000002.2680735726.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9740000_powershell.jbxd
Similarity
• API ID:
• String ID: ($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$(fjl$`9<!%$b9@!'$x.[k$-[k
• API String ID: 0-850837324
• Opcode ID: 62220c0877942474edfbf1b991fa2ecf403957e149ee5ebe23d2998ce0ecdfed
• Instruction ID: f5286c9d887b3163be9def9595f818a1ab7930fc6ceaf40cd1daa9d48db65301
• Opcode Fuzzy Hash: 62220c0877942474edfbf1b991fa2ecf403957e149ee5ebe23d2998ce0ecdfed
• Instruction Fuzzy Hash: E6027070B00214DFD714DB68C865BAE7BA6AB85700F50C095E509AF396CF72ED828FA5

Strings
Memory Dump Source
• Source File: 00000006.00000002.2680735726.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9740000_powershell.jbxd
Similarity
• API ID:
• String ID: (e4$(e4$(e4$(e4$(e4$(e4$<Q4$<Q4$<Q4$Tb4$Tb4$Tb4$Tb4$`l$`l
• API String ID: 0-1038911595
• Opcode ID: d6bb38a468ec332645decadf1192c2b7bedc01fc85eaa76006677447b864da18
• Instruction ID: 92f3ed73535872189ab4b1e4b519805cfd3830d5516a87c646a56dd0b26dd276
• Opcode Fuzzy Hash: d6bb38a468ec332645decadf1192c2b7bedc01fc85eaa76006677447b864da18
• Instruction Fuzzy Hash: 36D10436B04255CFCB15CF7888117AABBE1EFC6310F1884BAE545CB262DB31D945CBA1

Strings
Memory Dump Source
• Source File: 00000006.00000002.2680735726.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9740000_powershell.jbxd
Similarity
• API ID:
• String ID: ($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$($c$x.[k$-[k
• API String ID: 0-3523168053
• Opcode ID: 62d17f8f91764cf57b57ee475e3c2a86821adfbf2494e67ba9d6da9bf45a4680
• Instruction ID: c5e7826175236083545d7ba07f4e2aff55fd2021cf5e50870418f5e695f5a1c0
• Opcode Fuzzy Hash: 62d17f8f91764cf57b57ee475e3c2a86821adfbf2494e67ba9d6da9bf45a4680
• Instruction Fuzzy Hash: DDC1B170A00314DFD715DF64C855B9EBBA6EF84700F5084A9E509AF396CB72AE828F91

APIs
Memory Dump Source
• Source File: 00000006.00000002.2678951284.0000000009641000.00000020.00001000.00020000.00000000.sdmp, Offset: 09641000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9641000_powershell.jbxd
Yara matches
Similarity
• API ID: CountTick$CreateDialogMenuParam$BrushColorCommandHandleLineLoadModuleTextWindow
• String ID:
• API String ID: 354372533-0
• Opcode ID: fbb815574a41809aba3f19ecd3cd7924174cf1b2ff49af17232248e64252e7b8
• Instruction ID: 5f27cc112d7748e70126bea2785ea4265f122987602832b30874b67e01eb6d2b
• Opcode Fuzzy Hash: fbb815574a41809aba3f19ecd3cd7924174cf1b2ff49af17232248e64252e7b8
• Instruction Fuzzy Hash: 62F02D118207A8E58D063FF9841EB0C9AD42E80991FD9F06EFC8F486207FE22148E17F

Strings
Memory Dump Source
• Source File: 00000006.00000002.2679761063.0000000009690000.00000040.00000800.00020000.00000000.sdmp, Offset: 09690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9690000_powershell.jbxd
Similarity
• API ID:
• String ID: X@U$`U$h2]k$hU$lFU$lU$lU$tU
• API String ID: 0-803114352
• Opcode ID: cfb91f3636d069da0e01eec70f67cf3b048c05f7355b29198973501a3a44b976
• Instruction ID: ad42f4ed02907fc36f7ebbcc0a637969704d0744ed8cc8e282bb51b95e6b50bc
• Opcode Fuzzy Hash: cfb91f3636d069da0e01eec70f67cf3b048c05f7355b29198973501a3a44b976
• Instruction Fuzzy Hash: 77D15A34B14201DFEB14CF54C450BA9B7B6EF8A744F66C16AE9059B351CB72EC42CB91

Strings
Memory Dump Source
• Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
Similarity
• API ID:
• String ID: 84hl$84hl$84hl$84hl$84hl$84hl
• API String ID: 0-1851113435
• Opcode ID: 5160028d78f041d92641f9fc0c49d782c2ec58282104a1e44b7cd8dacad898e0
• Instruction ID: be6ace32f2f686a4e36e6ea4dbd4ed80fe437c728b06c1811f449f9941c92d77
• Opcode Fuzzy Hash: 5160028d78f041d92641f9fc0c49d782c2ec58282104a1e44b7cd8dacad898e0
• Instruction Fuzzy Hash: 18E1D9B1B00105DFEF159FA8C854BAABBA6AFC9310F14C179E9099B751CB71EC41CBA1

Strings
Memory Dump Source
• Source File: 00000006.00000002.2680154835.00000000096D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_96d0000_powershell.jbxd
Similarity
• API ID:
• String ID: ph$4ph$Hph$\ph$pph$ph
• API String ID: 0-1662492405
• Opcode ID: 5ca618c30a78f60ee8ff8401b0c51dad5b7393ad51994ab959c09e250a6a47a5
• Instruction ID: 9377044ca36fc77b1661c5e633805a6e4f95729a0d8b60efe55f591636259a82
• Opcode Fuzzy Hash: 5ca618c30a78f60ee8ff8401b0c51dad5b7393ad51994ab959c09e250a6a47a5
• Instruction Fuzzy Hash: 1EC113B4B02240CFDB59DF78D485ABE7BE2ABC8304F20416DE55A8B355DF34A9028B52

Strings
Memory Dump Source
• Source File: 00000006.00000002.2680735726.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9740000_powershell.jbxd
Similarity
• API ID:
• String ID: <Q4$<Q4$<Q4$<Q4$<Q4$<Q4
• API String ID: 0-3600009658
• Opcode ID: 0a88c5715581aa61059651f0ad1d6a9f65d8a2c3264c9ea6e736bd714a8aaa01
• Instruction ID: 61f2c08b87815ca02a7a9267d3db272d1c47534bbc51e228a7ebd7ca50205f09
• Opcode Fuzzy Hash: 0a88c5715581aa61059651f0ad1d6a9f65d8a2c3264c9ea6e736bd714a8aaa01
• Instruction Fuzzy Hash: CD314737B00255DBCB209EA988006ABFBE5EFD5351F14802BF905DB242EB31E910CBE1

Strings
Memory Dump Source
• Source File: 00000006.00000002.2680154835.00000000096D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_96d0000_powershell.jbxd
Similarity
• API ID:
• String ID: 0Th$DTh$XTh$lTh$Sh
• API String ID: 0-4168143742
• Opcode ID: 45f1f3042922a3e3b5004e2b86a3c62472c5a63b1fff394c8009d8394a865dbe
• Instruction ID: 94b1e4894f6d4799ebf4b77aaa21aa54d9c8e9c3fe2d25764df32219e6b23942
• Opcode Fuzzy Hash: 45f1f3042922a3e3b5004e2b86a3c62472c5a63b1fff394c8009d8394a865dbe
• Instruction Fuzzy Hash: 41F15C70B022558FCB58CF28D851A79BBF6FF89700F2041AAE54ACB755DB349C429F61
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2680466451.0000000009700000.00000040.00000800.00020000.00000000.sdmp, Offset: 09700000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9700000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: $h$8h$Lh$ph$h
                                                                                                                  • API String ID: 0-1223968164
                                                                                                                  • Opcode ID: 86912d69336e8f527eb7b0e1aea418a4d2951fea684474acab88c5e6a80e1c2f
                                                                                                                  • Instruction ID: c546089d7495ae414948d8cfd4e0d51108b68c25f7536cdbe782bb0fb27c49b9
                                                                                                                  • Opcode Fuzzy Hash: 86912d69336e8f527eb7b0e1aea418a4d2951fea684474acab88c5e6a80e1c2f
                                                                                                                  • Instruction Fuzzy Hash: 6AC11374B01244CFCB59DF78D594AAE7BF2EBC8344B208169D54ADB385DB399802CF52
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2680466451.0000000009700000.00000040.00000800.00020000.00000000.sdmp, Offset: 09700000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9700000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: $h$8h$Lh$ph$h
                                                                                                                  • API String ID: 0-1223968164
                                                                                                                  • Opcode ID: c79967a4779bd9497ab09a3bf6a37021223cfee0f3dce45525489305a072e8be
                                                                                                                  • Instruction ID: 7e4e60df17454db661b2433c9a475848e937dcb3f4946f2fe86d154a1eb1d946
                                                                                                                  • Opcode Fuzzy Hash: c79967a4779bd9497ab09a3bf6a37021223cfee0f3dce45525489305a072e8be
                                                                                                                  • Instruction Fuzzy Hash: B4C10274B01240CFCB55DF78E594BAE7BE2EBC8344B20516AE54ADB385DB399802CF52
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2679761063.0000000009690000.00000040.00000800.00020000.00000000.sdmp, Offset: 09690000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9690000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: <y$<y$pU$x.[k$-[k
                                                                                                                  • API String ID: 0-4084566023
                                                                                                                  • Opcode ID: 349f18e66ec470dc89b6d1d8a981fc13e102cb9037fea4f28960709f183f96c0
                                                                                                                  • Instruction ID: 627c2e29111fca872971985dbb0ea4f2438d93b0ba89a13be855420c027bfdef
                                                                                                                  • Opcode Fuzzy Hash: 349f18e66ec470dc89b6d1d8a981fc13e102cb9037fea4f28960709f183f96c0
                                                                                                                  • Instruction Fuzzy Hash: 9ED12C70A00219CFDB14DF54C994B9ABBB2FB89304F14C5E9E509AB352CB71AD82CF95
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2679761063.0000000009690000.00000040.00000800.00020000.00000000.sdmp, Offset: 09690000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9690000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: (.c$(.c$(.c$84hl$84hl
                                                                                                                  • API String ID: 0-752920791
                                                                                                                  • Opcode ID: 2613874cf3441d40116ca0d0139d8d112949478fb3af304661d8bb0bf912513b
                                                                                                                  • Instruction ID: 31b437e25af60ea59e7d659e738a8dec4176819a972692a048489260ae5cb6bd
                                                                                                                  • Opcode Fuzzy Hash: 2613874cf3441d40116ca0d0139d8d112949478fb3af304661d8bb0bf912513b
                                                                                                                  • Instruction Fuzzy Hash: E6610032B102058BCB219F6898106BAFBAEAFC5751F24847BE605CB341DF72DC42C3A1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2679761063.0000000009690000.00000040.00000800.00020000.00000000.sdmp, Offset: 09690000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9690000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: (4$(4$(4$X!c$X!c
                                                                                                                  • API String ID: 0-1684765325
                                                                                                                  • Opcode ID: 6f4d0bbac004d553bc93efc0aa874f6deb5c29f06fb1e66af8f19218a5422369
                                                                                                                  • Instruction ID: 0b2ec4ac31d95995cdf1162bd133113de288e336888cd82b0307989f5e4dedb5
                                                                                                                  • Opcode Fuzzy Hash: 6f4d0bbac004d553bc93efc0aa874f6deb5c29f06fb1e66af8f19218a5422369
                                                                                                                  • Instruction Fuzzy Hash: BD610631B002148FDF14DF68C8116AABBE9EFC6314F1484BBD58ADB352DA35D842C7A1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2680735726.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9740000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: _4$_4$_4$_4
                                                                                                                  • API String ID: 0-530444870
                                                                                                                  • Opcode ID: f81a23ffe51fd7e1dfa18afad7a3d87ec274a1d5466b5e617f359b0756353f9a
                                                                                                                  • Instruction ID: 69e9fa2707eb117e43b0b56b09a9579e80cc0a5d14fb63ed1a0b80c5229d7ae6
                                                                                                                  • Opcode Fuzzy Hash: f81a23ffe51fd7e1dfa18afad7a3d87ec274a1d5466b5e617f359b0756353f9a
                                                                                                                  • Instruction Fuzzy Hash: 85E14536B04355CFCB119F6888116AABBE1EFC6311B1984BBF505CB253EB31D945CBA2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: `l$`l$`l$`l
                                                                                                                  • API String ID: 0-3794947543
                                                                                                                  • Opcode ID: 0512038395f84e85a5880388e0e46bd997691936f95a64189dda0b31db47c9e2
                                                                                                                  • Instruction ID: 5bcc30985a448f199dc93f5a368e1835e59758966d64d56a058db6b9f634c567
                                                                                                                  • Opcode Fuzzy Hash: 0512038395f84e85a5880388e0e46bd997691936f95a64189dda0b31db47c9e2
                                                                                                                  • Instruction Fuzzy Hash: 720294F4B10206DBEF14CB68C451A6AF7B6BF89710F14D169D819AB745CB32EC42CBA1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: (C4$(C4$pC4$pC4
                                                                                                                  • API String ID: 0-662067848
                                                                                                                  • Opcode ID: c109dd37ee03aa91e98a3b4d5e48ce2f977fa41db4b3d2f88ed8d72308a88067
                                                                                                                  • Instruction ID: eb04cc0ddfac3545db6c0bb8094e27c156c6b2e33bd6257072e679bc6ba10900
                                                                                                                  • Opcode Fuzzy Hash: c109dd37ee03aa91e98a3b4d5e48ce2f977fa41db4b3d2f88ed8d72308a88067
                                                                                                                  • Instruction Fuzzy Hash: 29D113B5B0020BCFEF249E75C8007BABBA6AFC1314F24847AD549CB251DB75C942CB92
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 84hl$84hl$84hl$84hl
                                                                                                                  • API String ID: 0-1660550548
                                                                                                                  • Opcode ID: 69864d6df85cc34aee83eaabc39cef31a7577631d9c85777473207080b18e049
                                                                                                                  • Instruction ID: 95e09a9b1f19abec49762d5f1894742414ec445cfeaefe50a69c193792190db3
                                                                                                                  • Opcode Fuzzy Hash: 69864d6df85cc34aee83eaabc39cef31a7577631d9c85777473207080b18e049
                                                                                                                  • Instruction Fuzzy Hash: 04B1E4B5B00205DFEB159F68C410A6AFBE6AFC9310F248479E90A9B381CF71DD518BA1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2679761063.0000000009690000.00000040.00000800.00020000.00000000.sdmp, Offset: 09690000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_9690000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: P-c$P-c$t-c$t-c
                                                                                                                  • API String ID: 0-3784637036
                                                                                                                  • Opcode ID: 4d10790f735f7684987939d81f9a172e0707ea34ae284fe89f74931d1f1af7ea
                                                                                                                  • Instruction ID: 36daee9fde516f96d6e7935c1c11021119158ca686838a41d2cbb2ce18eb3390
                                                                                                                  • Opcode Fuzzy Hash: 4d10790f735f7684987939d81f9a172e0707ea34ae284fe89f74931d1f1af7ea
                                                                                                                  • Instruction Fuzzy Hash: B2A13B317142148FDB16DFA8C8156AA7BBAAFC5310F1484BBE506DB352CB36DC46C7A2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: `l$`l$`l$`l
                                                                                                                  • API String ID: 0-3794947543
                                                                                                                  • Opcode ID: a58fc4bd51b58366f895911a8192acc24e83edcef06637e5277714344c013b55
                                                                                                                  • Instruction ID: 0fe1cc7e2c4c7739734247d76c31252c5d40930a782d47f8166483a8f2977f6e
                                                                                                                  • Opcode Fuzzy Hash: a58fc4bd51b58366f895911a8192acc24e83edcef06637e5277714344c013b55
                                                                                                                  • Instruction Fuzzy Hash: 7F91D1F1B0420ADFEF249E69C4047AABBA5AFC5220F14C07ED40D8B651EF35E941CB62
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: XRjl$XRjl$XRjl$1Zk
                                                                                                                  • API String ID: 0-396751945
                                                                                                                  • Opcode ID: 6776d2dd4d64f5c3386787ca3e6e707fbe3724ae7e23781a7ae0d465b956514c
                                                                                                                  • Instruction ID: 8b32dc6ef180e672f35b6c588e27bfc57641dacd25c4b52df7bfa81b29c813b8
                                                                                                                  • Opcode Fuzzy Hash: 6776d2dd4d64f5c3386787ca3e6e707fbe3724ae7e23781a7ae0d465b956514c
                                                                                                                  • Instruction Fuzzy Hash: 1E9115F1B10206DFEF259A68C8046BABBE2AFC5210F14807AD509DB691EB71CD41C7A2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 84hl$84hl$<tM$<tM
                                                                                                                  • API String ID: 0-4192712960
                                                                                                                  • Opcode ID: e2eb5b672234ccc56fff17b87a05e9f629096fc6de463fdb313ae5753d763e7b
                                                                                                                  • Instruction ID: 6de9e8d1e2c9b3d76d24e4c0da140bf17c465e8de0505f76713159795a79baa5
                                                                                                                  • Opcode Fuzzy Hash: e2eb5b672234ccc56fff17b87a05e9f629096fc6de463fdb313ae5753d763e7b
                                                                                                                  • Instruction Fuzzy Hash: 6B91E3B1B10205DBEF269B68C80466A7BE2AFC4750F248479E9099B7C0DF71CC91CBA1
                                                                                                                  Strings
Memory Dump Source
• Source File: 00000006.00000002.2680735726.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9740000_powershell.jbxd
Similarity
• API ID:
• String ID: 0c$D0c$D0c$p@
• API String ID: 0-2227870457
• Opcode ID: 4e451e16d7b912e701b1dcc3288bdd5148b7eb032a729f66a17bfd6e22539938
• Instruction ID: f128c81c827d2ce9d07f0c1ae58dd50ecaa43cbb7bd57cf5ac6f31230e18cba9
• Opcode Fuzzy Hash: 4e451e16d7b912e701b1dcc3288bdd5148b7eb032a729f66a17bfd6e22539938
• Instruction Fuzzy Hash: 79715832B013549FEB259F78980077ABBE6AFC1750F14846AE545CB362DF71C842C792
Strings
Memory Dump Source
• Source File: 00000006.00000002.2680735726.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9740000_powershell.jbxd
Similarity
• API ID:
• String ID: (e4$(e4$(e4$(e4
• API String ID: 0-2738708405
• Opcode ID: d2f356f3ca37c3d095c628a415038166235a00f109f65015ed5357184a38ad7f
• Instruction ID: d0aabe4cf0b316b82325e8fc67d4822364dfae1d202d234ad1d6d2227962e472
• Opcode Fuzzy Hash: d2f356f3ca37c3d095c628a415038166235a00f109f65015ed5357184a38ad7f
• Instruction Fuzzy Hash: 7B515837B042548FCB25CE6888413AABBF1EFC6311F1880BBD505DB262EB359945CBA1
Strings
Memory Dump Source
• Source File: 00000006.00000002.2679761063.0000000009690000.00000040.00000800.00020000.00000000.sdmp, Offset: 09690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9690000_powershell.jbxd
Similarity
• API ID:
• String ID: 84hl$84hl$8R$8R
• API String ID: 0-216135091
• Opcode ID: 3c31a247a90d6375ad6f4f3b5fb5bacb204f621ba96e21103311550a098e1676
• Instruction ID: fcc22b2b54d299fdca3b1cbc80bf4f94e0edc7cf251370af014c12cae129c75d
• Opcode Fuzzy Hash: 3c31a247a90d6375ad6f4f3b5fb5bacb204f621ba96e21103311550a098e1676
• Instruction Fuzzy Hash: 3D5133317143559FCF208FA8C800B6AFBAAAFC6710F28806AE9459F395CB71DC41C7A1
Strings
Memory Dump Source
• Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
Similarity
• API ID:
• String ID: M$ M$84hl$84hl
• API String ID: 0-567448085
• Opcode ID: cd9276ede0f57565485d1a61c8750f4fbfc0e75436a7ff5277cfe2b13f6aec86
• Instruction ID: 4298837b7a44073a2cb9f26df63168abf949adfcd460c73e660167d39d000644
• Opcode Fuzzy Hash: cd9276ede0f57565485d1a61c8750f4fbfc0e75436a7ff5277cfe2b13f6aec86
• Instruction Fuzzy Hash: 6D410AB0A15346EFDB218B68C814B16BFB1BF85314F28C5AAD449DF296CB71DC41C791
Strings
Memory Dump Source
• Source File: 00000006.00000002.2680735726.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9740000_powershell.jbxd
Similarity
• API ID:
• String ID: (e4$(e4$(e4$Tb4
• API String ID: 0-2275104276
• Opcode ID: 6169f5050cc64154e9786e2765c947e0a0c3fc2d9a632c29f55966d395e4dabd
• Instruction ID: 1d0e45079156e672e344d9756dda5e6e09ef820fc4efc5e7df7cea56f31d6954
• Opcode Fuzzy Hash: 6169f5050cc64154e9786e2765c947e0a0c3fc2d9a632c29f55966d395e4dabd
• Instruction Fuzzy Hash: 3D110436A04261CFCB20CF69884536ABFE4FF86704F0940BAD5059B263D3309945EBA2
Strings
Memory Dump Source
• Source File: 00000006.00000002.2680735726.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9740000_powershell.jbxd
Similarity
• API ID:
• String ID: (e4$(e4$(e4$(e4
• API String ID: 0-2738708405
• Opcode ID: 4b826b7786e89e9cae08cfaee2fc6d83cc8bb28c1565524900eee227c26a6383
• Instruction ID: f9c8c039573c48010037c4a54395e280f3059dafdbbddc18afc75e6a33753b42
• Opcode Fuzzy Hash: 4b826b7786e89e9cae08cfaee2fc6d83cc8bb28c1565524900eee227c26a6383
• Instruction Fuzzy Hash: E3012B77B0011887DF38CD99CC457E577D5EB81314F8500B9AB0667251CB786948DAA2
Strings
Memory Dump Source
• Source File: 00000006.00000002.2649950734.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
Similarity
• API ID:
• String ID: okl$ okl$Ljl$Ljl
• API String ID: 0-1784108060
• Opcode ID: a27e34e8566e15515f5955351b8b2ed5a9c2734d40c42216e7b1d83f7c36b938
• Instruction ID: bd63c218d04eec182adae9b81f062ddbd037f8622dbc8af57da45ad250f22142
• Opcode Fuzzy Hash: a27e34e8566e15515f5955351b8b2ed5a9c2734d40c42216e7b1d83f7c36b938
• Instruction Fuzzy Hash: 68F02BB3B30105DFAA14495C88425667A9B9FC6A50B240136EE09DB794DEB2DC0187DA

Execution Graph

Execution Coverage: 40.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1%
Total number of Nodes: 196
Total number of Limit Nodes: 8

Callgraph


Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000B.00000002.3558522487.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3558489221.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.3558556481.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.3558587334.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.3558616958.0000000000406000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_E8D5.jbxd
Similarity
• API ID: Text$Color$CreateWindow$Proc$CommandFontFreeHandleLibraryLineLoadMenuModule$AddressBitmapCharsetErrorInfoLastLocaleObjectSelect
• String ID:
• API String ID: 1586701277-0
• Opcode ID: 75a7f395dfd15dd6a7f12e7587c497a330da91454d241e242464d6c2316bf13f
• Instruction ID: 44f13d8dc4ada08d969f55db554330e9d88bd117b0c18836a0928b418f5903af
• Opcode Fuzzy Hash: 75a7f395dfd15dd6a7f12e7587c497a330da91454d241e242464d6c2316bf13f
• Instruction Fuzzy Hash: 89F0B724B651416AC500BFFB9947A0D6E2C6E8472BB50657EB0C1344E74D3C87009EAF

Control-flow Graph

APIs
• CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,80000000,00000000), ref: 00402F82
• NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00010000,00001000,00000004), ref: 00402FDB
• WriteFile.KERNELBASE(000000FF,00000000,00010000,00010000,00000000), ref: 0040305F
• SetFilePointerEx.KERNELBASE(000000FF,00010000,?,00000000,00000001), ref: 0040307E
• SetFilePointerEx.KERNELBASE(000000FF,00010000,00000000,00000000,00000000,?,00000000,00000001), ref: 004030B3
• NtFreeVirtualMemory.NTDLL(000000FF,00000000,00010000,00008000,?,00000000,00000001), ref: 004030E4
• NtClose.NTDLL(000000FF,?,00000000,00000001), ref: 004030FC
• DeleteFileW.KERNELBASE(?,?,00000000,00000001), ref: 00403118
Memory Dump Source
• Source File: 0000000B.00000002.3558522487.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3558489221.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.3558556481.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.3558587334.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.3558616958.0000000000406000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_E8D5.jbxd
Similarity
• API ID: File$MemoryPointerVirtual$AllocateCloseCreateDeleteFreeWrite
• String ID:
• API String ID: 590822095-0
• Opcode ID: 52122dafd602033dbf0aaa267e6343e8fb4df09450a7f36494692c9b8865e816
• Instruction ID: 1b8bdb635f3090c090aca30f1047892238d11e79f8ef36d2dcee79009cce4089
• Opcode Fuzzy Hash: 52122dafd602033dbf0aaa267e6343e8fb4df09450a7f36494692c9b8865e816
• Instruction Fuzzy Hash: ED714871901209AFDB11CF90DD48BEEBB79FB08311F204266E511B62D4D3759E85CF99

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 004032FB
                                                                                                                  • GetDiskFreeSpaceW.KERNELBASE(?,?,?,00000000,00000000), ref: 00403313
                                                                                                                  • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000,?), ref: 00403332
                                                                                                                  • GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00403375
                                                                                                                  • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000), ref: 00403398
                                                                                                                  • DeviceIoControl.KERNELBASE(000000FF,0009C040,00000000,00000002,00000000,00000000,?,00000000), ref: 004033CD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000B.00000002.3558522487.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000B.00000002.3558489221.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558556481.0000000000404000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558587334.0000000000405000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558616958.0000000000406000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_11_2_400000_E8D5.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DiskFileFreeSpace$ControlCreateDeviceNamePriorityTempThread
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2011835681-0
                                                                                                                  • Opcode ID: 229209989839885a3588f396d77e0cdc96e3fac898d9f41ca49139373efe7470
                                                                                                                  • Instruction ID: c3badfffa75a89a0abcd59fd2fd34812244497566a58eab59887ac76a1f04a4a
                                                                                                                  • Opcode Fuzzy Hash: 229209989839885a3588f396d77e0cdc96e3fac898d9f41ca49139373efe7470
                                                                                                                  • Instruction Fuzzy Hash: D6510A71A01209AFDB00DF90DD49F9EBB79FF08700F2092A5E611BA2A1D730AE45DF95

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • FindFirstFileExW.KERNELBASE(C:\Windows\System32\*.dll,00000000,?,00000000,00000000,00000000), ref: 00401601
                                                                                                                  • FindClose.KERNELBASE(000000FF,?,00000000), ref: 0040162D
                                                                                                                  • FindNextFileW.KERNELBASE(000000FF,?,?,00000000), ref: 00401653
                                                                                                                  • FindClose.KERNEL32(000000FF), ref: 00401660
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000B.00000002.3558522487.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000B.00000002.3558489221.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558556481.0000000000404000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558587334.0000000000405000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558616958.0000000000406000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_11_2_400000_E8D5.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Find$CloseFile$FirstNext
                                                                                                                  • String ID: C:\Windows\System32\*.dll
                                                                                                                  • API String ID: 1164774033-1305136377
                                                                                                                  • Opcode ID: bdb8730289e2ca857be386bc3c3ab385330ed8d95a663a52d2d02b9110bb0279
                                                                                                                  • Instruction ID: b8f602421e8d3e3309feb9384621a56ef9d54da146c7d7394d3b11ea37959a12
                                                                                                                  • Opcode Fuzzy Hash: bdb8730289e2ca857be386bc3c3ab385330ed8d95a663a52d2d02b9110bb0279
                                                                                                                  • Instruction Fuzzy Hash: 30418C71900608EFDB20AFA4DD48BAA77B4FB44325F608276E521BE1F0D7794A85DF48

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 102 40362e-403671 call 403144 105 403673 102->105 106 403678-40368e GetLogicalDriveStringsW 102->106 107 403886-40388a 105->107 108 403690 106->108 109 403695-4036af 106->109 110 403898-40389b 107->110 111 40388c-403892 107->111 108->107 113 4036b1 109->113 114 4036b6-4036cd 109->114 111->110 113->107 116 4036d4-4036eb 114->116 117 4036cf 114->117 119 4036f2-40371a 116->119 120 4036ed 116->120 117->107 121 40371d-40372a GetDriveTypeW 119->121 120->107 122 403735-403749 call 40217c 121->122 123 40372c-40372f 121->123 129 40374c-40374f 122->129 123->122 124 4037ba-4037c0 123->124 124->121 125 4037c6-4037ca 124->125 127 403809-40381a 125->127 128 4037cc-4037d2 125->128 130 40381c-40382b 127->130 131 40381e-403829 Sleep 127->131 132 4037d5-4037d8 128->132 133 403751-403775 CreateThread 129->133 134 403755-403758 129->134 140 40382e-403831 130->140 131->127 136 4037da-4037db 132->136 137 4037dc-4037de 132->137 133->124 139 403777-40378b 133->139 134->129 136->137 137->132 141 4037e0-4037f6 137->141 139->124 142 40378d-4037b7 139->142 143 403833-403854 140->143 144 403835-40384e 140->144 147 4037f9-403807 NtClose 141->147 142->124 150 403862-403866 143->150 151 403856-40385c 143->151 144->140 147->127 147->147 152 403874-403878 150->152 153 403868-40386e 150->153 151->150 152->107 154 40387a-403880 152->154 153->152 154->107
                                                                                                                  APIs
                                                                                                                  • GetLogicalDriveStringsW.KERNELBASE(00000068,?), ref: 00403687
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000B.00000002.3558522487.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000B.00000002.3558489221.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558556481.0000000000404000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558587334.0000000000405000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558616958.0000000000406000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_11_2_400000_E8D5.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DriveLogicalStrings
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2022863570-0
                                                                                                                  • Opcode ID: b400b6a985817d68bb33d17dbc945ad3f7ed75c1c6e1d9200f5b880ce86a855b
                                                                                                                  • Instruction ID: 4dd69471dbc29d4f16846e3344e2d9633d6215cd74752d72760f366e6b0bc30a
                                                                                                                  • Opcode Fuzzy Hash: b400b6a985817d68bb33d17dbc945ad3f7ed75c1c6e1d9200f5b880ce86a855b
                                                                                                                  • Instruction Fuzzy Hash: 33815CB590160ADFDB10DF90D948BAFBB75FF08306F1086AAE511772A0D7399A41CF98

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 179 402760-402795 CreateFileW 180 4027f0-4027f4 179->180 181 402797-4027a9 179->181 182 402802-40280b 180->182 183 4027f6-4027ff NtClose 180->183 181->180 185 4027ab-4027be call 4020bc 181->185 183->182 185->180 187 4027c0-4027d8 ReadFile 185->187 188 4027e4-4027ea 187->188 189 4027da-4027e2 187->189 188->180 189->180
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040278B
                                                                                                                  • ReadFile.KERNELBASE(000000FF,00000000,00000000,00000000,00000000), ref: 004027D3
                                                                                                                  • NtClose.NTDLL(000000FF), ref: 004027FF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000B.00000002.3558522487.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000B.00000002.3558489221.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558556481.0000000000404000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558587334.0000000000405000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558616958.0000000000406000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_11_2_400000_E8D5.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CloseCreateRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1419693385-0
                                                                                                                  • Opcode ID: da89fd3cbdd23a7ddbe5d8b9f381f279ea58f3e72d3b71a90626c9ff8252170d
                                                                                                                  • Instruction ID: da411bd40fb0d6d878d2d447c4e829303a7e8bd202b0d35ae7576ead56d2946b
                                                                                                                  • Opcode Fuzzy Hash: da89fd3cbdd23a7ddbe5d8b9f381f279ea58f3e72d3b71a90626c9ff8252170d
                                                                                                                  • Instruction Fuzzy Hash: CA211A35601209EBDB10CF94DD89B9EBB75FF08310F2082A5A510AB2E1D7719E51DF94

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 191 40286c-4028b9 NtSetInformationProcess * 3
                                                                                                                  APIs
                                                                                                                  • NtSetInformationProcess.NTDLL(000000FF,00000021,?,00000004), ref: 00402888
                                                                                                                  • NtSetInformationProcess.NTDLL(000000FF,00000012,00000000,00000002,?,00000004), ref: 0040289D
                                                                                                                  • NtSetInformationProcess.NTDLL(000000FF,0000000C,00000000,00000004,?,00000004), ref: 004028B5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000B.00000002.3558522487.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000B.00000002.3558489221.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558556481.0000000000404000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558587334.0000000000405000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558616958.0000000000406000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_11_2_400000_E8D5.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: InformationProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1801817001-0
                                                                                                                  • Opcode ID: b71ac733508e6e437ba76d930e61bde730921b23b00966883a2217b3d9eaec84
                                                                                                                  • Instruction ID: 48adbd17ca007e7691ff2066b81a5959555298f4bd9a539b6f325b5cfe831ef7
                                                                                                                  • Opcode Fuzzy Hash: b71ac733508e6e437ba76d930e61bde730921b23b00966883a2217b3d9eaec84
                                                                                                                  • Instruction Fuzzy Hash: 2BF0F871141610EBEB15DB84DDC9F9637A8FB09720F2403A1F2319E1E6D3B0A484CF96

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 192 401dc2-401df0 194 401e21-401e27 192->194 195 401df2-401e10 NtProtectVirtualMemory 192->195 195->194 196 401e12-401e1f 195->196 196->194
                                                                                                                  APIs
                                                                                                                  • NtProtectVirtualMemory.NTDLL(000000FF,00000000,00000020,00000040,?), ref: 00401E0B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000B.00000002.3558522487.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000B.00000002.3558489221.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558556481.0000000000404000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558587334.0000000000405000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558616958.0000000000406000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_11_2_400000_E8D5.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MemoryProtectVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2706961497-3916222277
                                                                                                                  • Opcode ID: 743ccc95185ac25335bad8a24ea2ffb6d91b2a6f6c30658889cc31c7cdbad58c
                                                                                                                  • Instruction ID: 836d3446d31acb3b31e0b6cd8f4ee088cd02c28435d2c0c4ff934eaabbb3754d
                                                                                                                  • Opcode Fuzzy Hash: 743ccc95185ac25335bad8a24ea2ffb6d91b2a6f6c30658889cc31c7cdbad58c
                                                                                                                  • Instruction Fuzzy Hash: 72F03176500109ABDB00CF95D988BDFB7BCEB44324F2042A9EA14A72D1D7355E458B94

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 289 4016b4-4016c9 290 401859-401862 289->290 291 4016cf-4016d6 289->291 292 4016f5-401729 NtAllocateVirtualMemory 291->292 293 4016d8-4016f0 call 401000 291->293 292->290 295 40172f-40174c NtAllocateVirtualMemory 292->295 293->292 295->290 297 401752-40175a call 40152c 295->297 299 40175f-401761 297->299 299->290 300 401767-40176d 299->300 301 401774-401781 call 401000 300->301 302 40176f 300->302 305 401851-401854 301->305 306 401787-401798 call 401e78 301->306 302->290 305->300 309 4017c9-4017cc 306->309 310 40179a-4017c4 call 401e78 306->310 312 4017fa-4017fd 309->312 313 4017ce-4017f8 call 401e78 309->313 310->305 316 401815-401818 312->316 317 4017ff-401813 312->317 313->305 318 401830-401833 316->318 319 40181a-40182e 316->319 317->305 318->305 321 401835-40184b 318->321 319->305 321->305
                                                                                                                  APIs
                                                                                                                  • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00103000,00000040), ref: 0040171F
                                                                                                                  • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000000,00103000,00000004), ref: 00401742
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000B.00000002.3558522487.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000B.00000002.3558489221.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558556481.0000000000404000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558587334.0000000000405000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                  • Associated: 0000000B.00000002.3558616958.0000000000406000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_11_2_400000_E8D5.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocateMemoryVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2167126740-0
                                                                                                                  • Opcode ID: 4a0fb159cb167e270aa132b3f88ebad20637f68d71e3a3db65f788631af4fc76
                                                                                                                  • Instruction ID: ad4b5e7ce53ce887a57ee0cc443bca07838dd3003dcb7b2c4dfa2ad75add82e8
                                                                                                                  • Opcode Fuzzy Hash: 4a0fb159cb167e270aa132b3f88ebad20637f68d71e3a3db65f788631af4fc76
                                                                                                                  • Instruction Fuzzy Hash: E3416031904204DADF10EF58C884B9AB7A4FF05314F14C1BAE919EF2E6D7788A41CB6A
APIs
• FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 004022A4
Memory Dump Source
• Source File: 0000000B.00000002.3558522487.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3558489221.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.3558556481.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.3558587334.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.3558616958.0000000000406000.00000002.00000001.01000000.00000009.sdmp
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
APIs
• NtSetInformationThread.NTDLL(00000000,?,00000000,00000000), ref: 00401DBB
Similarity
• API ID: InformationThread
• String ID:
• API String ID: 4046476035-0

Control-flow Graph: first basic block 4032e4-4033a2 (executed / not-executed block rendering not reproduced)
APIs
• SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 004032FB
• GetDiskFreeSpaceW.KERNELBASE(?,?,?,00000000,00000000), ref: 00403313
• GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000,?), ref: 00403332
• GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00403375
• CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000), ref: 00403398
• DeviceIoControl.KERNELBASE(000000FF,0009C040,00000000,00000002,00000000,00000000,?,00000000), ref: 004033CD
Similarity
• API ID: DiskFileFreeSpace$ControlCreateDeviceNamePriorityTempThread
• String ID:
• API String ID: 2011835681-0

Control-flow Graph: first basic block 401b70-401b9f (executed / not-executed block rendering not reproduced)
APIs
• RtlCreateHeap.NTDLL(00001002,00000000,00000000,00000000,00000000,00000000), ref: 00401B96
• RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000), ref: 00401BBB
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0

Control-flow Graph: first basic block 403478-403488 (executed / not-executed block rendering not reproduced)
APIs
• SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 00403488
• WriteFile.KERNELBASE(?,?,?,?,?), ref: 0040350E
Similarity
• API ID: FilePriorityThreadWrite
• String ID:
• API String ID: 3596769661-0

Control-flow Graph: first basic block 4026c0-4026e5 (executed / not-executed block rendering not reproduced)
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004026FF
• ReadFile.KERNELBASE(000000FF,000000FF,0000021C,?,00000000), ref: 00402722
Similarity
• API ID: File$CreateRead
• String ID:
• API String ID: 3388366904-0

Control-flow Graph: first basic block 401a40-401a5a (executed / not-executed block rendering not reproduced)
APIs
• RtlAllocateHeap.NTDLL(00000000,00000008,00000010), ref: 00401A6D
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0

Control-flow Graph: first basic block 402e10-402e35; block 402e7c-402e8f calls MoveFileExW (executed / not-executed block rendering not reproduced)
APIs
• CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 00402227
Similarity
• API ID: CreateDirectory
APIs
• CreateThread.KERNELBASE(00000000,00000000,Function_00003478,00000000,00000000,00000000), ref: 004031A2
Similarity
• API ID: CreateThread
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000000,?), ref: 004014C4
Similarity
• API ID: Load
APIs
• RtlAdjustPrivilege.NTDLL(?,00000001,00000000,00000000), ref: 00402861
Similarity
• API ID: AdjustPrivilege
APIs
• RtlAllocateHeap.NTDLL(?,00000008,?), ref: 004020D7
Similarity
• API ID: AllocateHeap