Windows Analysis Report
22V6t8mgjo.ps1

Overview

General Information

Sample name: 22V6t8mgjo.ps1 (renamed because the original name is a hash value)
Original sample name: 2f5051217414f6e465f4c9ad0f59c3920efe8ff11ba8e778919bac8bd53d915c.ps1
Analysis ID: 1579858
MD5: 0eff1f3ca94f1c8aeb4b720d6dd54fc3
SHA1: 9397b1ce2b42e8b08431ea55afa951b0d0402c28
SHA256: 2f5051217414f6e465f4c9ad0f59c3920efe8ff11ba8e778919bac8bd53d915c
Tags: lockbit, lockbit40, powershell, ps1, ransomware, user-TheRavenFile

Detection

LockBit ransomware, Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Found post-exploitation toolkit Empire
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
Yara detected MetasploitPayload
AI detected suspicious sample
Changes the wallpaper picture
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found Tor onion address
Found potential ransomware demand text
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies existing user documents (likely ransomware behavior)
Powershell drops PE file
Sigma detected: Suspicious PowerShell Parameter Substring
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 5040 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\22V6t8mgjo.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6816 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\22V6t8mgjo.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • 8521.tmp (PID: 7060 cmdline: "C:\ProgramData\8521.tmp" MD5: 294E9F64CB1642DD89229FFF0592856B)
  • cleanup
{"URL": "http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion", "Ransom Note": "~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~\r\n\r\n>>>>> You must pay us.\r\n\r\nTor Browser Links BLOG where the stolen infortmation will be published:\r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/\r\nhttp://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/\r\nhttp://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/\r\nhttp://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/\r\nhttp://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/\r\nhttp://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/\r\nhttp://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/\r\n\r\n>>>>> What is the guarantee that we won't scam you? \r\nWe are the oldest extortion gang on the planet and nothing is more important to us than our reputation. We are not a politically motivated group and want nothing but financial rewards for our work. If we defraud even one client, other clients will not pay us. In 5 years, not a single client has been left dissatisfied after making a deal with us. If you pay the ransom, we will fulfill all the terms we agreed upon during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators' salaries. You can get more information about us on Elon Musk's Twitter at https://twitter.com/hashtag/lockbit?f=live.\r\n\r\n>>>>> Warning! 
Do not delete or modify encrypted files, it will lead to irreversible problems with decryption of files!\r\n\r\n>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. They will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.\r\n\r\n>>>>> When buying bitcoin, do not tell anyone the true purpose of the purchase. Some brokers, especially in the US, do not allow you to buy bitcoin to pay ransom. Communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for Donald Trump to win the election, buying bitcoin to participate in ICO and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. Also you can use adequate cryptocurrency brokers who do not ask questions for what you buy cryptocurrency.\r\n\r\n>>>>> After buying cryptocurrency from a broker, store the cryptocurrency on a cold wallet, such as https://electrum.org/ or any other cold cryptocurrency wallet, more details on https://bitcoin.org By paying the ransom from your personal cold cryptocurrency wallet, you will avoid any problems from regulators, police and brokers.\r\n\r\n>>>>> Don't be afraid of any legal consequences, you were very scared, that's why you followed all our instructions, it's not your fault if you are very scared. Not a single company that paid us has had issues. 
Any excuses are just for insurance company to not pay on their obligation.\r\n\r\n>>>>> You need to contact us via TOR darknet sites with your personal ID\r\n\r\nDownload and install Tor Browser https://www.torproject.org/\r\nWrite to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.\r\n\r\nTor Browser personal link for CHAT available only to you: \r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion\r\n\r\nTor Browser Links for CHAT \r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion\r\nhttp://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion\r\nhttp://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion\r\nhttp://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion\r\nhttp://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion\r\n\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>> Your personal identifier to communicate with us ID: 07AAB9B790E0235B36B753D4CEF58A32 
<<<<<\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n\r\n>>>>> Want a lamborghini, a ferrari and lots of titty girls? Sign up and start your pentester billionaire journey in 5 minutes with us.\r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion\r\nhttp://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion\r\nhttp://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion\r\nhttp://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion\r\nhttp://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion\r\n\r\nVersion: LockBitBlack4.0-rc-001\r\n"}
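The configuration block above is the artifact most teams act on first. As an added example (not part of the Joe Sandbox report), the Python below pulls the reusable indicators out of it: every .onion host grouped under the note heading it sits beneath, the victim ID, the DDoS-protection access key and the build version string. The JSON embedded in the script is a constructed excerpt of the configuration above (same "URL" / "Ransom Note" shape, a subset of the note's lines, addresses and identifiers copied from the report). Run on the full configuration it behaves the same way, with the affiliate links falling under their own ">>>>>" heading.

```python
import json
import re

# Constructed excerpt of the extracted configuration shown in the report:
# same JSON shape, note cut down to the lines that carry indicators.
CONFIG_JSON = json.dumps({
    "URL": "http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion",
    "Ransom Note": (
        "~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~\r\n\r\n"
        ">>>>> You must pay us.\r\n\r\n"
        "Tor Browser Links BLOG where the stolen infortmation will be published:\r\n"
        "( often times to protect our web sites from ddos attacks we include ACCESS KEY - "
        "ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\n"
        "http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/\r\n"
        "http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/\r\n\r\n"
        ">>>>> You need to contact us via TOR darknet sites with your personal ID\r\n\r\n"
        "Download and install Tor Browser https://www.torproject.org/\r\n\r\n"
        "Tor Browser personal link for CHAT available only to you: \r\n"
        "http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion\r\n\r\n"
        "Tor Browser Links for CHAT \r\n"
        "http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion\r\n\r\n"
        ">>>>> Your personal identifier to communicate with us ID: 07AAB9B790E0235B36B753D4CEF58A32 <<<<<\r\n\r\n"
        "Version: LockBitBlack4.0-rc-001\r\n"
    ),
})

# v3 onion services are exactly 56 base32 characters (a-z, 2-7) before ".onion".
ONION_RE = re.compile(r"https?://([a-z2-7]{56})\.onion\b", re.I)
ID_RE = re.compile(r"\bID:\s*([0-9A-F]{32})\b")
VERSION_RE = re.compile(r"^Version:\s*(\S+)", re.M)
ACCESS_KEY_RE = re.compile(r"ACCESS KEY - ([A-Z0-9]+)")


def _is_heading(line):
    """A section heading is a '>>>>>' line or a 'Tor Browser ... link(s)' line."""
    low = line.lower()
    return line.startswith(">>>>>") or ("tor browser" in low and "link" in low)


def parse_lockbit_config(raw_json):
    """Extract indicators from an extracted LockBit configuration.

    Returns the primary .onion host, every .onion host grouped under the note
    heading it appears beneath, the victim ID, the build version string and
    the access key; hosts are returned without scheme or trailing slash.
    """
    cfg = json.loads(raw_json)
    note = cfg["Ransom Note"].replace("\r\n", "\n")
    hosts, heading = {}, "(no heading)"
    for line in note.split("\n"):
        if _is_heading(line):
            heading = line.strip().rstrip(":").strip()
        for m in ONION_RE.finditer(line):
            hosts.setdefault(heading, []).append(m.group(1).lower() + ".onion")
    primary = ONION_RE.search(cfg.get("URL", ""))
    id_m, ver_m, key_m = ID_RE.search(note), VERSION_RE.search(note), ACCESS_KEY_RE.search(note)
    return {
        "primary_host": primary.group(1).lower() + ".onion" if primary else None,
        "hosts": hosts,
        "all_hosts": sorted({h for hs in hosts.values() for h in hs}),
        "victim_id": id_m.group(1) if id_m else None,
        "version": ver_m.group(1) if ver_m else None,
        "access_key": key_m.group(1) if key_m else None,
    }


if __name__ == "__main__":
    print(json.dumps(parse_lockbit_config(CONFIG_JSON), indent=2))
```

The grouping matters when turning this into blocklists: the blog and shared chat hosts recur across victims, while the note itself says the "personal link for CHAT" and the 32-hex ID are unique to this victim, so those two are better treated as keys for tying artifacts to this incident than as general indicators.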
Source: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_LockBit_ransomware; Description: Yara detected LockBit ransomware; Author: Joe Security
Source: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp; Rule: Windows_Ransomware_Lockbit_369e1e94; Description: unknown; Author: unknown; Strings:
  • 0x153bd:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x8c:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_MetasploitPayload_1; Description: Yara detected MetasploitPayload; Author: Joe Security
Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp; Rule: Windows_Hacktool_Mimikatz_355d5d3a; Description: Detection for Invoke-Mimikatz; Author: unknown; Strings:
  • 0x14ffb:$b2: -MemoryAddress $GetCommandLineWAddrTemp
  • 0x15152:$b2: -MemoryAddress $GetCommandLineWAddrTemp
  • 0x14c8d:$b3: -MemoryAddress $GetCommandLineAAddrTemp
  • 0x14de4:$b3: -MemoryAddress $GetCommandLineAAddrTemp
Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp; Rule: Empire_Invoke_Gen; Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1; Author: Florian Roth; Strings:
  • 0x14820:$s1: $Shellcode1 += 0x48
  • 0x17ef0:$s2: $PEHandle = [IntPtr]::Zero
  • 0x1a874:$s2: $PEHandle = [IntPtr]::Zero
(8 further Yara matches are not reproduced in this extract.)

Note that the Windows_Hacktool_Mimikatz_355d5d3a and Empire_Invoke_Gen hits land in the same memory region and both fire on variable names from the Invoke-ReflectivePEInjection loader (which Invoke-Mimikatz embeds). On their own they show that the script carries a PowerShell reflective PE loader, which fits the "Powershell drops PE file" and "Writes to foreign memory regions" entries in the Signatures list; they are not evidence of a Mimikatz payload.
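The $a3 string of Windows_Ransomware_Lockbit_369e1e94 is worth reading rather than only matching. As an added example (not from the report or from the rule's author), the Python below decodes those bytes with a small x86-32 decoder written for exactly that instruction subset, then reports which CPUID feature bits the code tests and which entropy instructions it reaches. The bytes are copied from the match above; the "..." at its end is a truncation in the report and is left as-is, so the final instruction (C1 C9, ror ecx, imm8) comes out incomplete.

```python
# Minimal x86-32 decoder for the instruction subset used by Yara string $a3.
R32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
R8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

# Bytes of the $a3 match as printed in the report; the trailing "..." of the
# match is a truncation in the report and is not filled in here.
SIG_A3 = bytes.fromhex(
    "53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2"
    " 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8"
    " 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9"
)


def _regform(modrm):
    """Split a ModRM byte into (reg, rm); only the register-direct form (mod == 3) is supported."""
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    return (reg, rm) if mod == 3 else None


def decode(code):
    """Decode the subset of x86-32 used by $a3 into (offset, text) pairs.

    Anything outside that subset, or cut off by the end of the buffer, yields
    one '(truncated or unsupported ...)' entry and decoding stops there.
    """
    out, i, n = [], 0, len(code)
    while i < n:
        b, start, text = code[i], i, None
        rf = _regform(code[i + 1]) if i + 1 < n else None
        if 0x50 <= b <= 0x57:
            text, i = f"push {R32[b - 0x50]}", i + 1
        elif 0x58 <= b <= 0x5F:
            text, i = f"pop {R32[b - 0x58]}", i + 1
        elif b == 0xC3:
            text, i = "ret", i + 1
        elif b == 0x6A and i + 1 < n:                      # push imm8
            text, i = f"push {code[i + 1]:#x}", i + 2
        elif b == 0x74 and i + 1 < n:                      # je rel8
            rel = code[i + 1] - 256 if code[i + 1] >= 128 else code[i + 1]
            text, i = f"je {start + 2 + rel:#x}", i + 2
        elif b == 0x84 and rf:                             # test r/m8, r8
            text, i = f"test {R8[rf[1]]}, {R8[rf[0]]}", i + 2
        elif b == 0x33 and rf:                             # xor r32, r/m32
            text, i = f"xor {R32[rf[0]]}, {R32[rf[1]]}", i + 2
        elif b == 0x8B and rf:                             # mov r32, r/m32
            text, i = f"mov {R32[rf[0]]}, {R32[rf[1]]}", i + 2
        elif b == 0xF7 and rf and rf[0] == 0 and i + 5 < n:   # test r/m32, imm32
            imm = int.from_bytes(code[i + 2:i + 6], "little")
            text, i = f"test {R32[rf[1]]}, {imm:#x}", i + 6
        elif b == 0xC1 and rf and rf[0] == 1 and i + 2 < n:   # ror r/m32, imm8
            text, i = f"ror {R32[rf[1]]}, {code[i + 2]}", i + 3
        elif b == 0x0F and i + 1 < n:
            b2 = code[i + 1]
            rf2 = _regform(code[i + 2]) if i + 2 < n else None
            if b2 == 0xA2:
                text, i = "cpuid", i + 2
            elif b2 == 0x31:
                text, i = "rdtsc", i + 2
            elif b2 == 0xC7 and rf2 and rf2[0] in (6, 7):   # 0F C7 /6 rdrand, /7 rdseed
                text, i = f"{'rdrand' if rf2[0] == 6 else 'rdseed'} {R32[rf2[1]]}", i + 3
            elif b2 == 0x95 and rf2:                          # setne r/m8
                text, i = f"setne {R8[rf2[1]]}", i + 3
        if text is None:
            text, i = f"(truncated or unsupported at {start:#x})", n
        out.append((start, text))
    return out


def cpuid_feature_tests(insns):
    """For each cpuid: the leaf loaded by 'push imm; pop eax' before it and the
    single feature bit checked by the first 'test reg, imm32' after it."""
    texts = [t for _, t in insns]
    found = []
    for k, t in enumerate(texts):
        if t != "cpuid":
            continue
        leaf = next((int(texts[j - 1].split()[1], 16) for j in range(k - 1, 0, -1)
                     if texts[j] == "pop eax" and texts[j - 1].startswith("push 0x")), None)
        for u in texts[k + 1:]:
            if u.startswith("test ") and ", 0x" in u:
                reg, imm = u[5:].split(", ")
                mask = int(imm, 16)
                bit = mask.bit_length() - 1 if mask and mask & (mask - 1) == 0 else None
                found.append((leaf, reg, bit))
                break
    return found


def entropy_sources(insns):
    """Hardware entropy instructions present, in first-use order."""
    seen = []
    for _, t in insns:
        mnem = t.split()[0]
        if mnem in ("rdrand", "rdseed", "rdtsc") and mnem not in seen:
            seen.append(mnem)
    return seen


if __name__ == "__main__":
    insns = decode(SIG_A3)
    for off, text in insns:
        print(f"{off:04x}  {text}")
    print("cpuid feature tests:", cpuid_feature_tests(insns))
    print("entropy sources:", entropy_sources(insns))
```

Decoded, the routine loads CPUID leaf 1 and tests ECX bit 30 (RDRAND support); if set it returns rdrand eax/edx. Otherwise it loads leaf 7 with ECX zeroed (sub-leaf 0) and tests EBX bit 18 (RDSEED); if set it returns rdseed eax/edx. Otherwise it falls through to rdtsc. That is a hardware random-number source with a timestamp-counter fallback, which is what one would expect near key or nonce generation and fits the "Detected potential crypto function" and "query CPU information (cpuid)" signatures above. These bytes contain no timing comparison, so the "CPUID execution measurement" anti-VM signature should be read as a heuristic unless other code in the sample confirms it.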

      System Summary

Source: Process started; Rule: Suspicious PowerShell Parameter Substring; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\22V6t8mgjo.ps1, CommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\22V6t8mgjo.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\22V6t8mgjo.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5040, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\22V6t8mgjo.ps1, ProcessId: 6816, ProcessName: powershell.exe
Source: Process started; Rule: Change PowerShell Policies to an Insecure Level; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\22V6t8mgjo.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\22V6t8mgjo.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\22V6t8mgjo.ps1", ProcessId: 5040, ProcessName: powershell.exe
Source: Registry Key set; Rule: Potentially Suspicious Desktop Background Change Via Registry; Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ); Data: Details: C:\ProgramData\kF0wnCN24.bmp, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6816, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\WallPaper
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\22V6t8mgjo.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\22V6t8mgjo.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\22V6t8mgjo.ps1", ProcessId: 5040, ProcessName: powershell.exe
      No Suricata rule has matched
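The Sigma hits above come from two event sources: process creation for the execution-policy and parameter-substring rules, and a registry SetValue for the wallpaper rule. As an added example, not code from the report or from the Sigma project, the Python below re-implements the core condition of each of the three rules in simplified form and runs them over constructed events built from the process tree and the Data fields above. The substring list and the wallpaper-writer allowlist are assumptions made for this example, not the rules' actual lists.

```python
import re

# Constructed events modelled on the process tree and the Sigma matches in this
# report (Sysmon EventID 1 = process creation, 13 = registry value set). Field
# names follow the report's "Data:" dumps; the list is assembled for the example.
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 5040, "ParentProcessId": 4084, "Image": PS64,
     "CommandLine": f'"{PS64}" -noLogo -ExecutionPolicy unrestricted -file "C:\\Users\\user\\Desktop\\22V6t8mgjo.ps1"'},
    {"EventID": 1, "ProcessId": 6816, "ParentProcessId": 5040, "Image": PS32,
     "CommandLine": f'"{PS32}" -ex bypass -nonI C:\\Users\\user\\Desktop\\22V6t8mgjo.ps1'},
    {"EventID": 13, "ProcessId": 6816, "Image": PS32,
     "TargetObject": r"HKEY_CURRENT_USER\Control Panel\Desktop\WallPaper",
     "Details": r"C:\ProgramData\kF0wnCN24.bmp"},
    # Benign control (assumed): an interactive shell started with the default policy.
    {"EventID": 1, "ProcessId": 7100, "ParentProcessId": 4084, "Image": PS64,
     "CommandLine": f'"{PS64}" -NoProfile'},
]


def _is_powershell(ev):
    return ev.get("Image", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


# Rule 1 (modelled on "Suspicious PowerShell Parameter Substring"): abbreviated
# parameter spellings that scripts use and people rarely type. The list is a
# subset chosen for this example, not the rule's full list.
SUSP_SUBSTRINGS = (" -ex ", " -noni", " -nop ", " -enc ", " -ec ", " -w hidden", " -win h")


def rule_param_substring(ev):
    if ev["EventID"] != 1 or not _is_powershell(ev):
        return False
    cl = " " + ev.get("CommandLine", "").lower() + " "
    return any(s in cl for s in SUSP_SUBSTRINGS)


# Rule 2 (modelled on "Change PowerShell Policies to an Insecure Level"): only
# the spellings -ExecutionPolicy / -ep / -exec are matched here, so "-ex bypass"
# is left to rule 1. The report shows the same split: this rule on PID 5040,
# rule 1 on PID 6816.
POLICY_RE = re.compile(r"-(?:executionpolicy|ep|exec)\s+(?:bypass|unrestricted)\b", re.I)


def rule_insecure_policy(ev):
    return ev["EventID"] == 1 and _is_powershell(ev) and bool(POLICY_RE.search(ev.get("CommandLine", "")))


# Rule 3 (modelled on "Potentially Suspicious Desktop Background Change Via
# Registry"): the wallpaper value rewritten by a process other than the shell.
# The writer allowlist is an assumption for this example.
WALLPAPER_VALUES = ("\\control panel\\desktop\\wallpaper", "\\control panel\\desktop\\wallpaperstyle")
WALLPAPER_WRITERS = ("\\explorer.exe", "\\svchost.exe", "\\systemsettings.exe")


def rule_wallpaper_change(ev):
    if ev["EventID"] != 13:
        return False
    return (ev.get("TargetObject", "").lower().endswith(WALLPAPER_VALUES)
            and not ev.get("Image", "").lower().endswith(WALLPAPER_WRITERS))


RULES = {
    "Suspicious PowerShell Parameter Substring": rule_param_substring,
    "Change PowerShell Policies to an Insecure Level": rule_insecure_policy,
    "Potentially Suspicious Desktop Background Change Via Registry": rule_wallpaper_change,
}


def evaluate(events):
    """Return (rule name, ProcessId) for every event that a rule matches."""
    return [(name, ev["ProcessId"]) for ev in events for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"PID {pid}: {name}")
```

The split between the first two rules is the point to take away for coverage: in this simplified form the execution-policy rule does not see the abbreviated "-ex bypass" that the 32-bit child used, and only the parameter-substring rule catches it, which is also what the report's own results show for PIDs 5040 and 6816. Tuning either rule out drops one half of the chain; the wallpaper write from powershell.exe then stays as the last independent signal before the ransom notes appear.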


      AV Detection

Source: C:\ProgramData\8521.tmp; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: kF0wnCN24.README.txt 5.3.dr; Malware Configuration Extractor: Lockbit (the extracted configuration is reproduced in full above, after the process tree)
Source: C:\ProgramData\8521.tmp; ReversingLabs: Detection: 86%
Source: 22V6t8mgjo.ps1; ReversingLabs: Detection: 31%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\ProgramData\8521.tmp; Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created (ransom note kF0wnCN24.README.txt written at each of the following paths):
  • C:\kF0wnCN24.README.txt
  • C:\Users\kF0wnCN24.README.txt
  • C:\Users\jones\kF0wnCN24.README.txt
  • C:\Users\jones\Videos\kF0wnCN24.README.txt
  • C:\Users\jones\Searches\kF0wnCN24.README.txt
  • C:\Users\jones\Saved Games\kF0wnCN24.README.txt
  • C:\Users\jones\Pictures\kF0wnCN24.README.txt
  • C:\Users\jones\Pictures\Saved Pictures\kF0wnCN24.README.txt
  • C:\Users\jones\Pictures\Camera Roll\kF0wnCN24.README.txt
  • C:\Users\jones\OneDrive\kF0wnCN24.README.txt
  • C:\Users\jones\Music\kF0wnCN24.README.txt
  • C:\Users\jones\Links\kF0wnCN24.README.txt
  • C:\Users\jones\Favorites\kF0wnCN24.README.txt
  • C:\Users\jones\Favorites\Links\kF0wnCN24.README.txt
  • C:\Users\jones\Downloads\kF0wnCN24.README.txt
  • C:\Users\jones\Documents\kF0wnCN24.README.txt
  • C:\Users\jones\Desktop\kF0wnCN24.README.txt
  • C:\Users\jones\Contacts\kF0wnCN24.README.txt
  • C:\Users\jones\3D Objects\kF0wnCN24.README.txt
  • C:\Users\jones\.ms-ad\kF0wnCN24.README.txt
  • C:\Users\user\kF0wnCN24.README.txt
  • C:\Users\user\Videos\kF0wnCN24.README.txt
  • C:\Users\user\Searches\kF0wnCN24.README.txt
  • C:\Users\user\Saved Games\kF0wnCN24.README.txt
  • C:\Users\user\Recent\kF0wnCN24.README.txt
  • C:\Users\user\Pictures\kF0wnCN24.README.txt
  • C:\Users\user\Pictures\Saved Pictures\kF0wnCN24.README.txt
  • C:\Users\user\Pictures\Camera Roll\kF0wnCN24.README.txt
  • C:\Users\user\OneDrive\kF0wnCN24.README.txt
  • C:\Users\user\Music\kF0wnCN24.README.txt
  • C:\Users\user\Links\kF0wnCN24.README.txt
  • C:\Users\user\Favorites\kF0wnCN24.README.txt
  • C:\Users\user\Favorites\Links\kF0wnCN24.README.txt
  • C:\Users\user\Downloads\kF0wnCN24.README.txt
  • C:\Users\user\Documents\kF0wnCN24.README.txt
  • C:\Users\user\Documents\ZIPXYXWIOY\kF0wnCN24.README.txt
  • C:\Users\user\Documents\PALRGUCVEH\kF0wnCN24.README.txt
  • C:\Users\user\Documents\GIGIYTFFYT\kF0wnCN24.README.txt
  • C:\Users\user\Documents\EWZCVGNOWT\kF0wnCN24.README.txt
  • C:\Users\user\Documents\CZQKSDDMWR\kF0wnCN24.README.txt
  • C:\Users\user\Documents\BJZFPPWAPT\kF0wnCN24.README.txt
  • C:\Users\user\Desktop\kF0wnCN24.README.txt
  • C:\Users\user\Desktop\ZIPXYXWIOY\kF0wnCN24.README.txt
  • C:\Users\user\Desktop\PALRGUCVEH\kF0wnCN24.README.txt
  • C:\Users\user\Desktop\GIGIYTFFYT\kF0wnCN24.README.txt
  • C:\Users\user\Desktop\EWZCVGNOWT\kF0wnCN24.README.txt
  • C:\Users\user\Desktop\CZQKSDDMWR\kF0wnCN24.README.txt
  • C:\Users\user\Desktop\BJZFPPWAPT\kF0wnCN24.README.txt
  • C:\Users\user\Contacts\kF0wnCN24.README.txt
  • C:\Users\user\3D Objects\kF0wnCN24.README.txt
  • C:\Users\user\.ms-ad\kF0wnCN24.README.txt
  • C:\$WinREAgent\kF0wnCN24.README.txt
  • C:\$WinREAgent\Scratch\kF0wnCN24.README.txt
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1853562919.0000000003102000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code functions (file and drive enumeration):
  • 3_2_09D294BC: FindFirstFileExW,GetFileAttributesW,DeleteFileW,FindNextFileW
  • 3_2_09D293E0: FindFirstFileExW
  • 3_2_09D30F48: SetThreadPriority,FindFirstFileExW,FindNextFileW
  • 3_2_09D2930C: FindFirstFileExW,FindNextFileW
  • 3_2_09D27AC0: FindFirstFileW,FindClose,FindNextFileW,FindClose
  • 3_2_09D292B8: GetLogicalDriveStringsW
Source: C:\ProgramData\8521.tmp; Code functions (file enumeration):
  • 11_2_0040227C: FindFirstFileExW
  • 11_2_0040152C: FindFirstFileExW,FindClose,FindNextFileW,FindClose
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened:
  • C:\Users\user
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  • C:\Users\user\AppData\Roaming\Microsoft\Windows
  • C:\Users\user\AppData
  • C:\Users\user\AppData\Roaming
  • C:\Users\user\AppData\Roaming\Microsoft

      Networking

Source: powershell.exe, 00000003.00000002.1929011115.00000000098D1000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
Source: powershell.exe, 00000003.00000002.1929011115.00000000098D1000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
Source: powershell.exe, 00000003.00000002.1943477215.0000000009FC0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
Source: kF0wnCN24.README.txt 5.3.dr; Strings found in binary or memory:
  • http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
  • http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
  • http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
  • http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
  • http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
  • http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
  • http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
  • http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
  • http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
  • http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
  • http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
  • http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
  • http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
  • http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
  • http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
  • http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
  • http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
  • http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
Source: kF0wnCN24.README.txt 43.3.dr; Strings found in binary or memory:
  • http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
  • http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
  • http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
  • http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
  • http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
  • http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
  • http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
  • http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
  • http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
  • http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
  • http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
  • http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
  • http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
  • http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt43.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt43.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt43.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt43.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt12.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt7.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt44.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt4.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt3.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt20.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt16.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt13.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt19.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt31.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt31.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt31.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt31.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt31.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt31.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt31.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt31.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt31.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt31.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt31.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt31.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt31.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt31.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt31.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt31.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt31.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt31.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt14.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt34.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt40.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt15.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt28.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt25.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt33.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt18.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt21.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt47.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt51.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt23.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt45.3.dr | String found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt42.3.dr | String found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt42.3.dr | String found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt42.3.dr | String found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt42.3.dr | String found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt42.3.dr | String found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt42.3.dr | String found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt42.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt42.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt42.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt42.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt42.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt42.3.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt42.3.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt42.3.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt42.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt42.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: kF0wnCN24.README.txt42.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: kF0wnCN24.README.txt42.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt24.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt24.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt24.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt24.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt24.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt24.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt24.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: kF0wnCN24.README.txt24.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: kF0wnCN24.README.txt24.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: kF0wnCN24.README.txt24.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt24.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      Source: powershell.exe, 00000003.00000002.1943477215.0000000009FC0000.00000004.00000020.00020000.00000000.sdmp, kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.drString found in binary or memory: http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
      Source: powershell.exe, 00000003.00000002.1929011115.00000000098D1000.00000004.00000020.00020000.00000000.sdmp, kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.drString found in binary or memory: http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
      Source: powershell.exe, 00000003.00000002.1929011115.00000000098D1000.00000004.00000020.00020000.00000000.sdmp, kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.drString found in binary or memory: http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion
      Source: powershell.exe, 00000001.00000002.1772472289.000002B05F588000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1717216894.000002B050C97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1885450230.0000000006157000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000001.00000002.1717216894.000002B04F311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1858280007.0000000004FE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000001.00000002.1717216894.000002B0508B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000003.00000002.1929011115.0000000009869000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
      Source: powershell.exe, 00000001.00000002.1717216894.000002B04F311000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000003.00000002.1858280007.0000000004FE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
      Source: powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: powershell.exe, 00000003.00000002.1943477215.0000000009FC0000.00000004.00000020.00020000.00000000.sdmp, kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.drString found in binary or memory: https://bitcoin.org
      Source: powershell.exe, 00000003.00000002.1885450230.0000000006157000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000003.00000002.1885450230.0000000006157000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000003.00000002.1885450230.0000000006157000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000003.00000002.1943477215.0000000009FC0000.00000004.00000020.00020000.00000000.sdmp, kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.drString found in binary or memory: https://electrum.org/
      Source: powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000001.00000002.1772472289.000002B05F588000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1717216894.000002B050C97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1885450230.0000000006157000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000001.00000002.1717216894.000002B0508B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
      Source: powershell.exe, 00000001.00000002.1717216894.000002B0508B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
      Source: kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drString found in binary or memory: https://twitter.com/hashtag/lockbit?f=live.
      Source: powershell.exe, 00000003.00000002.1943477215.0000000009FC0000.00000004.00000020.00020000.00000000.sdmp, kF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.drString found in binary or memory: https://www.torproject.org/

      Spam, unwanted Advertisements and Ransom Demands

      Source: C:\Users\user\Desktop\kF0wnCN24.README.txt Dropped file:
      ~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~
      >>>>> You must pay us.
      Tor Browser Links BLOG where the stolen infortmation will be published:
      ( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )
      http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
      http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
      http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
      http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
      http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
      http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
      http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
      >>>>> What is the guarantee that we won't scam you? We are the oldest extortion gang on the planet and nothing is more important to us than our reputation. We are not a politically motivated group and want nothing but financial rewards for our work. If we defraud even one client, other clients will not pay us. In 5 years, not a single client has been left dissatisfied after making a deal with us. If you pay the ransom, we will fulfill all the terms we agreed upon during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators' salaries. You can get more information about us on Elon Musk's Twitter at https://twitter.com/hashtag/lockbit?f=live.
      >>>>> Warning! Do not delete or modify encrypted files, it will lead to irreversible problems with decryption of files!
      >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. They will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.
      >>>>> When buying bitcoin, do not tell anyone the true purpose of the purchase. Some brokers, especially in the US, do not allow you to buy bitcoin to pay ransom. Communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for Donald Trump to win the election, buying bitcoin to participate in ICO and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. Also you can use adequate cryptocurrency brokers who do not ask questions for what you buy cryptocurrency.
      >>>>> After buying cryptocurrency from a broker, store the cryptocurrency on a
      Source: Yara match File source: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000003.00000002.1885450230.0000000006462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\kF0wnCN24.bmp
      Source: powershell.exe, 00000003.00000002.1929011115.00000000098D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: All your important files are stolen and encrypted!
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File moved: C:\Users\user\Desktop\PALRGUCVEH\PALRGUCVEH.docx
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File moved: C:\Users\user\Desktop\BJZFPPWAPT\DUUDTUBZFW.pdf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File moved: C:\Users\user\Desktop\PALRGUCVEH.xlsx
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File moved: C:\Users\user\Desktop\TQDFJHPUIU.png
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File moved: C:\Users\user\Desktop\PALRGUCVEH\QCOILOQIKC.mp3
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\Users\user\Desktop\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\Users\user\Documents\ZIPXYXWIOY\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\Users\user\Documents\PALRGUCVEH\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile dropped: C:\Users\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not aJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile dropped: C:\Users\user\Desktop\ZIPXYXWIOY\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not aJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile dropped: C:\Users\user\Desktop\PALRGUCVEH\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not aJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile dropped: C:\Users\jones\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not aJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile dropped: C:\Users\jones\Videos\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not aJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile dropped: C:\Users\jones\Searches\kF0wnCN24.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not aJump to dropped file

      System Summary

Source: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detection for Invoke-Mimikatz Author: unknown
Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
Source: 00000003.00000002.1885450230.0000000006462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTR | Matched rule: Detection for Invoke-Mimikatz Author: unknown
Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTR | Matched rule: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTR | Matched rule: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\8521.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2B5D0 NtQuerySystemInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2CDF0 NtSetInformationThread
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2AD80 RtlAdjustPrivilege,NtSetInformationThread
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2D0A8 NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D29C7C NtQuerySystemInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2CFE8 NtQueryInformationToken
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2FBB8 NtTerminateProcess
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D29EDC NtQueryDefaultUILanguage
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D28AFC NtQueryInformationToken
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2D660 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtProtectVirtualMemory,NtWriteVirtualMemory,NtDuplicateObject,CreateNamedPipeW,ResumeThread,ConnectNamedPipe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D28614 NtSetInformationThread
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2AD7E RtlAdjustPrivilege,NtSetInformationThread
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D29CC7 NtQuerySystemInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D29CAE NtQuerySystemInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D29C7A NtQuerySystemInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2B609 NtQuerySystemInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2B622 NtQuerySystemInformation
Source: C:\ProgramData\8521.tmp | Code function: 11_2_00402760 CreateFileW,ReadFile,NtClose
Source: C:\ProgramData\8521.tmp | Code function: 11_2_0040286C NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess
Source: C:\ProgramData\8521.tmp | Code function: 11_2_00402F18 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW
Source: C:\ProgramData\8521.tmp | Code function: 11_2_0040362E GetLogicalDriveStringsW,GetDriveTypeW,CreateThread,NtClose,Sleep
Source: C:\ProgramData\8521.tmp | Code function: 11_2_00401DC2 NtProtectVirtualMemory
Source: C:\ProgramData\8521.tmp | Code function: 11_2_00401D94 NtSetInformationThread
Source: C:\ProgramData\8521.tmp | Code function: 11_2_004016B4 NtAllocateVirtualMemory,NtAllocateVirtualMemory
Source: C:\ProgramData\8521.tmp | Code function: 11_2_004032E8 SetThreadPriority,GetDiskFreeSpaceW,GetDiskFreeSpaceExW,GetTempFileNameW,CreateFileW,DeviceIoControl,CreateIoCompletionPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D29EDC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D304DC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D270B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D26B9F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D26BA4
Source: Joe Sandbox View | Dropped File: C:\ProgramData\8521.tmp 917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Security
Source: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23
Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28
Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8
Source: 00000003.00000002.1885450230.0000000006462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTR | Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTR | Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28
Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTR | Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8
Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 8521.tmp.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winPS1@7/147@0/0
Source: C:\ProgramData\8521.tmp | Code function: 11_2_004032E8 SetThreadPriority,GetDiskFreeSpaceW,GetDiskFreeSpaceExW,GetTempFileNameW,CreateFileW,DeviceIoControl,CreateIoCompletionPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\kF0wnCN24.README.txt
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\ProgramData\8521.tmp | Mutant created: \Sessions\1\BaseNamedObjects\Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\3c327a3c730976ff4c65a77122158495
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2wmou2y.dvl.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: 22V6t8mgjo.ps1 | ReversingLabs: Detection: 31%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\22V6t8mgjo.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\22V6t8mgjo.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\ProgramData\8521.tmp "C:\ProgramData\8521.tmp"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\22V6t8mgjo.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\ProgramData\8521.tmp "C:\ProgramData\8521.tmp"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wtsapi32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rstrtmgr.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netapi32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wkscli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: samcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: logoncli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: activeds.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: adsldpc.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: textshaping.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
      Source: C:\ProgramData\8521.tmp | Section loaded: apphelp.dll
      Source: C:\ProgramData\8521.tmp | Section loaded: rstrtmgr.dll
      Source: C:\ProgramData\8521.tmp | Section loaded: ncrypt.dll
      Source: C:\ProgramData\8521.tmp | Section loaded: ntasn1.dll
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1853562919.0000000003102000.00000004.00000020.00020000.00000000.sdmp
      Source: 8521.tmp.3.dr | Static PE information: real checksum: 0x8fd0 should be: 0x4f26
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFB4AFD00BD pushad ; iretd 1_2_00007FFB4AFD00C1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04F60A95 pushfd ; iretd 3_2_04F60A9A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099FB8F0 pushad ; iretd 3_2_099FB8FA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099F8AFD push es; iretd 3_2_099F8B02
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099F3E4C push cs; retf 3_2_099F3E5A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099F30EB push esp; retf 3_2_099F30F2
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099FD518 push es; iretd 3_2_099FD526
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099F9405 push cs; iretd 3_2_099F941A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099F9430 push ss; iretd 3_2_099F954A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099F37F5 push cs; retf 3_2_099F380A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099F3758 push cs; retf 3_2_099F3762
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099FB745 push ebp; iretd 3_2_099FB74A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099FB680 push eax; iretd 3_2_099FB68A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099FB6B0 push edx; iretd 3_2_099FB6CA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099FF668 pushfd ; iretd 3_2_099FF672
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_099FB662 push eax; iretd 3_2_099FB67A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D25471 push 0000006Ah; retf 3_2_09D254E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2546F push 0000006Ah; retf 3_2_09D254E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D28012 pushfd ; iretd 3_2_09D28016
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D25408 push 0000006Ah; retf 3_2_09D254E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09DBB88A push eax; retf 3_2_09DBB8B1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09DB287D pushad ; iretd 3_2_09DB2891
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09DB286D push eax; iretd 3_2_09DB2871
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09DB7282 pushad ; ret 3_2_09DB7283
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09DBF438 pushad ; ret 3_2_09DBF443
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09DD19AD push 8BD68B50h; retf 3_2_09DD19B2
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09E00AC0 push eax; ret 3_2_09E00EF3
      Source: 8521.tmp.3.dr | Static PE information: section name: .text entropy: 7.985216639497568
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\8521.tmp
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Videos\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Searches\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Saved Games\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Pictures\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Pictures\Saved Pictures\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Pictures\Camera Roll\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\OneDrive\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Music\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Links\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Favorites\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Favorites\Links\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Downloads\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Documents\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Desktop\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\Contacts\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\3D Objects\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\jones\.ms-ad\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Videos\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Searches\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Saved Games\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Recent\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Pictures\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Pictures\Saved Pictures\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Pictures\Camera Roll\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\OneDrive\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Music\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Links\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Favorites\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Favorites\Links\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Downloads\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\ZIPXYXWIOY\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\PALRGUCVEH\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\GIGIYTFFYT\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\EWZCVGNOWT\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\CZQKSDDMWR\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\BJZFPPWAPT\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\ZIPXYXWIOY\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\PALRGUCVEH\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\GIGIYTFFYT\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\EWZCVGNOWT\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\CZQKSDDMWR\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\BJZFPPWAPT\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Contacts\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\3D Objects\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\.ms-ad\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\$WinREAgent\kF0wnCN24.README.txt
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\$WinREAgent\Scratch\kF0wnCN24.README.txt

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2AFE0 RegCreateKeyExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,RegCreateKeyExW,OpenEventLogW,ClearEventLogW,3_2_09D2AFE0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
      Source: C:\ProgramData\8521.tmp; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX

      Malware Analysis System Evasion

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_09D2108C 3_2_09D2108C
      Source: C:\ProgramData\8521.tmp; Code function: 11_2_00401E28 11_2_00401E28
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_09D2108C rdtsc 3_2_09D2108C
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4223
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1511
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7619
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1731
      Source: C:\ProgramData\8521.tmp; Window / User API: threadDelayed 1535
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960; Thread sleep time: -3689348814741908s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5900; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1936; Thread sleep time: -3689348814741908s >= -30000s
      Source: C:\ProgramData\8521.tmp TID: 6764; Thread sleep count: 1535 > 30
      Source: C:\ProgramData\8521.tmp TID: 6764; Thread sleep time: -153500s >= -30000s
      Source: C:\ProgramData\8521.tmp; Last function: Thread delayed
      Source: C:\ProgramData\8521.tmp; File Volume queried: C:\E9E954CD FullSizeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_09D294BC FindFirstFileExW,GetFileAttributesW,DeleteFileW,FindNextFileW, 3_2_09D294BC
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_09D293E0 FindFirstFileExW, 3_2_09D293E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_09D30F48 SetThreadPriority,FindFirstFileExW,FindNextFileW, 3_2_09D30F48
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_09D2930C FindFirstFileExW,FindNextFileW, 3_2_09D2930C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_09D27AC0 FindFirstFileW,FindClose,FindNextFileW,FindClose, 3_2_09D27AC0
      Source: C:\ProgramData\8521.tmp; Code function: 11_2_0040227C FindFirstFileExW, 11_2_0040227C
      Source: C:\ProgramData\8521.tmp; Code function: 11_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose, 11_2_0040152C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_09D292B8 GetLogicalDriveStringsW, 3_2_09D292B8
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

      Anti Debugging

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread information set: HideFromDebugger
      Source: C:\ProgramData\8521.tmp; Thread information set: HideFromDebugger
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_09D2108C rdtsc 3_2_09D2108C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_09D278BC LdrLoadDll, 3_2_09D278BC
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\ProgramData\8521.tmp base: 401000Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\22V6t8mgjo.ps1 Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\ProgramData\8521.tmp "C:\ProgramData\8521.tmp"Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_09D2108C cpuid 3_2_09D2108C
      Source: C:\ProgramData\8521.tmpCode function: EntryPoint,GetModuleHandleW,GetCommandLineW,GetModuleHandleA,GetCommandLineW,GetLocaleInfoW,GetLastError,FreeLibrary,FreeLibrary,GetProcAddress,CreateWindowExW,DefWindowProcW,GetWindowTextW,LoadMenuW,LoadMenuW,DefWindowProcW,SetTextColor,GetTextCharset,TextOutW,SetTextColor,GetTextColor,CreateFontW,GetTextColor,CreateDIBitmap,SelectObject,GetTextColor,CreateFontW,11_2_00403983
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_09D2D660 GetTempFileNameW, CreateFileW, WriteFile, CreateProcessW, NtQueryInformationProcess, NtProtectVirtualMemory, NtWriteVirtualMemory, NtDuplicateObject, CreateNamedPipeW, ResumeThread, ConnectNamedPipe | 3_2_09D2D660

      Remote Access Functionality

Source: powershell.exe, 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp | Memory string: $Shellcode1 += 0x48
Source: powershell.exe, 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp | Memory string: $PEHandle = [IntPtr]::Zero
Source: Yara match | File source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTR
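The two memory strings above ($PEHandle = [IntPtr]::Zero and $Shellcode1 += 0x48) are variable assignments of a PowerShell reflective PE loader, and the call list of function 3_2_09D2D660 (CreateProcessW, NtProtectVirtualMemory, NtWriteVirtualMemory, ResumeThread, plus CreateNamedPipeW/ConnectNamedPipe/NtDuplicateObject) is the native chain that spawns a process, writes into it and resumes it. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it reassembles PowerShell script block log fragments (Event ID 4104, using its ScriptBlockId, MessageNumber, MessageTotal and ScriptBlockText fields) and flags a script only when the loader variables co-occur with the injection APIs, so a script that the logger split across several 4104 events is still caught while a benign P/Invoke helper that merely touches [IntPtr]::Zero or CreateProcessW is not. The log records are constructed, the ScriptBlockId values are made up, and the co-occurrence rule is this example's own threshold rather than a signature from the report.

```python
import re
from collections import defaultdict

# Indicator groups. The strings are the two memory strings the report lists under
# "Remote Access Functionality" and the API names of function 3_2_09D2D660; the grouping
# and the flag rule below are this example's own choices, not sandbox signatures.
INDICATOR_GROUPS = {
    # Variable assignments characteristic of a PowerShell reflective PE loader
    "reflective_loader": [
        r"\$PEHandle\s*=\s*\[IntPtr\]::Zero",
        r"\$Shellcode1\s*\+=\s*0x48",
    ],
    # Native calls used to spawn a process and write/execute code inside it
    "injection_apis": [
        r"\bCreateProcessW\b",
        r"\bNtQueryInformationProcess\b",
        r"\bNtProtectVirtualMemory\b",
        r"\bNtWriteVirtualMemory\b",
        r"\bResumeThread\b",
    ],
    # Named-pipe handoff between the injector and the spawned process
    "pipe_handoff": [
        r"\bCreateNamedPipeW?\b",
        r"\bConnectNamedPipe\b",
        r"\bNtDuplicateObject\b",
    ],
}
# PowerShell is case-insensitive, so $pehandle must match as well as $PEHandle.
COMPILED = {group: [re.compile(p, re.IGNORECASE) for p in pats]
            for group, pats in INDICATOR_GROUPS.items()}

# Constructed Event ID 4104 records (not real log data; the ScriptBlockId values are made up).
# A long script is logged as several fragments sharing one ScriptBlockId; here the loader
# variables and the API calls deliberately land in different fragments.
SAMPLE_4104 = [
    {"ScriptBlockId": "11111111-aaaa-4bbb-8ccc-000000000001", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$PEHandle = [IntPtr]::Zero\n$Shellcode1 = @(0x48, 0xb8)\n$Shellcode1 += 0x48\n"},
    {"ScriptBlockId": "11111111-aaaa-4bbb-8ccc-000000000001", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "[Ntdll]::NtWriteVirtualMemory($hProc, $base, $buf, $buf.Length, [ref]$n)\n"
                        "[Kernel32]::ResumeThread($hThread)\n"},
    {"ScriptBlockId": "22222222-aaaa-4bbb-8ccc-000000000002", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "# ordinary P/Invoke helper\n$h = [IntPtr]::Zero\n"
                        "[Kernel32]::CreateProcessW($null, 'notepad.exe', ...)\n"},
]


def reassemble_script_blocks(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order."""
    fragments = defaultdict(dict)
    for ev in events:
        fragments[ev["ScriptBlockId"]][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
    return {sbid: "".join(text for _, text in sorted(parts.items()))
            for sbid, parts in fragments.items()}


def score_script(text):
    """Return which indicator groups hit. A script is flagged only when the loader
    variables co-occur with at least one of the API groups."""
    hits = {group: [p.pattern for p in pats if p.search(text)]
            for group, pats in COMPILED.items()}
    groups_hit = [g for g, h in hits.items() if h]
    flagged = "reflective_loader" in groups_hit and len(groups_hit) >= 2
    return {"flag": flagged, "groups": groups_hit, "hits": hits}


def triage(events):
    """Reassemble, then score every script block seen in the event list."""
    return {sbid: score_script(text)
            for sbid, text in reassemble_script_blocks(events).items()}


if __name__ == "__main__":
    for sbid, result in triage(SAMPLE_4104).items():
        print(sbid, "FLAG" if result["flag"] else "ok", result["groups"])
```

Scoring each fragment on its own would miss the first script block, because the loader variables and the Nt* calls never share a fragment; reassembling by ScriptBlockId first is what makes the co-occurrence rule usable on real 4104 data.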
MITRE ATT&CK Matrix (one line per tactic, techniques in the report's row order; a number in parentheses is the report's signature-hit badge for that technique, entries without one are unmatched cells of the matrix template)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: PowerShell (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (112); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (121); Process Injection (112); Obfuscated Files or Information (2); Software Packing (2); Indicator Removal (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (311); Process Discovery (1); Virtualization/Sandbox Evasion (121); Application Window Discovery (1); File and Directory Discovery (4); System Information Discovery (133); Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Proxy (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Data Encrypted for Impact (2); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Initial sample
Source | Detection | Scanner | Label | Link
22V6t8mgjo.ps1 | 32% | ReversingLabs | Script-PowerShell.Trojan.Lockbit |

Dropped files
Source | Detection | Scanner | Label | Link
C:\ProgramData\8521.tmp | 100% | Avira | TR/Crypt.ZPACK.Gen |
C:\ProgramData\8521.tmp | 100% | Joe Sandbox ML | |
C:\ProgramData\8521.tmp | 87% | ReversingLabs | Win32.Trojan.Malgent |

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs: No Antivirus matches

Contacted domains: No contacted domains info
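The URL table that follows lists the Tor v3 addresses carried in the dropped kF0wnCN24.README.txt ransom notes, all flagged malicious. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it pulls candidate v3 onion hostnames out of note text and checks each one structurally (56 base32 characters, version byte 3, and the two-byte SHA3-256 checksum defined by the Tor v3 onion address format), which goes beyond the report itself in that it lets an IOC pipeline reject truncated or garbled extractions instead of shipping them. The note excerpt is constructed; only the onion hostnames in it are taken from this report, and the key used to build a known-good address is derived from a fixed string rather than being a real Tor key.

```python
import base64
import hashlib
import re

B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")
# A v3 onion hostname is exactly 56 base32 characters: 32-byte key + 2-byte checksum + version.
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b")

# Constructed excerpt standing in for a dropped kF0wnCN24.README.txt note. The four
# lockbit*/xvt5* hostnames are the ones listed in this report; everything else is made up,
# including the final hostname, which is too short to be a valid v3 address.
SAMPLE_NOTE = """
Tor Browser links:
http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion
http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion
http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion (repeated in the note)
Clearnet: https://www.torproject.org/ https://bitcoin.org
Damaged line: http://shortbogusname.onion
"""

# Not a real Tor key: a deterministic 32-byte stand-in used to build a known-good address.
EXAMPLE_PUBKEY = hashlib.sha256(b"constructed example, not a real Tor key").digest()


def extract_onion_v3(text):
    """Return unique 56-character v3 onion hostnames in first-seen order."""
    seen = []
    for host in ONION_V3_RE.findall(text.lower()):
        if host not in seen:
            seen.append(host)
    return seen


def onion_v3_checksum(pubkey, version=3):
    """CHECKSUM = H(".onion checksum" || PUBKEY || VERSION)[:2] with H = SHA3-256."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def build_onion_v3(pubkey):
    """base32(PUBKEY || CHECKSUM || VERSION), lower-cased, without the .onion suffix."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses encode a 32-byte ed25519 public key")
    raw = pubkey + onion_v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode("ascii").lower()


def verify_onion_v3(host):
    """True only if host decodes to 35 bytes with version 3 and a matching checksum."""
    host = host.lower()
    if host.endswith(".onion"):
        host = host[:-6]
    if len(host) != 56 or not set(host) <= B32_ALPHABET:
        return False
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == 3 and checksum == onion_v3_checksum(pubkey, version)


def triage_note(text):
    """Map every extracted hostname to whether it passes the structural check."""
    return {host: verify_onion_v3(host) for host in extract_onion_v3(text)}


if __name__ == "__main__":
    for host, ok in triage_note(SAMPLE_NOTE).items():
        print(("valid  " if ok else "INVALID"), host + ".onion")
    demo = build_onion_v3(EXAMPLE_PUBKEY)
    print("constructed:", demo + ".onion", verify_onion_v3(demo))
```

Every v3 address ends in the letter d because the last five encoded bits are the version byte 0x03; a candidate that passes the regex but fails the checksum is almost always an extraction error, and that is exactly the kind of string a report parser produces when a line wraps inside a hostname.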
Name | Source | Malicious | Reputation
(The Antivirus Detection column is empty for every entry and is omitted here.)
Note set A = the 20 dropped ransom notes kF0wnCN24.README.txt{,3,4,5,7,12,13,14,15,16,19,20,25,28,31,33,34,40,43,44}.3.dr
Note set B = note set A plus kF0wnCN24.README.txt18.3.dr

http://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion | powershell.exe, 00000003.00000002.1943477215.0000000009FC0000.00000004.00000020.00020000.00000000.sdmp; note set A | true | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1772472289.000002B05F588000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000002.1717216894.000002B050C97000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1885450230.0000000006157000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000001.00000002.1717216894.000002B0508B3000.00000004.00000800.00020000.00000000.sdmp | false | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ | note set B | true | unknown
http://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion | powershell.exe, 00000003.00000002.1929011115.00000000098D1000.00000004.00000020.00020000.00000000.sdmp; note set A | true | unknown
http://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion | note set B | true | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion | note set B | true | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ | note set B | true | unknown
http://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion | note set B | true | unknown
https://contoso.com/License | powershell.exe, 00000003.00000002.1885450230.0000000006157000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1885450230.0000000006157000.00000004.00000800.00020000.00000000.sdmp | false | high
https://electrum.org/ | powershell.exe, 00000003.00000002.1943477215.0000000009FC0000.00000004.00000020.00020000.00000000.sdmp; note set A | true | unknown
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ | note set B | true | unknown
https://www.torproject.org/ | powershell.exe, 00000003.00000002.1943477215.0000000009FC0000.00000004.00000020.00020000.00000000.sdmp; note set A | false | high
https://bitcoin.org | powershell.exe, 00000003.00000002.1943477215.0000000009FC0000.00000004.00000020.00020000.00000000.sdmp; note set A | false | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion | note set B | true | unknown
http://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion | note set B | true | unknown
http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ | note set B | true | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1858280007.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ | note set B | true | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1858280007.00000000052AA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/ | powershell.exe, 00000003.00000002.1885450230.0000000006157000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1772472289.000002B05F588000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000002.1717216894.000002B050C97000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1885450230.0000000006157000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ | note set B | true | unknown
https://oneget.orgX | powershell.exe, 00000001.00000002.1717216894.000002B0508B3000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion | powershell.exe, 00000003.00000002.1929011115.00000000098D1000.00000004.00000020.00020000.00000000.sdmp; note set A | true | unknown
https://twitter.com/hashtag/lockbit?f=live. | note set B | false | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1717216894.000002B04F311000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion | note set B | true | unknown
http://www.microsoft.c | powershell.exe, 00000003.00000002.1929011115.0000000009869000.00000004.00000020.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1717216894.000002B04F311000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1858280007.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp | false | high
http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ | note set B | true | unknown
http://xvt5hvgldlzbll33sytrafy4sczfnqzrzdfuxe272iiaaw7pgogcxbid.onion | note set B | true |
                                                                                  unknown
                                                                                  https://oneget.orgpowershell.exe, 00000001.00000002.1717216894.000002B0508B3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onionkF0wnCN24.README.txt5.3.dr, kF0wnCN24.README.txt43.3.dr, kF0wnCN24.README.txt12.3.dr, kF0wnCN24.README.txt7.3.dr, kF0wnCN24.README.txt44.3.dr, kF0wnCN24.README.txt4.3.dr, kF0wnCN24.README.txt3.3.dr, kF0wnCN24.README.txt.3.dr, kF0wnCN24.README.txt20.3.dr, kF0wnCN24.README.txt16.3.dr, kF0wnCN24.README.txt13.3.dr, kF0wnCN24.README.txt19.3.dr, kF0wnCN24.README.txt31.3.dr, kF0wnCN24.README.txt14.3.dr, kF0wnCN24.README.txt34.3.dr, kF0wnCN24.README.txt40.3.dr, kF0wnCN24.README.txt15.3.dr, kF0wnCN24.README.txt28.3.dr, kF0wnCN24.README.txt25.3.dr, kF0wnCN24.README.txt33.3.dr, kF0wnCN24.README.txt18.3.drtrue
                                                                                      unknown
No contacted IP infos

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1579858
Start date and time:2024-12-23 12:32:11 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 26s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:15
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:22V6t8mgjo.ps1
renamed because original name is a hash value
Original Sample Name:2f5051217414f6e465f4c9ad0f59c3920efe8ff11ba8e778919bac8bd53d915c.ps1
Detection:MAL
Classification:mal100.rans.troj.spyw.evad.winPS1@7/147@0/0
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 128
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, VSSVC.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 20.109.210.53, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5040 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: 22V6t8mgjo.ps1
Time:06:33:38
Type:API Interceptor
Description:42x Sleep call for process: powershell.exe modified

Time:06:34:51
Type:API Interceptor
Description:1510x Sleep call for process: 8521.tmp modified
No context
Match:C:\ProgramData\8521.tmp
Associated Sample Name / URL (Detection, Threat Name):
• zhbEGHo55P.exe: malicious, LockBit ransomware
• LB3.exe: malicious, LockBit ransomware
• LBB.exe: malicious, LockBit ransomware
• ggjLV4w8Ya.exe: malicious, LockBit ransomware
• yEB1xvr2rZ.exe: malicious, LockBit ransomware
• 71p2xmx6rP.exe: malicious, LockBit ransomware
• 98ST13Qdiy.exe: malicious, LockBit ransomware
• c8JakemodH.exe: malicious, LockBit ransomware
• Document.doc.scr.exe: malicious, LockBit ransomware, TrojanRansom
• Rcqcps3y45.exe: malicious, LockBit ransomware
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\ProgramData\8521.tmp
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):13369344
                                                                                                          Entropy (8bit):7.999986558978796
                                                                                                          Encrypted:true
                                                                                                          SSDEEP:196608:4hWM3JnlkIQC5ALYBQ4N/brBhl3jCwxtRmMyN3YXVQ+iqIBR+dAw:1M5lkIQC54RezthhOwx/ra03tU+qw
                                                                                                          MD5:C4EB4C17A37E344E06DC265FA03B0F62
                                                                                                          SHA1:7004ABFB798F6D61704710C29E523074D91A227D
                                                                                                          SHA-256:A9E25A4FB1AAB1E7835A188CAFD7F088FCE236315E07C3ADFFA9792705A48431
                                                                                                          SHA-512:92D169EAF27FD1BDCA04B325CDE30573C543AA9FE510435584653034424E82F9497C8A1A94D375AA709D191A2C45E7E50927837A5C5278A401054BC8E13B9564
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:...h)4..f-D.`....)....r.CI....v.x9S...D.o..7./....@....."..dZ>........l..0.....B,~w..K.K..W$.....^!22..|.*g.p ).]...8.b....}...8.a..I...6.A...7....F.b..2C..f...g...`...,WN..]'..l........... A.W.l.@a(.$3.X.h.5.#wJ...@._.I._.T......Y..<........d.C...:.".FF.E2b.):.}Z...+F.;=...cx.b......f.3....o....e..`...#..v+.x..Fvk.X..k.R....^*CJb.[.Aq.V..;....Tr....9...J..M...Z..{.:........t...Y..H..[W.8.# ..../1........|.P....`K.1Hd.Gy/.1..$...f...g9.R...c..,.Z..^....A..H$........O....$............."/..Z....pfE...K...r..Z..H...B.=...B%.D.."..2..+$~-v.....`Q.EX......,..TQ........?..39[.Lz..p..V>.S.]X.z..>6.fs.^...{8.>..`{.O.|Fr..UpLs.JK[/.......S....kCM..#..o..R.....3.C:3I.0..@.}......Xj..zJ....)t...9`.Q7/.F......R..?7..5.N..b..P.-...)N.._.F..]..p..)...g...?.<Ko.."..)C.g}.%...t....&..k..&....))......].....q....x;<3.....p=.Ys...u...>...7..c,3.n..\...c.Cu.xi..8.<.}....cZ.4....`6<YU.$./d.....@(9..M.........#...X.....X0:.`.).0.Vj.d..e...I..T.3.J,..H.8
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):14336
                                                                                                          Entropy (8bit):7.4998500975364095
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:384:5cFP7VtpK4p+31Mzh79W5vM+ZyUgGq4BtMvAxXCRsi:A7Vf9p+qQ02y5HW6kX
                                                                                                          MD5:294E9F64CB1642DD89229FFF0592856B
                                                                                                          SHA1:97B148C27F3DA29BA7B18D6AEE8A0DB9102F47C9
                                                                                                          SHA-256:917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2
                                                                                                          SHA-512:B87D531890BF1577B9B4AF41DDDB2CDBBFA164CF197BD5987DF3A3075983645A3ACBA443E289B7BFD338422978A104F55298FBFE346872DE0895BDE44ADC89CF
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          • Antivirus: ReversingLabs, Detection: 87%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: zhbEGHo55P.exe, Detection: malicious, Browse
                                                                                                          • Filename: LB3.exe, Detection: malicious, Browse
                                                                                                          • Filename: LBB.exe, Detection: malicious, Browse
                                                                                                          • Filename: ggjLV4w8Ya.exe, Detection: malicious, Browse
                                                                                                          • Filename: yEB1xvr2rZ.exe, Detection: malicious, Browse
                                                                                                          • Filename: 71p2xmx6rP.exe, Detection: malicious, Browse
                                                                                                          • Filename: 98ST13Qdiy.exe, Detection: malicious, Browse
                                                                                                          • Filename: c8JakemodH.exe, Detection: malicious, Browse
                                                                                                          • Filename: Document.doc.scr.exe, Detection: malicious, Browse
                                                                                                          • Filename: Rcqcps3y45.exe, Detection: malicious, Browse
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....YPb.................,...........9.......@....@..........................p.......................@......................A..P....`...............................@......................`@.......................@..`............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...`....P.......4..............@....rsrc........`.......6..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 16, image size 2621440, cbSize 2621494, bits offset 54
                                                                                                          Category:dropped
                                                                                                          Size (bytes):2621494
                                                                                                          Entropy (8bit):0.20314583509010126
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:GKm71jTv37T1BNrdVRd3fF3bdJf7vhpnzBxD1fJ/tBfJvTLtFFdF9tlFNtnvDdFJ:2
                                                                                                          MD5:94A28C5B7B4726AA99126ACB2C08481F
                                                                                                          SHA1:1E9F8562FCB99F9E431602FC1113F938DC9003E2
                                                                                                          SHA-256:EF4683F06D7539970875A72E1FCC950BB29C3C4499F5B27DAB8A89441F2FC700
                                                                                                          SHA-512:B01FEE850669550E0927CB07E00E29D11E31CD1D150540B734A72E158662A7CA1F94E600AE4B6CCE53039E913A6E6738CB76A8ACC5D8BE2CEE708250BDF07E49
                                                                                                          Malicious:true
                                                                                                          Preview:BM6.(.....6...(.....................(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                          Category:dropped
                                                                                                          Size (bytes):15086
                                                                                                          Entropy (8bit):4.262047636092361
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:jpBaAlHSa2vU9G/8MMBD7O1lXFMB8VMJP7:jpjmkMYD7IFMRx7
                                                                                                          MD5:88D9337C4C9CFE2D9AFF8A2C718EC76B
                                                                                                          SHA1:CE9F87183A1148816A1F777BA60A08EF5CA0D203
                                                                                                          SHA-256:95E059EF72686460884B9AEA5C292C22917F75D56FE737D43BE440F82034F438
                                                                                                          SHA-512:ABAFEA8CA4E85F47BEFB5AA3EFEE9EEE699EA87786FAFF39EE712AE498438D19A06BB31289643B620CB8203555EA4E2B546EF2F10D3F0087733BC0CEACCBEAFD
                                                                                                          Malicious:false
                                                                                                          Preview:......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):239
Entropy (8bit):7.104035310025878
Encrypted:false
SSDEEP:6:u9DeYEHtH/C4ccVUqa8D9eH4Fgh8YetJIKYTt7guWFVKMT:FVq5p8peHmgh8AxTtOFVXT
MD5:27638354EA655BC4831762828F991120
SHA1:E85CA4DC3191DD4BE5A7F4F69E428FFCB98462AE
SHA-256:FC153AE049C036E0621B6DAB98CAA12937CFC2C3FF16B582C25F96DEC00BA04D
SHA-512:34ABD459AFAE7F4D780C3C627F7C09BE8391F86B45047B8F27C483863EEC786FE381760132A328FCD9182528CFD28006CDDC1C2A146F0503B0B5B1FD6C80A2DA
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.028611992754787
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
Malicious:false
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1628158735648508
Encrypted:false
SSDEEP:3:Nlllulvh2th:NllUE
MD5:1C6FEFD3AEFA5BA7595E7FC2E4284A86
SHA1:1061961FD8D9427258B32E58594747A9009930B7
SHA-256:AB4853F85060BF67D37B111333E3852386DF7BF6AA0499E6CEF96B10CE5A1621
SHA-512:03A091C2C65B6C22EFB336B4155E8579A540C773DB34E8F8654BC3D7044C00434020096B41BF2959245CA8722CF3913B38A653DE361A5BF0FDF218A6F07B6626
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6222
Entropy (8bit):3.7092282095458033
Encrypted:false
SSDEEP:96:KTdipC4P8PkvhkvCCtqsZI9gHApZI9bHAQ:+diRPUqsZkpZxQ
MD5:688C009A57F268DD573FE4337A205BCD
SHA1:DCE0D657472014176C3883BEFD1A78ED820AFE77
SHA-256:53DDA1BBEDBA3812290728A65436413D5FDABC16D709D66BC37FD9A7E509BF7E
SHA-512:2A572D52D5BA999505F418A884A3B254A328FD750B777F8675C6BA0587DC5D26EEE4166116A77DC50473CBC716E3FC2777804E7F3FAF9E8E9DD396D999E7D0C3
Malicious:false
Process:C:\ProgramData\8521.tmp
File Type:data
Category:modified
Size (bytes):477825
Entropy (8bit):7.997068957090049
Encrypted:true
SSDEEP:6144:Tx4WWIkx4WWIkx4WWIkx4WWIkx4WWIkx4WWIkx4WWIkx4g:d4WDy4WDy4WDy4WDy4WDy4WDy4WDy4g
MD5:140B900A1774374A41798C42F53280F1
SHA1:A7CAD8A5594A3FC67946E1083C74412C599E303B
SHA-256:8E416D25B506109502E45341CA5F00A1DFD94C131D879EDD7294843377BA164F
SHA-512:AEB138389B9CD106E9C8A6AF5ADF678CDB487ADB7FD3A65E0292D6E046795290B94E0D828ADE700CD863C4684669B00B8EFCDB5C0F45B188CDF5F3827870E91C
Malicious:true
                                                                                                          Preview:..(.e...... kt....D.[...8l.6d....V....$..9.>..Y....L..\.(...U... . ...;.@...V...~..7.b_p..... ...4.F..h...#.....S0..d... ............W..c.INE..#...py^........Ro.ugN....bemP.../JT|+:}..^.1d.):.7V}P.....b....Y...+.#..P......x...'..],.g.0.<.g........1.b.. .Q..Z..U.tB*0w.e..b(......~.\...G.+....Zg...*...y".\z.S...I.._#!.o.....Y.....&..W.e.....K......|..!.E.h.9..b<..vN..u...`..%.h..`........1.0'#.Wn..;H......b.I.._...nI..0.E...~....PG.Vut!...g.u.).(5.f.j.u.ioi.S...u..s.k...]..K......w....{.=\.0.v.......C..w.{'v[..%....U..P..7.J..W....;.O.[..X..d.>..M..p....j4..PV..F.8.jm....p~V.lY..H..|....N........./.."0.......r.(>.2$.f+l..B!N..6.(...z...0.r....l.i...6..cb.O..O'..S@u,_.....AB...%....kw.J':.!..qUdMA(.O..Nlt...c/{..i.#.f.9$..K.- ..m.Z....\J../..o3.S..a. ._.., .P........b.....k..?.YEYH.C..e.]..f..Z.0.7...< 6.....e..L.M..8~.^..1...E.FR......H.n{cf.~.....lM..oEPc..}......I.....fgu.q.u]pH.&.....?...oDg.......b..s.e.u...?.+S...o.......Jp.fi........F.%.
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.837827976380538
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:N13XPJ+mjnvgjJLYjVY+jGO3jnSVMlAIHOrjN+OUnaCaD5m81a/Saoqpw/fek86G:PHsIgjJkjVvGOOiltHOj7CEc81gSaYfg
                                                                                                          MD5:BA1C2048EA8DA420852DCC9430E49CAA
                                                                                                          SHA1:B67F4F5BE994FF4331144D140BBE6D4ECBB7DB84
                                                                                                          SHA-256:D7A84BEF4880187D336E7FD4CEC5EA716F63AC215363204672B65CEF31CD627C
                                                                                                          SHA-512:DD8F45B79AAFD6F42B09C3170210459360D91528D3AC8FB853506E8465758C853E160ED2732B440B9042209FEA0BCE3076031942EA62D8F38F7C24BBEB97A6C8
                                                                                                          Malicious:false
                                                                                                          Preview:.4...c../....{..=J.cxA..V.. W. .r..Q.]....!..6\......T..9..#M..._.M...GRs..P.....&.7..O........].)...X..f....<.=.W....S...B..G")...[..}D0nc..B..#J......w.BH.M.4Vw.`..GQ..XC.w.1....QK..CA.G...o.&...M..9.;[..c...K.0.Q...aAN/..o......!E.G8Ua{m..m(.4...c..6....q.."F.qfW..\..-U.&.j..E.W.....:..&W......V..5..4N...].._...LS...Q....2.=..P........Y.7...W..ve...4.2.T....D..C..S.i'.vde24.....L,..&...........Z.^Xa.&.s.[.W7...|.O0#.`.O.6.T.0.......=`Q....JC.........sI.BGS.....t7b..\6(..n............L..c...>.......%...`.....*|..kv.~..^..D;..rP.K...Q..9T./..y......:._ )0..[Yw.j.....!..b..f.v.L.`.TUkI.@^.;e..>...]...M..T.t".owm,9.....B ..'.........Z.@M~...}.S.I?...a.B&(.v.O.+._.#.......'`S....OQ..p.....~M.NC\.....k4u..@4"..|......J.].~A/....#.w.j_..\..2..........._..{.$%.@A.7...*+...BA@o.Z.d.6..KL.#..:.v.......h.d......YYh.....T_.~.$.........AT...#]6....d..D.'.&....T.....V...Kv%.x.oJ-.=...{.....s........l...R.6...>H...I.E...S....7m..w.p.>./..dU.
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.837327065890527
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:z3AG+apex45MOHnP/cqHNdg/FNZjFl5DEqEutfZOZaKU5WNXow5n86hO7j:b9Dsx4XH8+NdgJRlJEqEutfKU5e5n86G
                                                                                                          MD5:14A2708D89EE0A6E24293BCA354598E7
                                                                                                          SHA1:34263181001CF24CEFFD7EDF7D650FD5AECD0472
                                                                                                          SHA-256:82B99D2D50466AC96BA3A9E43C496163F2CA2643143E4B3AA92E6B6CF901395B
                                                                                                          SHA-512:27BF1EFC7FD348E31CC6C45B6FBC655948C880F45BCADA947BF4F66E18CD7D26A87C5343AD46D5CC1872808EDB4D2B7BE927A7E9CAAAD2C922E2FD7107158C02
                                                                                                          Malicious:false
                                                                                                          Preview:.y.#X.-_RI...6.F..W.u...wWA...b.J.[.=/....s..*.a!.....U..g.....v.j...r.0...-....o''.G...F...z.NF.A;0..m1.-._m.C?@.T1.Ge.....C.m.d1\zu.....1..p...|...5...2(l]i(.....2CY.?.E.....B!.Q..\3'.p.......LQ.cK.....l.L...H...._..'@C..t......zF.....SB.P:.y.>A.;GDP....".@...].k...`EL...r.A.O.7?....h..:.f*.....W..k...d.u.q...}.0/..,..~22.[...@...t.RK.T?9..y(.-.Ow.\$H.[2.Zx.....u...E..fA..L....MK.r*.&.\...>@]T...S..i>....A.\.[i..<...At.M..".].u...Q..btI.G.........n..zu.Z3j.d..T.}]....-.l..LW!F..#y......Q.i.V5.65...BA.}.r.Z.V.'.2.....k......eX....b..E....c.m..a..Bh..P.....W$F.z...+er..l-.g.G..w....o.4.(.........0....p...X...R..A....CE.u%.+.T.}.>XCR...L..c0....I.P.Fi..7...[t.P..?.Plq...O..xtK.S.........d..~u.^<n.x..C.xA...~?.a..\J=U_.@..}..=q..... .^.#...u.A.i....>....\.66o7...k+J..S.u...D.KW..{.z..;.EK2U.h.M....HD..Dt)x...._.].*a.aZ6..]Z.|=w6..._v......[.'+.}rxH.3EW.{...1|N....|.&.+T&fy>g.:.....t.......o.....?<~...C".$..i?...U...9..7......sJ...I.O.;vTIT
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1269
                                                                                                          Entropy (8bit):7.849990257214696
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:WFHcUm93h1EHfnsRAz51HO+hfZE+pEch+TzSDCyakG86hO7j:WF+93kHfnw41HbBpEcKNyakG86G
                                                                                                          MD5:F4588C7C584B61C8411D83F9BAF7BC17
                                                                                                          SHA1:B4D0D5D2BA6A0A6B82D325EF79BBF4EC105CA681
                                                                                                          SHA-256:267842473DDECE60487D28EC7BFAE8043637FA4764F6880D6EAC8869DE44909D
                                                                                                          SHA-512:D092FEF8586C3B41F134F27002A75ADA56B90C978A51FD749CA77F18C46794AFD61A4335EC8087458A8C8C94C12B8D8D3B235D98225AEB3F6F10988CC431056A
                                                                                                          Malicious:false
                                                                                                          Preview:0v..1.3".H..D......r..]<.0)...E......2..=).......kg.IE.P.^.L+.[Fu.$.js./k.=uu.kC.r..i......9.;..;R.%>...(L........S...zlR..b.U.?.U.. .Mf-...$\.....#....&..M.a\....x..g.#Jd.U.\jG.B...i]..... ...........1.M.1.\{.7|.,..).#5..j..._...=.#..h3.?<...L..%d../.'"..Q..X.....h..I3. 1...U......$../".......lk.AF.Z.S.\;.CGs.3.no.4~."~p.b[.z..l.....(.$..8@.<3...!S........B...ngU....A.gW!Z..I.O>...."..0....5"...-.{~...>....W.b.tU......J....d.`..N^.(me.F..W..m.....=I.%.uEvA,....u@e..:F.O...\.....U.>.N..h..l+m%#..V....|...n..h..v..Jr.}..y...H(.7..E.....`.....5y..T...n... ....T.....{.Pu..4..8..xB...^..7.O#..A.....T5.!Y...%..n...R.t\?U..L.C(....<..7....0"... .ga...!.....R.`.l^......_....}....UJ.?wl=S..C..q....(Ky=.}GqK0....`Lh..+T.N...P.....\.3.I..x..,.].A..]).^.4..z..o..1.@.sx..Cl.U..cIr...`...b.t..M`..g6Q..;~.Qo..7&bU..R../..4.".qfA*...&..T.5....^.x........A..~4...~v.....\...z..@!3.9...K..w..u%.....|).,.-.N..e..g.N..t..<..z.&.....d.8a......nI|.].J.dJ...c..l:.....
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1271
                                                                                                          Entropy (8bit):7.829895841361815
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:Bb9K+FknFikFmf/i4YTposvwoIQ3e8rqQsS01fD2ywKfTiNSQbCOm+HqeVqC86hY:BvFk7YK5posvwoIQ3zqQsf2YkPPP86G
                                                                                                          MD5:3FB028CEF5D8BB3440761B8F2AA6F853
                                                                                                          SHA1:7C5F324F5C98DA4E089DD5A4D9FC97F9A73E8B66
                                                                                                          SHA-256:A160687D34F3A75B7E3C1E3254F8641887118786E78FBEE1ECF078776297DAB4
                                                                                                          SHA-512:D1DB54CC29DF90E8B626511CB65852937CF91A1BE53BED0ABA91634113A8D9D773718593C8D74F02BDF37F946FEA91614CA1ED8EF5E6C811C2804C344DCBA40A
                                                                                                          Malicious:false
                                                                                                          Preview:.n%..N.J.x.._.P.....G.)..udt....S...j....`.nI..PP...k.cOK.N@..=..oV..F..@Gs..].@A*.n...<...l.K..f/......9...$....;.:o.&...K!..yae&../.D..DpD...iH.[...[..E.qA..A...}?....J....r....n....:......Sl.x..0.Nz"o.a....r.......D@.4...|+.u.}../.,cl#Uy>.a0..R.Q.m..E.U.....J.7..z|i....]...j....g.tS..F@....m...kAK.D@..9..uA..J..Y_`..O.J\8.........n.J..i6......5...'.....$.<n...z..KH...?.r9.Y...U..vA2..W........]N/G..L.T.T''8....f..mL..2.S2..i`.2[X).=+eOTzub..t....H...!.Kn.6.;.G......l...R.G.u..K..).u.[...T"..Qv..l.9$..Z.y..$..|.E.S....T..m...}.d.....W.....O..y..s.U.........w....F........cd3./...V`...4Qa.VU%..G..m..M@...>?n8.H...U..wI!..A........EU7M..P.U.A82:....c..pZ..1.L,..cv.%CH:.99u\]{tt..s....J....2.Gy.%.<.T......c..J.J.|..7......Q....`..!...QH.\5.Fy46...Q...#.VM...Hf.YB..1..`^x"...%.."...3.=.&B.....%.FlQe...+.u(..'n..4.U...YcGd.......ge...\...2........)..v.,@A.#...... ...me.1c`...L...;..`u\.A.8e..M@.V.../..R}...,..?..7}Y..K.Mvt'.e....
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.8619533287192604
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:3aEznKXEpcDOTUcZO9W2eCJWrsGitRiFZ5UlsYnwOwKL86hO7j:qKnbmyTUGSPek83FHusY2KL86G
                                                                                                          MD5:8324B96AC767821916B727B0D527F5B6
                                                                                                          SHA1:44543191D4C8A79F7B70F49A083CD371A796CB34
                                                                                                          SHA-256:CACE06047A747101DAE855326EDD43085CFA21FC23153066CC71D41E2E66DC47
                                                                                                          SHA-512:1F85A6542AF6EC07026EE294641954CF69B379B97388D7E7ABF4DDE1E14D66C932170E65567D7B06AB6C6E3037AB235EC1A0D5E6CF84AC31DC84FCC527D13736
                                                                                                          Malicious:false
                                                                                                          Preview:.;.u./7d....~...q.bd...+....}.h.}...r.!V.d.\..^.<......K.g_..j....T...9....`....+F3./}H..-....S.+e...6.,Q.;.........@.O.^mru.....=wYJ|.8.W.M.S(...."=e..#..R..E..l....K....@[z........h...O...n..4.....f....\M.`X/*.....B...t6!..z..vMB..2.f..k.[..Z.,.c.;<h....i...o.cr...8....p.}.f...t.)\...T..S........O..F..j....[...=....x....:V9.,uS../....[.5m...'.+D.#......b.N.M.W.....QS..D..].......j..|....1...qt.EU..;5.$...:|...6..(.OQ...=.b..L2..{P.i.....8j..X)..39.i..y~....g... ..%q..?..7b.u...=ws+//.j1 .........|[.9D.-R..D.....y7.1.@KAg.\...T.....U....B......!:K<..cmy...Q..K......Iz.j.Ii.rn.-z.m...!i.[..A..Ii..Z.....^\..[..X.......a..w..../...k}.JC..").)....y..."..6.SM...!.f..V9..lN.r.....%f..E0".? .x..yu....v....(..#}..=..4g.z...S.'.=.....I.02b[.Y...\R.....O(h../....f.k....6.......ZH....Y.B.*._"HL...%..X.\..X.$.P..b.c.W q.S.....0.d......C.:...).y...e..`.2..3.d.y...p{;R$P.>.B...%.....G].@...b0.|.5C.l...b,.....%.....L.o....Nr....;...T1.F....6....
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1274
                                                                                                          Entropy (8bit):7.855483460118342
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:bYWvN0mKwCAGLlqGibBSCdy8v65j3ZBeXZuXmbuFuYpC+0v61rRKrVIZ+YUh86hY:MWvN0ACAGoLBScs5j3jeXZbusY4+0bYx
                                                                                                          MD5:95584C46AEE17E379EA12D66682A7440
                                                                                                          SHA1:3C7F9A4C7D5FE3AB4A84785F4826B486AB284C79
                                                                                                          SHA-256:A3EFDC94499CA4F128138BBD2F82CDE9B60D5A89D89AC27D60F6A11FE850C0DB
                                                                                                          SHA-512:025335231B3BA7F090CFD2EA44513301BB13ECA9E30B9D7B431B0FECFC0E3200C366501DC0E234B00156270A185CAABB1319A1D970FF4BFE36EACF77E86EA07C
                                                                                                          Malicious:false
                                                                                                          Preview:.\eB_U.<.:....F'n?9..$v}...?.u....C...o..3.........'A..z2:o..............N.....`....... ..3}.+..~~......O.o...f}.P;0....`..CQ.......}G.L@t.'.....p:..&.SB-.......J.4.JU.sX\J.6A....R.A...xO.)..`hd6.Y.(....Fe....0....,e..BmS..8*|g~x.~.{q.qIx._....JnCZR.=.8....[,h/1..<~`...?.}....K..k..(.........;\..h-,g..............O...q........"..%x.;..ey......_.n.5.|k.B0(....c.}.[o.zHizOv5?...2....L.....v..*.?[..&...Iq.59B\.ic..3..dj";.....y...\m..(Z..Z..).W.*f.e.I;S.y.....Z'.F..Xo*z.@.d~...`.J._........h.ml=7'...>8*1....!..!...K.t.rkD!J.c-^`,.A6...p......H.6,.....iW..c....B*Br....I.E.3.....1]...<.).".9.n.}....Elt.e....|.Ou.nT~sOp5<.f.2....].....d..).,^..#...\f.(+[D.bb..0..nr36.....g...Hy..0L..Vd.#.@.)x.w.T5R.h.....G0.]..Dl%o.D.gk...h.I.F...".;.-#..LT.....D.?RlKq.0g.D.v...p...].&..p.?`........(yI....P....h#.)..3........6P..V.a.q..C.F...k<..^..`?...Tb.....:...'...../=..1.n.%.8.N...j.X.F....H.E....{..i...;..s$.xs.%iJ.w..*.Q\...Zo..R.4HW..T`...S/9Y..|........
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1270
                                                                                                          Entropy (8bit):7.824009500406341
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:ywI+zeQpf0rhtpg0OZnrpAA9jBDQyFWPxfGyJIZqSiW+KeQL0V1p86hO7j:yLgpf0rO1p9Tc5Jk5+3Z86G
                                                                                                          MD5:8A6ADBDF58A92B5DE9804259812395DE
                                                                                                          SHA1:ED1A5B78D2B1D00B642FCF994520B4B6A493DBED
                                                                                                          SHA-256:174180F139EBEC52A8E46B11C85C63B89F65945DBAB227620E204E80D4CAD655
                                                                                                          SHA-512:46FCEB4859C5CD0765F5A062767FD430060DED81E81E7771A2C90F65152A16B12A18DAA3D90FE40997098F9DCD12762CBEBA86A6A636C6BDB989BA27A8E6F688
                                                                                                          Malicious:false
                                                                                                          Preview:.6..,.Ng.h.....z"])......i.tw...P...&.........W|..-.u5O.MB.x.8.H....aC+.m.O+k.r.w3...~.B?.nO.m..Fp$..M.W...w8+.a/.0.....V.M7.Igok.{.....L.....=......T..y..16.....f?R....q.}..9I^I......*e5..o..g.e.#.?/.5l...7..kk....e.c...r.ggZ.1.tvn....".K1.Z..2.. ..*.Zx.k.....c&Q:.......~p...P...)........X`..8.h(B.X@.i.8.B....}S6.s.N!p.x.m!...u.C*.}E.h..Pd*..A.@...l(9.m+.>.....W.C......uJo...Be#..W/._shY..,'..f....M6......e%.p&B.....U/D..t....g3...5./.Q..@`.yW.Z..j..6...].ky..M..c.&......5.......OJ.Oy.....\!.~l.C..C..HloC.h.M.>...... .S6l..6.>2c.q%..;.5t/k^eF....P*..&..'6...9}...g.zxQ+..R..<P...$.N.C.`..[.....0...(....Q.}.......bIr...Xe&..[$.UboQ..,%..i....B(.......~5.g%A...S<Y..y....h"..$.+.D.Xw.nI.Q..n..&...L.bg..H..{.%.......&.......UC.N..Ua.......V#.....X.76pzX.c.}....3.M...#.....@..Wk..d.....:..Yx...&..m.h,.%&a...!I....a&J'..[.Qg._.."....X.F...|...3.H..e_...uFn4.O..Cw;J..X.0.7x...o.\.}/../b..Ky.q.a...!..:..11...Bb.c...1...............5.p~.Q..F.}....5
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1269
                                                                                                          Entropy (8bit):7.828603778585427
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:njtkBt9MYnUf7dCvMox3Lv+ARJI2W3WU+PHDo9Vw+o86hO7j:nxkH9MYnUJCkox3iA+Hw89Gp86G
                                                                                                          MD5:7FA7E1E8667D87BFA06022AD84E1E958
                                                                                                          SHA1:CA312086EE526B409666A5B168C53AA16B05B9B7
                                                                                                          SHA-256:6291E9E1A71F3295010FBB2D1F122E6E8E906723BE40110D5B36514CE23C15C5
                                                                                                          SHA-512:760A604F9DEFB22C0DECD899D6A67C6446C6488E5FFFE29D1E2823BCB8141C24EAE28CD54E040A510B271C3CB42A2B5C0CA579944CE79EB25D682767DD252809
                                                                                                          Malicious:false
                                                                                                          Preview:..p.Fs/W.5....W.!......T..R...l\...0..b*&..Z.`.....W^...Z..~P.f.hJ.s..7]..bK.=..0.-.~.D.H?C...`.<....9$.!....e.Xx]_......zk.WX...]........'..RJ...)....).SCg%.....M.>.-.k.h....X..:.H.."h....K...*....-.\..;D......X..#.....o^..5..<.q.~.^1..@r...x.Pg/P.,....N.)......]..J...|Z..."..d<4..O.n....._]......J...V.q.lV.h.(V..kS.5...>.:.r.F.D D...r.1....&6.-....p.S.H]....N..z.$.../d....%l..J..0.If{OU...%{X.V.WMj~;..y.^q.M.Xl.J..*....I..zAQC.W^$...s..0..7...}h.....y.z.L.= .W.....|..i.>:........1F<).R%..*.x..E.....Q..9V..=..X.k..u.r....U.W..5..o.....EG`{L...)......y.k.0P...........V34.h....E`}.Q......,.'Wp....]..u.2...9f....?k..[..0.AwvPI...8d@.F.RRhf#..d.Vd...X.Aj.]../....\..rUFA._I)...q../..=....l}.....k.v.D.>1.R.....k.).V.G. .ro..r$.+.dXJ.t.kR.......fl.....)(...;.u}8m.!.....wjv......vX...=wE;..I.._.xx...s`....mG.Wt.k...P.5..D....Ga^.q....L...r...Y^+.&<....,".R.K(....0.1a.p.%8.7.........<.3ha..P..'...G..kF.[LSn9q..F'...u....7%..7....
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1271
                                                                                                          Entropy (8bit):7.8262622388016085
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:X6CloRle5ICUuJzdgX+rvmtMiA4xsbThtLeZiy4WHqqq86hO7j:X6IoRle5muzdqqOtNYhAl4W886G
                                                                                                          MD5:04A53716A47B18EAF399FDFF2FB24C1E
                                                                                                          SHA1:B1499D17A9F6A72FE64490466E3D67302DC687E7
                                                                                                          SHA-256:EA17B817747B6BC7F6ED65A26764D602C6DF8B69F229F0AC56FA7EAE08BD8D8B
                                                                                                          SHA-512:EFB146949879558ADBC913B2C7812A16CDFD8E9F6C677315038971DB9BCD68E6EB6F5DE6B859737CAB99738C67D210E964E30EFBB6B53E33D54608CB89598A92
                                                                                                          Malicious:false
                                                                                                          Preview:'......+&...............xl3..X..M5.So.@0W0....\e.a.'.&R`8....`......r.@..M.jd...j...!:x[...K..r....X...a..*?...r.'...+F_..M~.e.y=./.+.X...V....h.K..Lg..+y..n.V`...$.G>(Vl.... .4oz..P.+.%f.,.Q...ZLD...*.M...2:.......p....5...e.h...,....S. .7......>=...............}t<.B..R;.Yn.[+T4....Fh.w.<.&Ts8....v......h.I..A.i}...w...<(~J...F..|....]...n...&:...o.;...4]Y..]~ld.d..m.a.....Q.2..9C....|*./...e..$.......0.F...[.....F....]i\~.hs.tDi{...^k....3t...`D..../.....W.....B]......?O...Z....m}..).X -.X.."...a.r^0..........W.......(D.....`..K..nq_O.A'.r.;HkJx.h/.9V..#.T.p........s..j.FM.l.....|.C.zE. ..;..]t{|.b..n.`.....T.-..7B...j%.#...}........./.D...B.....U....CbQt.dd.dWc....Wj....4v...dH....:.....X.....ZO......,W....U.!.....zr.D...w.C.}.%.Wj...D....z..B.....aD*..F#..#c.....#../.J.'n.Y.N-:J.U...S..KS\.i...bl.....t|3{...N.[w..<.&.....=..z...TD(7..x..[...D....i.e..O.....0......gc...K.P..k.....K/4.NN%.S5Z..k.qS"..h...:..m...N..>.tT!....Y
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1271
                                                                                                          Entropy (8bit):7.841489446281507
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:IGIpeQtDlOpr1v+6wkuCan7Xvx6fQMlSTHDHFFhNHOBZG86hO7j:4o0DCvdpcn7nMlSTJBaG86G
                                                                                                          MD5:EDDCE7E0CA12D33FE2740F4316E62C15
                                                                                                          SHA1:A2029FAC774515DB2DACE21BD870C5C33BC7F243
                                                                                                          SHA-256:E31DC05CE67F98ADB4886072764162B73FC9CD63DA2C6B411AE8EFBBBF8E444D
                                                                                                          SHA-512:5E21BEAF20217FCBD77DCFE8435DAE92E84AF2CEE1E9A29F2BE03A572051288DE4E6A7E3F18F2484526415CDC8B2BEBA53A1266D522DCE91AF658813431F60A5
                                                                                                          Malicious:false
                                                                                                          Preview:.Q.".7..3.#Ewoz...W.._x...z.9U.Zlss.J_.{...<. ....1...l....F<..x..*.(4.p..+.}.,$....%..#.S...?...`.=....i*9rH.,.....D e....V.L..F..*...I..Y[d...x..ed{.Y..II).......I...........N=........6.(eDBl..X.T...).Z.nbf...?.......vn..L.`.......&.!^.=.^.$.'..(.6]luu...^..R~..u..#F.Ebvy.J^.`...;.:..d...*........F*u.f..3.2#.t.s3.e.'9....7..9.K..1...a.2....k?5wA./.....[;c.b.K..@.K|.z.30.D9.Vh.j.2.Zl.|[.BTf.......c}..j.. ...1d..[.....#.%..O.......C....[...u.KJ%.-..HS...`}......a.Ky%h..tS....5..0..uj.$..5.i....p]...yT#. .W.+P`V.W.=.|......Q.P.r.?P7.C.25./.r..?.a....._../k...S6..z..|.7>8...g.t.L....O.|..[.....3..v..8.b.\..F.J..{./1.U2.^w...<.R..gM.N_`.......cf.k..5...?}..V....*.;..E.......G....Z...w.IV-./..YJ.....`n......e.Sk-z..mN....<....,..{....>.X........g.cv...U...AN........fB..2#..%..c'.&...k..'~>.....7".jw..u7Y.<..AZ}.c.s......Gh.{...&Q..?k...^.=.TK.-..|...#.o..Bsa.....<?.vB,.......v...g1].V.=....Cm..J.,.[.?..$.xA..0;..~.5.rp#........q...lJR}....
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.857375328007295
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:UptZ7PaePNNZZW/NzruWKbsyvFmYbRtGidgxxuBiQStqz+O1IHWLB6aOwLGIY8ig:crhFNeNuHAyv1zdGxxuBimyOC2IkLZY8
                                                                                                          MD5:CA8DE6501B82CC1F168A7B081C89CD7B
                                                                                                          SHA1:216B11B093BAEA3F92DAF263B43AEBF9687952DE
                                                                                                          SHA-256:0154814404645EAEC4A8BB62ED2FB8AD8233F80C4DC8022E13939B2F9919DAE9
                                                                                                          SHA-512:82EB0D64B3BA3BAE453F1C6292E45A1D4972E8ABFF60BEA674DC6442BD1CE55DACC775B95924F79300D749FD03789FD0406DB488AC767D5EE75FAD5E218366BD
                                                                                                          Malicious:false
                                                                                                          Preview:.]..p...m.;..z.3..s.2B*.w.t.4..s!.,#..%.+$Y.v..n..U..PQ...q$.O.V...._.k2.%..N...>.0..c..`R..c%QvRG5...?.])H...XY.[..qh}q..;...N....1c.......`.B..N1...E.@.{.N...Di...o_.....:.H..._.~.~X...|.fU..].eS.*.R.9.'.&........kI.E.55.....b.........v.J..w...q.%..g.-..e.$C9.o.y.!.....*".. .?,\.{..|..O..IU...v5.Y.]...[.z0.4..^...:. ..`..w]..j6VwZK+.....Z<_...MP.G..kfbs.....\..*l.1.6...tJ..:~.I.x.z"v..E...@C...:.uw.:...g..<G...s..^..F!@._Ek... x.}W$~.[...OZ..?$.}5O.J3<-/.j^8xo....x^.h"....f...7.......C.#q^fO.#L..O...a.c.7 .J.=.B\T..o...v.l._?......i.!./,f.,4y........x._...~....g{.p...}.....:M....ew.M..._....m....S..%k... ...pV..:u.A.c.o0h..C...VF...&.wp.3...b..(R...o..\..@%N.ENa...(c.nQ$d.V...NG..3(fm$[.J8<"*.{M3|h....cK.v8....t.a7..~eAp+/S.w.y ....X...8.o...I%G...;9...A.YeI.E..Gm...0!Y.k..'..%.....Z..#Y.....o..uU..m.=,......k0..c;......v.jo.}.(.\.m.yR.Ak......"T.....aC....>..Z......{..yu._..@...:.........c."-.B....1..!....r'...,._I.w .hn...C.
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.851191974743539
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:KPTsvskkJAR4JvWVK9acfd78fam1bYUvq3mIz47GbWfU6ezvE7RegAq86hO7j:SqsBiR4J+VK9acfd78v8UvqhzNbSKEt6
                                                                                                          MD5:ECD35945B9090A20C39F1323B0BE48F5
                                                                                                          SHA1:FBC1141A339AFC1C89DB549D84A2DB1571A7E424
                                                                                                          SHA-256:F7935D93BF5DD243835976596F8A573DA59E533C72DCB98D3A8F4B29A1E450D2
                                                                                                          SHA-512:31CF0EEA568CED94BD507411BCE9B9D917F044EC004CD77FBB085A5072F7F27F18B13C5651233D1B2BC50046E23D07CE4274EB68AEF0F9C4E99A62C05F582DFF
                                                                                                          Malicious:false
                                                                                                          Preview:.u...w}f.^*.A{.6..EE.33....A$F.d.3..r....G.jS..._...r...w.....'EM..?.r~.>.tY.......l...E..R.....:6..P.'o.g.kb83.v.$.n.).3..d_wf....?...........t.m...6......C.c.........#...Q.h.:..t!.....PD[!.0.g....l2U.r..1.4..8...U|1>..Zv..<;D<2...P../.....T&.W.:..b...cvj.B*.[l.!..UD..%....])J.u.?..t....S.oN...M...p...~.....1HF..<.vz.<.eW.......}...F..E.....=7..N."u.v.lw/+.q.1.g.".)..fF~=.g+.......uc]51\x...#..../.1o=V.t48@!...hQ#....Z@..p...........gY#..R..:...kC...).Qd.y.n./....;.8QC.8...p._g..0...S).Z..........TX.....n.C...mG|....V.Ll$..\.LoqR....rZ.S..e.!...`.ea./'...O...{..g...#5..^....j.....h@Fgbc...0.....[K..!. .9..G..4.f$......peN1-Qs...+....:./l(H.n="O7.b.qM?....ST.1l.............{_'..H..!...pX...3.\y.r.s.#..../.8ZC.=..{.Wh..+...I*.E....X...i..K.X..D_..J...%Z.d}...C...>).T>........!.;;Rxp.|.B...&..i.Sn.../W..+.Tz!..i....Q..ZK\.7.K.j ;..]..g.......<....J...XH'..89.al8U....z..".u.x............{..wG....<.......&..$.....;.0.k......|..S............%.....(..JJ
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1267
                                                                                                          Entropy (8bit):7.84923562502112
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:dumsBI1nuqdNX8yDonRi0rBbCXHKDa1DW+u9NqwS1MCC1Gw3LRa/XK86hO7j:MZBIEmNbObbcqDa1gqnqR8mE686G
                                                                                                          MD5:F392040F8C174998B78233982021755D
                                                                                                          SHA1:A5C99E7B62D0E6DB4FEBBE57540B76BA12A2126B
                                                                                                          SHA-256:626FCB60F592A6A757073DC998496A3CC06112518F0F45B9B4B0F2FD29625C31
                                                                                                          SHA-512:866E9508DFA73808C2026CC9D346CD393A3307EA9E22568457B4FF66F5F7809EDD98252E5395C4A159253D197FF95F05389999911AB9A3493F05A29AA84EBDAC
                                                                                                          Malicious:false
                                                                                                          Preview:~......R.Si).../.U..A .%...DT. Q.J...:...c.k9..V..;..{..Bks*t..N.Q..o.-.`8...2#ah=.....H.x....g7.r....*.hGGK...M.Lb..mW...j#L..4.....iC?O.#vZ.T..D@}.E...(.m`26...)H...7..(....K..^...}....d.4W.7. ..5H. =Ni.....DG..D..........@......(.U......n......G.F.(..1.Wn.O3.$...SC.:L.D....*...h.|+..L..%..|..Ow{#s..P._..n.5.x#...2=|h;......F.b....d1t~....>.m\BN...D.Ya..p.....,.ZQ....:w/.~~..1K....N......M[...k....#.Q.....=w..Iw..|.1<..'...}..\.3.5L......."./..s..,<..t....<(....`.......\Z.y.8...wF....@{...e..v..X..+.....h.H.r.e..........=>.*f*.. ........;.N..<-.B..(J....r.w...j?.0.#p.....v~.+[/.J...h.....g}.MP.p.....3.WH....>c%.ep.7X.....T......QK...i....0.C.....;w..X|..{.:4..'...}..].#.:H.......#.#..j..?;..d..o.0&...`.......KX.}....L.&..p............06....,e:p.o9.J}`(.....Q...U....Kn7P"-.E...ll.=S)*..T..a.s..#..w.[.c.kd.....&..V..x...e........#}..e....2....I-m].Lq..;uI.+.z....$.$wxF.Ji.w~....'k....o.....p.j..L...xCx..\.F......"...$.Ei.....<.).
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
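The entries above are what an analyst has to triage by hand: a run of files written by the same `powershell.exe` process, all 1267 to 1275 bytes, all with `Entropy (8bit)` around 7.85 (yet the report's own `Encrypted` field still reads `false`), plus the LockBit 4.0 ransom note at 6291 bytes and entropy 5.03 with the Tor blog URLs and an access key in its body. The following is an added Python example, not Joe Sandbox code and not anything shipped with the sample: it recomputes the 8-bit Shannon entropy the report prints, classifies each dropped file on that value rather than on the `Encrypted` flag, and pulls the `.onion` URLs and access key out of the note as IOCs. The 7.5 bits/byte threshold, the `classify`/`extract_iocs` helper names and the sample inputs are assumptions; the ciphertext stand-in is a constructed byte sequence with entropy exactly 8.0, and the note excerpt is built from the preview text shown above.

```python
import math
import re
from collections import Counter

# Assumption: bits/byte above which a small file is treated as encrypted or compressed.
HIGH_ENTROPY_THRESHOLD = 7.5

# v2 onion names are 16 base32 chars, v3 names are 56; the note above uses v3 addresses.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion/?")
# The note embeds the blog access key as "ACCESS KEY - <base32>".
ACCESS_KEY_RE = re.compile(r"ACCESS KEY\s*-\s*([A-Z2-7]+)")

# Constructed stand-in for one of the ~1.27 KB dropped files: every byte value
# equally often, so entropy is exactly 8.0 (real ciphertext of this size lands ~7.85).
ENCRYPTED_SAMPLE = bytes(range(256)) * 5

# Constructed excerpt of the ransom note preview shown in the report (CRLF terminated,
# matching the "with CRLF line terminators" file type the report gives for it).
RANSOM_NOTE_SAMPLE = (
    "~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal "
    "ransomware since 2019 ~~~~\r\n"
    "\r\n"
    ">>>>> You must pay us.\r\n"
    "Tor Browser Links BLOG where the stolen infortmation will be published:\r\n"
    "( often times to protect our web sites from ddos attacks we include ACCESS KEY - "
    "ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\n"
    "http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/\r\n"
    "http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/\r\n"
).encode("ascii")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the quantity the report lists as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(name: str, data: bytes) -> dict:
    """Triage one dropped file: ransom note if it carries onion URLs, encrypted output if
    its entropy is near 8 bits/byte, otherwise left for manual review."""
    ent = shannon_entropy(data)
    text = data.decode("latin-1")  # lossless byte-to-char mapping so the regex can run on binaries too
    if ONION_RE.search(text):
        verdict = "ransom_note"
    elif ent >= HIGH_ENTROPY_THRESHOLD:
        verdict = "likely_encrypted_victim_file"
    else:
        verdict = "unclassified"
    return {"name": name, "size": len(data), "entropy": round(ent, 4), "verdict": verdict}


def extract_iocs(note: bytes) -> dict:
    """Pull the Tor blog URLs and the access key out of a ransom note body."""
    text = note.decode("latin-1")
    key = ACCESS_KEY_RE.search(text)
    return {
        "onion_urls": sorted(set(ONION_RE.findall(text))),
        "access_key": key.group(1) if key else None,
    }


def triage(dropped: dict) -> dict:
    """Classify a {name: bytes} set of dropped files and count verdicts, as a report summary."""
    results = [classify(name, data) for name, data in dropped.items()]
    counts = Counter(r["verdict"] for r in results)
    return {"files": results, "counts": dict(counts)}


if __name__ == "__main__":
    summary = triage({"victim.docx.locked": ENCRYPTED_SAMPLE, "README.txt": RANSOM_NOTE_SAMPLE})
    for entry in summary["files"]:
        print(entry)
    print(extract_iocs(RANSOM_NOTE_SAMPLE))
```

On a real report the same logic is run over the dropped-file hashes rather than file bodies: a cluster of files with near-identical size, entropy above the threshold and one writing process is the encryption pass, and the low-entropy ASCII file from that same process is where the IOCs live. The `Encrypted:false` field is not a safe signal for this; the entropy column is.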
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1275
                                                                                                          Entropy (8bit):7.851207935824393
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:f79UkzQY6y2AD+VRXr/AHhnC+WeCftWPtKpbc86hO7j:D9UkzQY6zA+RXkHpCHIP8486G
                                                                                                          MD5:FEC20CFB1E8AF28302FEF892F650EBED
                                                                                                          SHA1:EE5E2AA36F5990A906A8BB796C45B85F212D93D9
                                                                                                          SHA-256:D93394EE88A52E5E57300A18854B7452A8F58BFAC84C63D6103F6C30D10D4CD1
                                                                                                          SHA-512:59CBC5FC6F588EF102317E0459B529D7D43437FB8757649DF136DF73419F23C580303ACD868C0808AAD3A6A250F6EC0A4337B6E860D7B83CEDF63DFF34B7B11C
                                                                                                          Malicious:false
                                                                                                          Preview:....@<..t..'.&.;.Z6.{..T.|wE.d.....*E....az.=+.g._...i.....$...o.qV.D..L...}yR.d;.%9.p%L.i.cA..... .U.6C6..o...I..F..%wb..ODD8(......L.:.<...\,...m+...-f"69/.....wR.P....<..35.......OF..7..E.o^..Z.N#B.L......$.R.E.....*eS..C....Y.y_.1o.*.|..{.....E;..x..1.>.0.J>.u..I.x}E.l.....9W.....z.57.o..C...{...;...m.jU.\..B...jeS.u%.8#.u.N.i.fP.....7.A.*V&..t..._..T../ka4)...J"...r_..E+f.N.4.......*..w....JI.Vr>..$......2....U..+.F..f.."...u..Zg..b.J.) ..b.W-.W2...C.{7..R}.o..q~..O6...D...v...p.BQs..?b.X....v.Y.p.WO.X'..r3... ._.R.....D.t^/,....0Z+..Q..&Zn.:..>]..E.=.....Ql~!...[....}`.*...W...[.N..p.k.......B..N4(...K6...rY..G2z.@.'.......8..t....O_.Ps+..9..6..~!...._..&.R...x..,...p..Bg..y.@.>(..x.I0.V$...K.}*..Ix.s..df..L#...Aw..u......D..ND.u.Qo.O.-z.$-m...Jr...k../H...-[....w...R%m......hv...,..............gQ.g2F....x.~..Nw.`.qq6.dC.7.}.....J..y.y.'m...r..g.....T.r......'...+:.....t0e.;...].....?B.*.p........I6.. !...y..6..t{...s..:..L.~..;
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1274
                                                                                                          Entropy (8bit):7.855780738371097
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:aJnIyPkeons/wHz2ijCi66mhv6NADRygpfTGVHcYYUs5/86hO7j:hGV8yiGi9m6CMVHcYYz/86G
                                                                                                          MD5:E62F35FF93EA508FFA855F78DFB2FDBE
                                                                                                          SHA1:04E4C3B13BB2EA9E129464A11947C075C3DA2AE0
                                                                                                          SHA-256:B6978936D9117AE190B781C95C32623617E4233619BE6B4A3426A8FFD61D428E
                                                                                                          SHA-512:EFBFB64382BBE4B174CF7AB64289B6AD97F83880DF308071C784B5AED07FE7AF71A003B34AAB92F4F98F3B5D224BAD34B4BFF7EFCDC21FF8DAEA867F94CF6A33
                                                                                                          Malicious:false
                                                                                                          Preview:....ys.....b..QZ5.;.}B.u."....`....*hI..c.<...-....Lp.V.yD9.....].....o./"...wR..7.8>..:.Yh.n...I.H..*.5lf..m.9..8..G.c...va.I...>_...c....Gk.".$Z....C/..t3t..96....t..kJ....u...$.`...p&..aY...3b.'.F=L.a..F.....$.h/........yb..K;.?./|E@..yq^..d8#}....|t........Z\%.'.eJ.~.(....j....9zM..x.<...9....Ql.D..qK(....._....x.!8...kS..).%$..?.[r.x...N.S..?.2x~..}.8..4..Z.q...rk.J.ENd........=.?./1X...........w.)q...m.....&".W..-....J.....T.A.O{?..y+...7|.....:U4.t...k...x.Ax.C\..m..Z..+...6%.Wvch.Ry.........M....P.0.....^...?.g)..#2d#+#x0o..e ...nh'..C]..U},..<. .J.&H...+..>...c..U.9$..#.Hj.b..............Z.4../[..DSp..........?.#.!'K..........t.(b.....k.....4;.O..>....@....._.U.M|1..y....7s.....2V*.f...}...p.Ge.NG..q..O..5...7;._l`k.Nv......B:.A94..+....^>BjO5.x]...f.{`.^.T.),J7[..@.....h7....o..Ag....B.-.F*.._.:.>...........k...f.m....d..........IsF.....7....3...).E...o}...dJ..:.R..}..*.^H.L.IF..+O.......... ...b.F....hB.M.fx.%7.X.?.eW.&[..){....
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1271
                                                                                                          Entropy (8bit):7.830369774894626
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:d+Yc6Ni0l+YF6Twgx19kvRv8NZvNtOx3gFnjnqYP1z70rVCCHIqHOgTIi86hO7j:g6ImF6TwgvCivNtOx3mnjquOCAIqbv8b
                                                                                                          MD5:FAE00C87574BC0551EB9C6CDF1039E8A
                                                                                                          SHA1:9B06DB05D2D89A6BA039964E1711D7B0FEB68B00
                                                                                                          SHA-256:15F5605D3090F13CE64ED864A609767E0BEA8EAD6219A6CE35AE53090E04521C
                                                                                                          SHA-512:E9549D43397A087734C734F1243D88D19AE8651655984AAD2E361C4F4F4D95879B38FCB6011B272D0F134C164A26497791E42EE398690F2D6D48A3B47287DEF3
                                                                                                          Malicious:false
                                                                                                          Preview:.....<..VNc.B.........Z;..........6.\..F....o..r..As...7.......3.Mm@....~f.D3.6.5w..........J..yM...q.B....9..& ......=1@,....ui.(.{..V.G.@n.......z+.,b..2.2.8>......X........m.h.....i...f.Y.;.i.3.3..0..&..@Z5......%..C.}.....]C.`.,...Z....}.Lc......,..MQv.Y........\%..........3.]..]....h..h..Wc...1.......3.XiY....zl.\0...>j..........G..w[...}.M....>..#)......$.[*.........._.h.....z...l..L@L0.oKF....^~}..J..........<...>...!.%.M2....W...".!.y#..`..zX..z...}.f.;...6...Q4..."...q.,!...XPs..9..(.z..,.:..;... . 6...W...s.`~i.......+S._..uP.*..;....c..Q.S7..<...Fk.i....6...,R.P+...+.....~i..[.F{./.k...I.l.._..........\.i.........l..DS[+.`XJ....Iff..J........<...!...2.&.S9....@...(.3.j*..v..}Z..x....~.s.,...1...I0...*...h.?9...Q_ek../...N#...._#E..v`.K ...x..bC(N.....'.?.B...MV=.}.F.......h..E.. .........z.....ej..@..W{B...I..x....(...C.~.G... +........k.+.._u.Mm....#..D..e.Os...!g#(.$...|h..2......&....3}/dQ..ng` "%D....y.TC..W.%$..P...u.gv!<.m.B.4
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.849905412188919
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:Um6nfPOjz1a7Rjb7dL+HJXox8TuRlD20kfqbTDPrw7XKXAkLDYV0L86hO7j:Um6n3OtwRjdCHJXox8C7C0kSTyaQDV0k
                                                                                                          MD5:540503A24D6257AA7068CC93E6E0A77D
                                                                                                          SHA1:FC88512941E9ED2F1816AF8816372FFCB119F5B4
                                                                                                          SHA-256:DCC62F21049669B1B2EEAF99296231B558ACB9FE29480B92C4C84945D2661346
                                                                                                          SHA-512:94073C8604AD108A45C71E2A0FF2BFCC95B3B22A37B4E6FC830B330B3F16BF906DAA23BB36A14E7AC623B757960FB9AD1172777718FFD1E2BB76E4BA1B484E9E
                                                                                                          Malicious:false
                                                                                                          Preview:].ho.......`....n`a...(..5..Gm.......D...d..+..x............m&..cp..L..#............u.;.l..t..=.0.i.h.+......I..|....>....,]..l..d.)O..=......V...F.n..4.\..P..y..e..+.......l.f.Y.u.G.%..e...)u.v6..Z.K.]e..D0....cu: ..sE...cz.0itn......6...V.L.wy.......z...pp`...;..-..Kx......A...a..(..`............f)..jt..N..-.........b.9.e..u..#.5.r.|.>....j@..w....<...P.qK.,5.A..E...;}.Zs.C.bk?'.GY...'.p..72..+.`?O.S.....d?.8-L.ta.`.b.(.2..<.. ..#OA..x....TL.....E5.....o...B.b.`...>N!V.q.|....).....4S..0`.!...T.h.).....,.-.L"..D3...I..s.........3!..+....i..U*.......Hr7...-....^...@..2..]43.?.....8...-..F..Q.xD.+?.[..V...0}._{.X.p~-9.RG...=.f..!+..&.g:F.V.....p*.&0P.ic.|.f.6.9..+...;..#UR..s....X@......N5.....d...M.d.{...$M$I.u....|..W|H..@(.......Ej.....Q.+.'..).,.s.rb.{.Fd..M?.m.cu...*C.,.d...tn._....pYG".AsuL!.T..=..)m.x!..b[N.......k.<tryr.........iR.l.+.$...d.. Z.k,f8..%T.D&...X3FY.qF..X..{.Eba...H^.F?...R.C../.G..-.Dz...,V._...#..?}.u.....

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1267
Entropy (8bit): 7.866232392555665
Encrypted: false
SSDEEP: 24:Xx3SIGqxHnNazCSOcnnTMoZuEM/sr2rF4jkh86hO7j:cIGqxHnaGcTMoj2Ga86G
MD5: 8EB15EC4B3DA3ED7CD0A6B24A55B77D8
SHA1: 345AB71E7A339087D5344D44366262342FD65EE9
SHA-256: 8B3CFD1B872077692401DA6635756AB13806418DF59A1B50DD496FC03DA729FD
SHA-512: 6CC5DD2C1CC50AAC284DD39FB97FE0F65E63F8C6FA4ABC3C23A9402F417627A12250DFBF02926387B36CF001C3D4759E4BFF237C6B7CC595045A4E7D15142B9F
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1275
Entropy (8bit): 7.869800034020616
Encrypted: false
SSDEEP: 24:h7EIanuWEzlvq3ME3U6oH1VXFOjoRrLcKQ2jQ086Q50o0Tkyd586hO7j:dEIeuJi3peTUjyLDHQP0gy386G
MD5: 13875B13B95A7820E8A9B3207BA64001
SHA1: 7F57134299F06A9CE1A9A2063877D19698F8CAAB
SHA-256: 112C7CAA973DBEE36EC439136E09CF929CF1D5096D8C1D26BA374B5E2CCB8C7F
SHA-512: 0CDE459DA6BC10463F4A03F44E3795D437596F76712ABB650A16333A522E72795355A42A2E0B56B6B6E57C683DE6A8E44DE817AD81217E53908CDBFE585E915F
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1268
Entropy (8bit): 7.850174473916882
Encrypted: false
SSDEEP: 24:DymJbmKOVtz/xHBRYsAHr/xdWvNXo/UMlKtFfAt8BF5Px3nfzz86hO7j:DFbF+xJhRYsA7cLJLQa3fzz86G
MD5: 2BFCC9D07D7F579BD5AEE4667F24F82A
SHA1: 75A1D3D8BC441B604E226B2F209D32444642A4BF
SHA-256: 49C29EE58200415E88F3BB08042862E9F8BF52F0E54C741441F0C1AD1D92BC9D
SHA-512: C12933766D578D7D51FA417732FCD8A345A38E88F66640A25A685D71C0204750EEA2EE40BFB61D0DEDFC4E3F1B4904F50D54CEE498A336A17919669B39CAEC61
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1272
Entropy (8bit): 7.875119374787498
Encrypted: false
SSDEEP: 24:G5GBYrpGP87v5hMTySOl3iCQjIjg7fEbpROdvYgWURq62M86hO7j:G5GG988z/MT4SRjMg7AOCnURl2M86G
MD5: A33EA2F4B4284C3E7F1708CCF30368DE
SHA1: 15DD9B51728BA92F2225AD7119D2BD0FA1A6F2E6
SHA-256: C623C23A54A68B0B50D7ED6F2EDE711038F6A26FE73E9523ADC6168CAA8D80A1
SHA-512: C3D39AED78D4A0939DCA4949F1DA5F269D7D1D43E1FEC5627604FA40EC33B08B5E51DE5D85B6472EF3F893C4C09D6BDE84673D5CF04F560292765356CA622044
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (837), with CRLF line terminators
Category: dropped
Size (bytes): 6291
Entropy (8bit): 5.028611992754787
Encrypted: false
SSDEEP: 192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
MD5: 9BA778C4ED0A8BD6CFE0635BF28B6033
SHA1: 16A6942CF881381A283606A4FE0A55ECF41BD3E5
SHA-256: A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
SHA-512: E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
Malicious: true
Preview: ~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: OpenPGP Public Key
Category: dropped
Size (bytes): 1268
Entropy (8bit): 7.838185136153536
Encrypted: false
SSDEEP: 24:02i3JkOl8gDa3/3SrEdPPp5IoJFam7AJ/JtMnq63yU/NCT5Eyz886hO7j:028Vl2Pir+Pam8Zuq63vq5EH86G
MD5: 77EBA27D61D4329A3475B5FF23FE0DB7
SHA1: F1F56031B54DF1DDEC9CA93A068A9EB11DE77503
SHA-256: 223BBC32189431B844521F013294E5198F4290D93A6B044DC854FA5E253AE434
SHA-512: C9ED68CDFEFEB72154925CB769000135DCB59966386E2A151D7E91998E286E20C8A9E69220F77650051C066511B6AB568606623693F1AD57DB0D95C956FBC782
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1272
Entropy (8bit): 7.856491601203771
Encrypted: false
SSDEEP: 24:zJWMmzmtC3BplH/FZkjsJ/0gCubmvrTep6L86hO7j:zJWiMXlGsJ/MveEL86G
MD5: 89A3FE336CB9CC798223DDACCABB1669
SHA1: 5B49EA880FF479819F83B51DA3EDE3938E61FE34
SHA-256: A3390106333CAD8AF45F22748032518D18B70A1A4272100978C006044EFF5BF2
SHA-512: 9B448D3493A0906401E3916576098F40957F7102479D5F85B59252B77E20E340C3FDAD6A588EAC0982DBDB3A16EB2A2769B34B5EA6843B066B6A341CA3B77792
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1270
Entropy (8bit): 7.829218110251922
Encrypted: false
SSDEEP: 24:xnPilfeL32kq+fBg6aoPYn9J1hn8zRQjrWTphj45eLmDPn984LThv86hO7j:xalfe72kq+kcYnHQVE6FhjWomDP98sJg
MD5: 5114F771594007B76C0BAC6A3640E790
SHA1: 560D6BD201B65C8D72C315245B56A31B7FE8C244
SHA-256: EDBBC41B44552407593530902A6C94524E466DFC93F95D6B0E03C717020FDE11
SHA-512: 0630D2B67E33DB35CF2B96DBD20D40E4DFFF1246D17755822EF16699067B85C4C43B535642BD7BF1FE104CD0C6384F2A6ADBAA356398224D75B3D472659294CA
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (837), with CRLF line terminators
Category: dropped
Size (bytes): 6291
Entropy (8bit): 5.028611992754787
Encrypted: false
SSDEEP: 192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
MD5: 9BA778C4ED0A8BD6CFE0635BF28B6033
SHA1: 16A6942CF881381A283606A4FE0A55ECF41BD3E5
SHA-256: A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
SHA-512: E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
Malicious: true
Preview: ~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (837), with CRLF line terminators
Category: dropped
Size (bytes): 6291
Entropy (8bit): 5.028611992754787
Encrypted: false
SSDEEP: 192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
MD5: 9BA778C4ED0A8BD6CFE0635BF28B6033
SHA1: 16A6942CF881381A283606A4FE0A55ECF41BD3E5
SHA-256: A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
SHA-512: E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
Malicious: true
Preview: ~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1272
Entropy (8bit): 7.841672159422994
Encrypted: false
SSDEEP: 24:zkcoP4yL1btdoEHf5+9ktRsio7oxhmYAN9tEUM/wRzsh86hO7j:QbZL7KE/5+iqimmwrTtOYRgh86G
MD5: FEC2429045A052C1138F3ED2CB1F7317
SHA1: 4001F6494957D9956D72F4CFCA91DFB58231EA9D
SHA-256: B9C1F052B52E3713DA90DCD2B2D3F98EC71AD6E7BF4AF0E3376D774D87161599
SHA-512: 504230477F825472AF3983D7A86240BCE5A7CC35521CC7F6A37FBD47E5E0ACADA22B4DB7DD5F0EF005C9A8214EE33D624221112E2EC02CBCA2E0F27401AADBFD
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1272
Entropy (8bit): 7.853964211309913
Encrypted: false
SSDEEP: 24:XkgVYNmG3+LZAsdW8zx7lryCBHu78sJD+5ClYcK6/UndkIE+x+lU9Oi9w4U86hO/:0kGMAsxF7IxlWcLMk/+xm0W4U86G
MD5: 9D2AD8E722DA6709D0DC9DF66C506A37
SHA1: B7B35CAAAC10B6702114A240BC6D1488DB3F0611
SHA-256: 5FBB982E3E31661136E7169DB067BA584047908B72F723DF5976C5DBBA555BCB
SHA-512: 46364CA00156D09C5DF4C525E87970C03F837F7FA1C011A2F63D7691F6534A560142CC2F0D5D025078CF61FE6468A2D23E153BC6D09A28081FF69B15E582EA57
Malicious: false
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1269
                                                                                                          Entropy (8bit):7.788915037763048
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:OPA7Ji0fs9VLN626Vc8maQX9nFbvpbEj9w3JE+XOOoDcVc4l68Z86hO7j:OPa09pIv+JXnvpbEZw32KOGi4r86G
                                                                                                          MD5:1C27066C1827BE1C3C7413B274E357B7
                                                                                                          SHA1:AD0E56348FED950720DD50A4022D7EF91ACE4E23
                                                                                                          SHA-256:2020BA55B2F7E1CBA8AACA88CAE28D1B7F1CE4A3452EAB0AF133D99F0F6F47AE
                                                                                                          SHA-512:86AD7D18D7585EB87DA042A8E5EED18A4ECDEE6237DB4249E8BA35DE93A431E197C7AEEB00EA27FFA113ED36092C8602FB555663AF8EE5883A4711A4FBB5F3E1
                                                                                                          Malicious:false
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1271
                                                                                                          Entropy (8bit):7.862012799778207
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:TfqgYjCVA5yhn1cPdiYut+3q9nIYEC8GvNGdgU9dPvOHqU6fi486hO7j:OU4Awi3t+3qOYEgU9RvOTe86G
                                                                                                          MD5:1100CCB6230E98F613C708145079807E
                                                                                                          SHA1:CB46BD771FC7F449FE8E9355418ECBCB0DBCE036
                                                                                                          SHA-256:D7BBA1DA281D2F98BACE51073A531F787706C24E4D587B7B429F4DFEBABE4F0B
                                                                                                          SHA-512:5E2659B90FFA481EC2636811A678A302048543230BF6494954D4675F110BC6163C9C6197E01D59B126E18FAD3F1840541E91FA6D2024D8FD70B9AE2B927AD6A1
                                                                                                          Malicious:false
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.843271602361614
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:0gZ73FyVQkb3h0dab+V7do+AU3nmQ2/249jjNE1iylzSGQOw986hO7j:003FyVzb3W7VZDCfZ+pO986G
                                                                                                          MD5:3BE4B0242318807C4853BC25688780A2
                                                                                                          SHA1:4C135B9FD2F1993E7C89195661FC37F402FA3FF9
                                                                                                          SHA-256:DC187E145075B2D89E2EC717B6B1BD711C6890489B2A63D09339531536AD26BF
                                                                                                          SHA-512:37E4A58EE911A43C8C4E51E771CAE7562A3822E882F919ABB5591B0428E528873D6AFD4A1185CC015FE24BC2D674D709F453FCA3AB2C7154130BA339D18E7EE1
                                                                                                          Malicious:false
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1274
                                                                                                          Entropy (8bit):7.843560510141065
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:wBqDYpjMT17GWexNA5xxEXkkqXk6ZM4Bhn1akS+RKYUVkwPiDF86hO7j:QqR6KfkGVZ9BhndSHYo6p86G
                                                                                                          MD5:0A8329FC17B8A610E699521E93E5D651
                                                                                                          SHA1:1BE4E78B01E728F1DB3AF5C542769DE32C3C17C8
                                                                                                          SHA-256:32CA39F8757AEDF0BF6217F8F95FE769A142993BB882F4E000F19C974A13EBBA
                                                                                                          SHA-512:38AA262FE8FD2D4FEC6AEB333C17F643D342C74CCA327448D268B5185440346A6FBD04F2D8E710DF9A02449AFF23235310EBC08A4E83A0E485CEBCCCB75A6492
                                                                                                          Malicious:false
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1270
                                                                                                          Entropy (8bit):7.856625144159148
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:tInGSXxQ1W0wPLv9R7mP74Zz8CzP4DBZxyR9T8mewPD4LI0dGH86hO7j:irxQM0TP7uHUD3xyR9UwR0sH86G
                                                                                                          MD5:78FB3E0022E83701F2C8FDAA058F0368
                                                                                                          SHA1:8938B853A52395C65A1C920BB00349018F58A29E
                                                                                                          SHA-256:C79436524B9993BD889C52CF2BD7D9A33D4883A1407BB45DA7B9DE218D307623
                                                                                                          SHA-512:0124AF203F9C218487FEC8EC33644FF2490EDADFBD927F50858E4F8CADFFB13D2A2662CC476CCA060CA4E17ECBDB2EDD2A0F1C46CEF58E1B83C2E4D26F9DCFD0
                                                                                                          Malicious:false
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1269
                                                                                                          Entropy (8bit):7.851870053883693
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:shIVatiUismPI8B29cJIaJ0rEOzp7QQlyZlM1Gj0mPDxBUV8bF/86hO7j:smktZugtP404mp7SuQdBUV8bF/86G
                                                                                                          MD5:5E5681EF78338D72DAF3885ACC4FE31A
                                                                                                          SHA1:1095E32AB7D107F1BDCBB07B9943CBE2AA4ED7D9
                                                                                                          SHA-256:CC987A9FC62B6871DB7EAD8D30B3590D92087355BB4AF5BAA0E6408EFD9EEC3B
                                                                                                          SHA-512:3EEB0767F92AD97188E992E9C4525578ACCE0AB81B273ED3B411753BA731208D90C76F2310600C97A95A09328CC540B7E486E0D7EB7D61CA78FEC4992F4743D8
                                                                                                          Malicious:false
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:x86 executable (TV) not stripped
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1271
                                                                                                          Entropy (8bit):7.834704082997344
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:lvvxiWJtXumu48/JiRm8qhFDP6tu974v19HqNI686hO7j:LZX3K/8RvqPSbjg86G
                                                                                                          MD5:8E9DA6C35329B891C87D471C23C60F9E
                                                                                                          SHA1:9C2D336CF0636262920B3E81334F4DCB0FC402AA
                                                                                                          SHA-256:441124F2B9643DCB85A0443A6D4504EC76CDC841461FD9EBD238FDE6E2266873
                                                                                                          SHA-512:58B091ADD338C878D5ACFD583BCA8B6577F43E9B5A643E692C90E0754BE263AEE68F446FB3C0B3D615D3A8531C509C67AC2C4D10373D4E4FF6FD086352B7F219
                                                                                                          Malicious:true
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1271
                                                                                                          Entropy (8bit):7.868496403472837
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:5A1xDxdMghaQ2CQAbpBcFNOkWJ3MVibkJTazS5Jb3YWNKjIN/jHOGKt86hO7j:kxDxdMaaQ2C3bTcFZacUktazq3H7wt8b
                                                                                                          MD5:F7E20A9A7D6FDE40A13046EF247CAA38
                                                                                                          SHA1:43FD432D48F2D538FE692BD42123C70937BCD4C1
                                                                                                          SHA-256:EF963DCB967FE74A50886BDD53280AED2FA2D3C9329FFB10B28F71BB3118B571
                                                                                                          SHA-512:0C99E2DC7D5E7D8EDEAD748FA6EADA29010874C847588657BD0B9A049984CAF524A20BBD199DDC972C28B98936C53E8BB35E32029C1F886E9C5A3435525AAEBD
                                                                                                          Malicious:false
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.845151859558502
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:PgcEreq96WEuEn2v2E2QLgJ1fB9Mi/anyeOw3R86hO7j:lUcgEhEE3Z6choB86G
                                                                                                          MD5:3625EEDEBEE45B7BC63E266D10D7899D
                                                                                                          SHA1:EA745FB3941E377733FC566849BC53C428550C3E
                                                                                                          SHA-256:59A229C03C1F97E058EEF05F44273D49B2B7FF8A4D7DECE05FEF3BF0994FA0E2
                                                                                                          SHA-512:8F0A8939748F54AB156A8E447037A5116DF1890B99DC77029A1AF7EE7727BF09D86E676D0A67FEA65B02A3FB559F5BDEB5ADA83E36F08219F8DC31F87E121286
                                                                                                          Malicious:false
                                                                                                          Preview:.+.l.T..^$..4U.BT....E..ma........W_M..:....>...!.I.H3@t.>h...:.....l.<._.......!....A,...n`.N6e.....R..?..........B.O..B..@...!R.....EU...,Pm.k.=..C.W.!..C.Uc.F..%...00.._<ol.....(g....U.a....p..........l....fI.......J.J.'..e.vy.....A........<.z.@..X8...#H.DJ....S..gg.c......LYL..?....#...3.Q.J6Yp.&q...,.....e.8..P..........K/...ab.G%b.....H.+..........^.R..]..I.t.....L....7....h.D.3...\r|%.....C.SJ<....?....s#...S?..z...q.x1....D.:J..g.9A....m....dV.S...j...#.j......Kr%k..z.Y..U*%E}..i.;r.v...|K~.-.....cI{.iWZ)..0c..x'.4&UA..S~|...2.~;8q...%..+..W.##.;_.'_m6.!N&..a.+.&h..).r.D._c...oyS.9..A7#.j..F......v.....F...1....c.O.8...I`b&..e..U.N\%....8....l?...G*..g...s.d7....N.-T..|.?A....a....hZ.J...j...&.{......M~>~..`.\..Q8...N...]ID.{3.^...k?.~.>.gh.Z..].....G.0.f..MM..).eAi...M.4...+..#c...D.....$....P..vN..%E...w.qV..Xu...y.n.U.CN@....G...#........)..-.....m....9..0=..k.m...PF.C6......2....2%.=}4..p.%.K.,cm...:.g.E....W..%.1.1......;Yig....
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.818520564505411
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:yi5t7bYMEbe8Oi1gwrikuKlEAIz/my9fDE9SuRa1xrPCm3WjptQ7O0ALsSE86hO/:yK7dERN1OkeArytDE9BRcBJWrQ7OtLsM
                                                                                                          MD5:96A80DE14EAD541299D98A55CDFC46BD
                                                                                                          SHA1:FF1A2B5D404CCB3B2109021C6DC3ABA04F23C993
                                                                                                          SHA-256:52CB953A177B95A6BB658B387798812C2766ED16AE4AE1C34BF865C84D04E259
                                                                                                          SHA-512:FF3AE912D2BD4B3D17497493607D95621A78013D76A5B27CCAA667DD6DAA1F5EF5D52C2740E330A7E4E01CFDA935533A92C27639B060251D17E2B15D2157CC55
                                                                                                          Malicious:false
                                                                                                          Preview:J.\..}......V.....A..H.. 9[Y.Ym..t.xI.l..?c.oO..{..R@..f.|-r(..Rx........2.Y.....h[=...{m..a..&.`:.1v......V..a..GV.....X..6lB..-XZ..?!....j...i.;uT.n.L.~xK....Z^ ..9...<..a_<..r.F*...Ck1...>$..d.T..[.D....1....c...0...e.......m..Z$.5..,...a...[.C..i......K....W..I.&!GT.L|..{.~H.i..7f.bL..c..WY..~.{<r>..]w........<.I.....bQ>...to..r....z!.%q......C..}..]X......F.C.+..{g.@.o.....-.Lw.b8....e........8.s....8..M..Wb.~[P.&.....G..5.oB....(.......]Ukc.C...CW.3..Z.......6..L..!.}.2..o0.8;mP.+ .V.{...+e.xu.t.........F.....?(..|..'Q.A.....02.h..U.....I...d.n.j..s.q.n...tF>..@....2#..aV..G.....A].c.n......I.L.,..aq.F.s.....%.Wl.w*....c.......$.~....=..H..Bw.cGL.$.....Y..?.x\...(.......@Lgo.Z...@W.3..X.......=..W..?.~.-..}.....)....4.a.n...V..:.K.C.i..Jbj.x6..W..P..P..(..CV..~.<.$..o..B.6'{..5.....c...".......5.....*.....V.Rq.Y...d.b.>..*..".n.. ........9s..........L..O.E|kU...z..5..YO.N{^.8c...t...Hj!$'.q...7.......~]..3.d&..[..g.o...t..
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1267
                                                                                                          Entropy (8bit):7.849153979787053
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:1Q/9IpDwgR/BHIPQAdvBXdevpDBsL1u+b20Wzfm86hO7j:8mNwgxBYBbexD+19b5j86G
                                                                                                          MD5:A9935CBCFD99A860DD3B7B1ECC77F732
                                                                                                          SHA1:3400112EED23DFC3796EB1C070B5C1DE4038C2D3
                                                                                                          SHA-256:8B600AFDE17FB5D037DF6F52556A4DB620D6EEA88F2DE82A6B44907697FEA102
                                                                                                          SHA-512:E1548A44452E1B05EC27898176C0116C1B901EDC55F3A498B67959F722F9DEB5A556639D0CD878DA9A235F572D8D8C3230F61647010154FABC9D7D7EE56B041D
                                                                                                          Malicious:false
                                                                                                          Preview:s#|]WO.W..P...O+....c..E.o.....t....a..$`...Q.r77^...N2z.A..U.Mm&\g)W$.@..@nT..D....;.]....$.......S.....R.D.sZ7>.;.>DV...36h..3.Zd.cyLWj....1......<...C._.j_c ..I..A#..iq...D.....7.S......L&.T.#10.s.Y..c<^....Yu.....6..Z....;v.|..CL"r...'P....N...c)yBGW.@..[...I<....r..V.n.....y..l..<c....Z.e%%[...P3p.F..X.Ed!Lt7W&.U..AqL..\....;.@....%......S.....^.E.mN<;.>.(NX..j0.pf.......?N..;.J..W..y....9#.}n..3'.3.V.`.....|26|...;5.#ja-.L%.80.?6<....&mv=.=c-..&\..C.E...}].E.k..Q.......:sS...(..{....3y..._.....zo..KS..9K.....Y...)=....L.l_..9.m...S. W..i...P......FJ.9:..@.......aM.K....&E....S.%u;S....."...v8vz\.G.=......~f.......!C....Z..]..w....95.nj..%;.=.@.p.....}/7o...=5.2la7.]..07.4>3....4fv4.<v=..)X..C.I...qF.\.c..V.......4tG...!..d....#}.."H..V.b......,.U7.O.^.$........b6......+....-%.|..O...bgM..*g.?#.;.....C.im.\'..`....v....<G...J..W.VT........#WE....n.,.jmiD..+..b.$.-F............k..`..F.....:./.A.lP+.@St#Y..C.....&....p[y..@.m.4,~L.%..iP@......H.;Em
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1275
                                                                                                          Entropy (8bit):7.836852356063371
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:SJ0Rapqi0CbPBsnVyeKhlMTl33xsa0X6oVxyQTHoY692LwYxqxNh86hO7j:laACaVyHlTa0KCwsoY6WweqZ86G
                                                                                                          MD5:3E639E675FE5EEB038D3186E0A5F38A0
                                                                                                          SHA1:F7D64A4323A32E4B7CC9C867B5206BEC30F96839
                                                                                                          SHA-256:39633DEB0E89257324CAEC04CAC3D9350153B612F5487DB02FB7904161FE7DEE
                                                                                                          SHA-512:56BF0AE86211BAEF25DF72B7F849A722926C9C3690B85D24EA076C723561C75982CFEFF560A56A8FEAC38860BA2FB3301D58BC85F550EA640CD4FD4CF32F5636
                                                                                                          Malicious:false
                                                                                                          Preview:.vk..\....d..D6......)*0..Pc.........[.M..EY.>.#.%'.G.=._...........A..@..Y.h.v.c.3(.j...I.....7.+.....8j.d..I.y.!J.g..QYl....y.%..]....Di+..4.4..}#....'y.."C....!Q..(E.-..6....jYc.q/%..q.....<..(E.)..E.5.E..F....d>.......#:....jm4\oSOH.X...``..[....w..\+......!7;..Pr..........C.V...ME.6.!.8;.U.+.P...........Y..A..E.q...k.e.6#.p..X.....4.<.....(i...._..k.9M.m..'m.rb...[2.x.F[.'Y........IC__Q...}.....#6..r.U.<....}..x# a./..C.pF...7=......^4>.../*.0{0...I......5..%wK.9{.N.<&v..L....a.A?..1VHc...m....aq.5.i....zlk.(.....%..9..H..<..H.l.t`...8.....B...a.7.........1....Y......+.j.Ix.'.DC...6...Y9[.'.e..P>.&p.hc...R2.x.DB.'W..........[UT\^...k......%+..j.^./....e..`7+k.1..M.dF.../=.....I<=...17.1m!...O.....)..0oO.:n.O.9.l..U...qG.M.=...[..@Gm.'.J....F.q.!)$X..>.Z..@...Z..z..Y.......W?a.<..&.LOG..>J......#....j..E..b..n<.xn.N.h....;3f...h..v.tt.z..+@.,......b..7`..........E...Xs..A...vRXy..U...dK......).=x^..A..8.u..E.{..vxb.>......m.8..!...b.u.
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1274
                                                                                                          Entropy (8bit):7.851824215297802
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:z8yGnBnVlSd5PTCJjPknYWJ0EO4A5+10BfYYUieRju86hO7j:z8yyBVlc7pfeEU5I0BwYvAju86G
                                                                                                          MD5:7465E547EAC50CEC6379B590672CEBE8
                                                                                                          SHA1:FF4A4C10EFB82A34AEB67F4956A95F8781744FB3
                                                                                                          SHA-256:9EDC15312AFE8DD1DFCA327255AD73172A7464FD4F3BD016DA79F32755A278BC
                                                                                                          SHA-512:26828B1BFCBD8E13027C4651A8E29DFEDC0BCA521EBF88707422A3BFAD01266C693A5CE02D9C606ACDE59D4EF8FAF77C33DCF2C3C39945211ACAFAEF7366A3E9
                                                                                                          Malicious:false
                                                                                                          Preview:.D'R..u.t... |;6... 6.`.%.R...s$....eK......eKd..}bi..L'..+.....\!.fA..}.....g...e%....)N.{...Rn.....RK.L.N`..).?.. ..D.g^...2.`.)...n.s....Z...>....*.p....P..t.p... ...._.v.......\.s..~w.p.c...?Yt.qlz.i..X.nH.M...e.P...9n. ........|..g/.I..\.R,S..w.x...=d&=...<8.}.!.R...y5....wO......mWp...~t..^8..$.....B#.}B..j....f...x8......3N.j...Ii.....JW.\.O{..3."..+..N.d"i>.Mfn.N.m\L.0.....z.....J.I..HT....g..5.`...<\.I..`.;rZ..H|2.TR.^.i.X.q....4..v..\!).~.?..Y..;...........}.1....m...B...e..X&/....>U.D....Q.U....gn..2../D3LP.?....^@......\8...P..d...W.C.?.c;Bg..0...t.=.]_.q...Q.. .T...._...P).i2.wF.W..;Rn$..v.'.."h#.Wgz.Y.mZL-2.....i.....H.]..CW....b..,.a...!N.Q..a./qC...Yq*._X.@.n.L.t....;..l..K)*.d.!..X..7..........~.$....x...G...f..Wm\.h...i4v....t........R.%....<.._..o..I.L}.....-.Wp.._...eH....I\..AU.l.....6..#.E..|..6.....x.H7Ir...0..A`.@...y.B6......sL.rQ..x ...bbC....Sx....a.q.[....$@W.~..k`...n-./8.YF..1..D.~.]..a.Qv...p..5f....kI.._....`t..
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1271
                                                                                                          Entropy (8bit):7.843880894504867
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:usSO1djTAW62is549fwyfCQPJ3uUcNZ24n7e45FxHOpbWdb86hO7j:7SIXA12ZixfCi+xV5rqbWdb86G
                                                                                                          MD5:3061CB4534BADA9062EE951AFE92E324
                                                                                                          SHA1:DEF18D7D48A1C1F5F1DB28B8DCDE4DD0872EC042
                                                                                                          SHA-256:DE90129E8AC54ED62477ECDD26B041EC4194DD869EF00A0C1ED2B38B6FD69348
                                                                                                          SHA-512:52E445F210C1C41F2D277A6018080B6EA1D42F63559E7C8085615D39176D030CE2345608023580F3B1FADA0ADA2633D9CCDE121133F5E09D012C2510D7F9F5F4
                                                                                                          Malicious:false
                                                                                                          Preview:|..X...70..]G....C).~.......U.... ...M....S...%).G.Dcu...Xi.....@..+..[.#.. :V..\..K....L..x..$..9.........Rz.v8..x....^.k..{...... X.v.....IYWK...&.......w<0.e..h.....[e..D.+. ......-.R...._'......>U..q{.!.D.3....Ea._...d.....]..... .r'ng..vl..^..."+..F].....O,.x.......F....*...V...I...39.\.Def...Vi.....^.."..W. ..31K..V.yZ.....B..w..=..&........._f.e!..~..U..\'...2Y.>......x....ki.*U.(p.....s.."...A.tj.x1.*.AJS....-(<l........"....._.`.U..!+.a.x./.".........;,....R...h...gk.)f..I...\.....<.o.U*........{.QE2Ot|.~AL.-..j.`...........F...?..X.:.}6...R.-}.R......|..?=&...] .3.1DQIqJSwO;...o..y..N.d..U..D:../1C./......x....x~.<Z.${.....k..>...T.ah.x?./.LWE....267a.....&.....^.w.I..#/.p.{.:.5.....=....)$....O...e...q.2..#.7.W.=`.s.Bq.F..*4Su.f-....._D....a.\...M..?....^:F_..za'!,.3[..S-..........]....#O.>.A...0I....0.Am..=A....q.|...9sj..K,......I.h..s*N....Rk...Y....r)..........5..2\&.z..=7.......@..w....('.$l..]...~A..[..?....I.).
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.8349827692027585
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:eJd3rd9JHBSpE82lg+Yt49pnUt7LhwQq6O1t2D3m3tt2/sFWoALuc86hO7j:Ypd95g+YtqUt7lXq71t2DW3tt2DLJ86G
                                                                                                          MD5:00EFC47916892DA8E069660A61A94540
                                                                                                          SHA1:16C9BD84A2206CD36FE7F559F31A8D9408A4589C
                                                                                                          SHA-256:DB421D2407FCA6427C4A03B514DAB120846247F21C6200D20567DA4E6ED23841
                                                                                                          SHA-512:9AA2D7AA28BFC92FEC7F6093A0210B4F795B1DB75C724CA5340302B25D544562C799CC2E0CA8AB09BB9EF63995E53CEAAEF6B6AF5CE768790CE2A04B219CDAA9
                                                                                                          Malicious:false
                                                                                                          Preview:7. ..../}..O..;U.4^"o........+,.U.|l..@.-J.!.]....q...)....xNH.<i....(........>].........|.q..SjS:.c..n...6..NSyJ].oO.Kpz.zy.%...7.?]?..........Yj.kSSY~$9.7....SD.6..d.0TE..Q2..Op.....z.n..%..R.g.9....X..u.*.....Q.<^.4.M.B) ..T........A..).Gs..&.?....#{..Q..&B.*N#y........'9.Y.gj..J.6^.$.P....i...0....._H.1b.....,..........1Y.........a.b..[fM2.y..z......VFpCA.rU.Trc.,|..}....@......(+.c.&f.l../?|<*&r4...\..l`.Z._.?.^0zV...`....a&...gl@...T..H.|.*P}gN.x ..o7.(....z...$..ia...9..z+.7...?t...f.~D...I.:....T.4..@k........X.b...uP...[0.S.}z.$e@.Y.S...}.q?...........:@L.uu2..J.L.`..|.\.0pEx...?/.:&.x'...m..b..B.;.%~..t...._......4&.c..m.w..=!.)4 h=....A.p|.X.V.:.B5.T..~....c%...irZ...C...S.z.0CpzB.y=..c..9....z...5..mf...?..o).-...0p...)_i.w..U.t.........i.....U...'...O..Y.L).B.Y...."0L.Z..w+.M..`!.J...BOc....`.m.p6%.nw...X.x.....H..gi.r.......S../MjL$.<..#y...E...P.+.....(..ktF.;...I....z.T.9....\.M..D|S.....L.h.VMD.M.....w...d.j(.z.....L...u.4..
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1267
                                                                                                          Entropy (8bit):7.86675132791817
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:rrFkz91d/FCWFU2DHprtlBtBXQAt+at2mt1hlpPZ0ylIvQL86hO7j:HFkaWy2DHpdQWV2mXhHnT86G
                                                                                                          MD5:0406F670744D9F1E76679B4B9A59E55C
                                                                                                          SHA1:6DEB930AB59B7C51FF7F85D8C89A5766361B3F5F
                                                                                                          SHA-256:F4C184FFCC6E3D80C2BD69EB5B5BED441F2892A63EAD563E4C7DE4781188E58D
                                                                                                          SHA-512:9A1B70147AEBE1BB9484BB3B5E66DEED806420244CD7BC5523CBF426D56BDD2796D129E8EE090D4DEB807006CA879BFB0A7F85894F78667A3FDEEC64B719A4AF
                                                                                                          Malicious:false
                                                                                                          Preview:%Uq.......6.....Oj..wA.!.......L2.%.l..BZ..S...!.....]B....G..M.....Q.7...o:.U.4....F...,.P.Uhm....c.\....]G........p.J.\..t..(.*..)='}.r|N.H.qHTr...;....:o....#<wl......v.......~.#Y.......ZQX...8..rG].u....5.QM.ZjS.E..G..$(V..[z.#9. $j\./...Tg...5_t.......=.....Ct..f@.2.......X?.8.b..]B-.D...*.....GZ....\..C.....B.5...x;.M.-..F...,.[.T|i....c.I...._F.........~.M._.....D&.z...T..]0..T....N.E..........|@..L5....>.y....&.XY..@pm..f.*.......o.....O..].Q.%9|.....h.Y}.K3,.LC....:Lp..7.W...aFf....2.-..a.~?.nt.....w.(;V.F6e........~..-l.".y.HT.R..@...F.*.fF.H1=..0......Eew~...%.'zH6.uaV.Xa."..io.^JJ..,O6....Q..s....D9.e...^..M4.V....H.E........ .j\..I-....?.}....,.^Y..Kee.2m.%.......p.....R.X.].$8p.....o.Bm.F#).BD..../Eq../.U....F....#.!.P>....'.....o..B?V{..b..S./.s...p\Oq.@e....8\....?C..Iu...n...A...*...Y..O..5=..D*.A....d.;.n].....k....JL.....yR.7/.6....Est.ob....B'..`.r.P1....).....`.i.b..n....Wv..fS3.A'8czOX..=#V...K.%9t..~`6...is.(/*.
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1275
                                                                                                          Entropy (8bit):7.842325476244734
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:+85e/TFAqQjG3kFsBiIsGDKiAbj609GTqUA26iIpV632D4to8R86hO7j:+EkTFn91ilHnClTHwn632D4q8R86G
                                                                                                          MD5:CEE2659796E117D93E84464E1813EF22
                                                                                                          SHA1:094F400179107F3F3A92A1734559376ECCC7CD0F
                                                                                                          SHA-256:98881B0FCE034C3706BC71CBFD241D98CC15726811BCD6D947D0133D78B4D372
                                                                                                          SHA-512:4C1286A48AC532BC6507CA9E1F41EA640A6CEBFEC59847946DA056659EC1BC4050DBDDAE7AAF78DF9D316D8BFAE0405486309D94F8D010319C0DED3D660BD142
                                                                                                          Malicious:false
                                                                                                          Preview:<..?.z......zVV<.K.X...9EW..f..O.R.M...dl.r..oS..^..i..^.%]...\..*{ ..J..^...D.R.).[p..?....'i.y.l.`.u.....k.q.2....{..va.<../..J.h#.G;PNP...=_..!k..:......o......#...R..4_... .1.1Z&.._T....i..5..j.m.bq:...L..v....CzK.4{c...z.C........lG.B.._..+...:.x......g]P,.W.@...=OW.~..G.A.I...de.n..xQ..B..v..Q.1B..^!.)|8..D..^...].L.4.]e..=....6y.v.k.u.r......p.}../........u....^...U....n......<.p=.,.Y..6...$v...S.Q`.n...a.......c$.t .....B...^o..r.dP......h.R...%[.k.RU.6..+.A...~f....qV.,..w.Xa...|u(6....>.....V.....'M.......:.D..~...r.c....2iQ.p...@3.\Q?...KS.Ig..[....jh.}?.....q......K^U.qu..tO~5.Zv`.D..4....k4.<....D.:.B....m....../.a;...M..=...7s...J.Pu.h...y.......{5.l4.....E...^j..j.k\......k.H...+Z.z..ZG.+..0.H...fb....oS.6..n.W.E.......J.hH..u...^.E...0z?.`.TY.x7b_o......y......Z?...MN..&..g.L-Q..Z[#...J....z...-...`.1.|.....1..=.7.7.l.428...J.7..$..../..+.....c..N..."(.n...,.h.... .T.<Z...Ib...EZ.U.!8..2`..B...SkE...6MJ|\.[p.....Uv.$f..

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1268
Entropy (8bit): 7.854516750903763
Encrypted: false
SSDEEP: 24:MuBFwo9HjD71gbLPsJjXMO5hBuujNe4Kh8NHzvpRqO86hO7j:vDwo9HpgfsFcs3uN4KMTvDqO86G
MD5: 6BA8EF24CEA4DF149EE2D6212DCA3308
SHA1: 0995E116FD87738C577B9909EBEB9CEF3DBCDA94
SHA-256: 6211DF4B348E2FD38CC0D981495E00F32323724DFB835FAED7533940AFEB1C1E
SHA-512: 0D6546C800C552B02A08082A671D75D1BDF51C3EA19A4308661F962F0CBE1DAC178055F89A1EA7DF34FD7591868CA5FF844A31630FD62779FCDF38E212CDEA8F
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1272
Entropy (8bit): 7.862920989619387
Encrypted: false
SSDEEP: 24:fAFeQNGKM1qy7g9EY08evVcZr4LVRkvIvQ+C1tkrdaF1Nq6jn86hO7j:ooQZM1qy7g9Emev+ZrarkvIvQok/lD8b
MD5: 748F8C6E62D03891FA4156301B406BF7
SHA1: 290CB4F75078806C4B1CE5984E2EEBBBB4CEDB0F
SHA-256: D1FBE8D0121C6A9334E1C7943F1BA94E48532B0197191C8B71A5535F44169CE0
SHA-512: 9F7B1108588201FF8B1562374ECA38F279A55393434AC4918CBC8638BA40784144680021120A78368044E4B6AA427220D289AAC0BE51995877D32C6B605AEC2B
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (837), with CRLF line terminators
Category: dropped
Size (bytes): 6291
Entropy (8bit): 5.028611992754787
Encrypted: false
SSDEEP: 192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
MD5: 9BA778C4ED0A8BD6CFE0635BF28B6033
SHA1: 16A6942CF881381A283606A4FE0A55ECF41BD3E5
SHA-256: A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
SHA-512: E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
Malicious: true
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1268
Entropy (8bit): 7.843481563375782
Encrypted: false
SSDEEP: 24:E0TsgInboxfTTN0CaS+kjeCclhGLyo8b4h0TVWLonx9mPAHu4uT86hO7j:EysgInMxrhfeCclHb4EVWcnzycFS86G
MD5: 6BD333E31EB493876B1EF7A8D8741FAE
SHA1: F4A6D43DA27672638C3C4CD072E849E6AEBADDC2
SHA-256: FD6A0C7739B3D98BD37DD47C26ABD96E68FBE4CE9A6A7158C83B609326CB3D7D
SHA-512: DC7D54F844ED9F21C514611D3B518CBBA169A605C686F4D5F7C36F7E46A1355D4FC1804331125A996E6CC92CC30F9BD9D3AD97E3371857B6BFC4D700383B7A0F
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: OpenPGP Secret Key
Category: dropped
Size (bytes): 1272
Entropy (8bit): 7.84702586562392
Encrypted: false
SSDEEP: 24:jQMju9bgSc/VbKkqT0BV2XaBKDNaCZvWvgn1aBlyGkn12ul4bA0776Aqpnn86hO/:jQ3eGFT+2XNTn1pGkn1Bl4bb+Aqdn86G
MD5: 45F55D005AA9061A490CD224ED657BFF
SHA1: A39AE684CB32DDD8F4FE4501CE1454C72A70FAD1
SHA-256: 5CF336E86A1B812B68A569DDB79D52202DC8093402C59B1D2EABE391DE548B6B
SHA-512: C8CEB9E823340FE8E882327761F8E032F4CE113B53AEF97B9650FBE4D7B686A6AAE9922F794FB9AF9159862977A20ED95E0A49DC8D720616798E3F31CF14D60E
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1270
Entropy (8bit): 7.8467549980259665
Encrypted: false
SSDEEP: 24:Q3DZTHRRp+JV4kaQHwi1brlYT3yzHg6HSDs0jN/P4wLUVmLiJp186hO7j:0hHRcJQi1bra7uHKskDw7r186G
MD5: 5176413A4C08F1F50FDEC57894FADDD8
SHA1: F8F24682E9CFAED4340EF3E9283478FCBB308927
SHA-256: 9F10F43E131B49BF761311F29B5CE5D0FDAA48AF522A24DC8AB8B568D881FE64
SHA-512: 3650616186F1C21D1F5335B02D736FFABC1588B1ADA3913BF472CE254A250E6FD63E201F4AE06A61726AA54A69824DD57AC0FADD3264ACF522B1D0ED106800E3
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (837), with CRLF line terminators
Category: dropped
Size (bytes): 6291
Entropy (8bit): 5.028611992754787
Encrypted: false
SSDEEP: 192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
MD5: 9BA778C4ED0A8BD6CFE0635BF28B6033
SHA1: 16A6942CF881381A283606A4FE0A55ECF41BD3E5
SHA-256: A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
SHA-512: E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
Malicious: true
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (837), with CRLF line terminators
Category: dropped
Size (bytes): 6291
Entropy (8bit): 5.028611992754787
Encrypted: false
SSDEEP: 192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
MD5: 9BA778C4ED0A8BD6CFE0635BF28B6033
SHA1: 16A6942CF881381A283606A4FE0A55ECF41BD3E5
SHA-256: A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
SHA-512: E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
Malicious: false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1272
Entropy (8bit): 7.852253270668189
Encrypted: false
SSDEEP: 24:ajVKu3gnAI+b9sKqUH7YCfjcWvspa3b3vziPxgZi71LJlw0sN86hO7j:ajwPAI+zwSczajziPKiBLc0sN86G
MD5: 54B6C2232882F03FE4F1A9138DB97010
SHA1: 8C1127C6ECB68D84ED881A37056DF4E3DBA2B1A1
SHA-256: 2E2E8089F65630274156536889D1D25A4110770E4097A30DB546522C0DE06D18
SHA-512: 446266A14DAB3EF881160A844870F4D2D233198AE8B78FC23B9CAA9857EF65D0E74469C4FEE377F88797A28C046040C099C8AB023E099AE367ADCF5173AF6D8A
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: OpenPGP Secret Key
Category: dropped
Size (bytes): 1269
Entropy (8bit): 7.851482625084258
Encrypted: false
SSDEEP: 24:hKHgLk9j+NWmt90jGJiTMcg7l15p3bcvIMTcBKtdAtZtbWDnIj86hO7j:UAII53aGPlwQHJtZVKO86G
MD5: 4BB10EE7211EBDA88211DF0CBB19CE15
SHA1: B02E2FB5EDC1A6B18E8363FCEF9E98E37BCEE845
SHA-256: 3DA55B249BF2135C998432EE22678B9F669ECE4B6246BF6681E1EAF643D27B32
SHA-512: 340E345F5BDBCCE36EE61A47F7BCE107D897C06B4A19F1B40557707C8403A1F4D5A09469EC7E7670214FDFAC30FEE3DCEEB4D82037AFC6AE976AD174DE760DC0
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1271
Entropy (8bit): 7.854772578675309
Encrypted: false
SSDEEP: 24:NKR5E+zx/V2JCu/fx0FoFY934SBzCMbR3d/FSeHq4Ix2Nvq86hO7j:NmE7W9oSBzCMbR3d/oeCxYS86G
MD5: 315C4264505E8B23513C2414AFDB9649
SHA1: 5CE12855865DB3A68D398B1FD1605157D6929116
SHA-256: 50BA049EAD69B775681AF7162AAEEA60A8BEF1EDE351D3EF5A434692D8A8205E
SHA-512: 8E77580403CDD6C41985131D06C9C32063A4935615F9DB1B68036347FED481F240EF800F717CEFD0687B099EB30097C113DE5D0D771620B2E487E7F70D6206C1
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1271
Entropy (8bit): 7.844449264249257
Encrypted: false
SSDEEP: 24:Yook4FPLVzR+YVnvOcdzaaS6yDMDwBtXqmHKf6ymazHpRKAO3DJHO5k86hO7j:iDVjvOc8Px1qmHvLKpRbO31H86G
MD5: BD857B66FAB478B88954CE264F3D7F75
SHA1: 82FD483DE1F511C28AFBA474DB0DC41B5DF168E0
SHA-256: B01DEE834AADD3E7C30E76A8075112C1EADB29EDCFC519425CDE1371016D239E
SHA-512: DE5DE3878D4D18CC9B57E14282E6BCCB7FF32B1DDB51A75B3FA9330B79E51566086E7D3EF0CA4A9581A15D5DE969E43913889C98AB085465D8D6FFCFF0EA67F4
Malicious: false
                                                                                                          Preview:.......T.Di#....3......|L..3..q....P|.Wp...9^..Xe{p. .@.?.BA.m..X>.)....5to7?.p...v.E...K.IBG(.x....k.]...9..l6Zj4.......=.>..wD.y*..P.......2.w...{w7.0.`UwV....{.g^...@d.S.-..!.B..h.,...4Y.ztK{.k{.?.D^.....J.1.L..b. ..v....V>.2..."Ujh..../.......A.[|;....,......dC..)..1.....Kg.Sh...#S..Hs`v.&.@.7.BW.m..A .>....-wv/,%m...k.C...S.ZLQ*.y....f.B..5..x5Gg(.....+.X7...;...m..S.C..W..H...9.t...._O....t......M..IBU.a..b.....Y....m..E..IS.._J$).2H.L.H ...Yy4.x.+_..k....2&ROO.I.R...1...6r....A.$.Q....bM..a`D....W... .X...._U...kk..c....s.2}....bb.^.yQ..$Ak..OU...RA .$.5O..o.sH...2..,.m..{..u:gh...o'.7."O.J..R ...3...l..R.R..H..H ..*.o....TI....o......B..\@C.o..}.....Z....`..I..Y@..MZ7 .3^.N.J<...Uh-.k.'H..o....*"[W].[.\...)..?}...K.\......K.w.E...?..w.^.(.Q../j.....;......k..C.".......8.o....9..J:.....y.7...:.1...l....SMty@...(aS.-.Y..D=`/..N..g.sP2.M(1...qp.....J.t.V.z...r(....W....uO!...2.%.0..9o=....j......R.".p..S.Wl.^.....5......S.aY..?.=
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:OpenPGP Public Key
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.856560539092315
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:JgaHlqz+s90OXZQP1hKqTFqx7YykRjEJUofwMNlx1/LgOw33Q86hO7j:iaFJsqKZ8EYqx7YykREa+wupLmnQ86G
                                                                                                          MD5:72F81A3562BC8C49E6FA27BCF7BDF2E3
                                                                                                          SHA1:B2A8EBC9A33EB42BD1F9F0AF0348AF703C7FC6C4
                                                                                                          SHA-256:656BEFA41951BFF465BA6218F79CEFDD6514BF00E8565E220DB49AAF02E25691
                                                                                                          SHA-512:51E548E5468E26A0778F6D6D85E30AEF3431F4D375A40B0020A5C3922AA8A75175E2215A0811049C4B4907A07DEAF45F0477D152E5AD6B31096CAB6A9F7448AA
                                                                                                          Malicious:false
                                                                                                          Preview:..1.=W..5.."a.........,4.B02.$w...L..3^..T./R...h.g..hQ]...?.....[..$.._%..]........Y....w.)=..{..........N5^......aU.<..$..&.P.S..t.J..]...t!.L.a../...{.....X.:Br..>r.<$....=P.....`..k.l..X...~j.v....*..].k....g...........M%.....9.`X.....Y....:C..3..8v.........&2.O<'.?{...D..'V..Y.?@...j.~..qVL..r4....._..+..G&..W........B....~..<..e.z.........I-K......oJ.%..4...W....i....".-6'..A......{/.....u...}'+PXCR.$o.&..Z.dO .i.......+........A.......P.......O".9....|x.$.....v.zX.t5.....oV..\...w... "..?......-6..R#).......S.!....a....q...1..R..?ZO.z...`0i.s.v...?.r{l..y.3..)J..v......\2...U.DAg.xr....5...P....l..../.-="..Z.m....n1.....p...a;&R_F[.!p.#..N.qQ=.u.......1.......G..."...I.......L".9....x..+.....t.`[.k:.[...!'..4.O..5c.2..L1.d.7Pk.E.B.x.......yeMuJ.C.`...'........+...=.P..%5H,3..*".......R....G.|.L.."...b.#p.k~.\h...e.P..[.%.gx.m...1. .je...D.6.*..>.R......k0|<Z....V@q....:..-GE.yo....3.:(...R...Q.w..'..on.._...tb.%.s.=o
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.842257787600838
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:d+aThKSphacsJCAihqUF1nn+1Mg5FuKfWCYnVOrhAp2pt86hO7j:d+PSPapUAIqUjnn+Z2n9M86G
                                                                                                          MD5:6927101B026E44E2B3F2BA15D960D1DF
                                                                                                          SHA1:CC009E30CDB869CDB268B73899CDE4680545B5C5
                                                                                                          SHA-256:316166C1C8CDAF5901D03FE2A8732D55C012F5622F746212588C529DC4BB771A
                                                                                                          SHA-512:DE7BB2A8A4DA0051985A6BA4B2F39F634639BAB4A72FFBA9F768C62474D71481982E300B0B22BE06889E8E4E48393C7364C9E338E4B65258C6FBE63B0D0BEA4F
                                                                                                          Malicious:false
                                                                                                          Preview:..m.i9.].w...'....P.[.....y..0".p..h.[._.....$sRG.L. ..J.Bs..I....4K....[.}.<.9.G.^a...&...h.ycO..".4..d..|..AVe...V......Y.K....0.1.....|o..?........e.....tC. /......K.....x..6%....).....X....@.w.].EJ.N;....>m.]-F./....R*V.f....eU\9..7.I......r.n-.Q.k...0....@.M.......e..!9....i.Q.D.....'c@S.N.9..R.Ss..B....0O....U.m.3.).M.Vz...;...i.u}G..9. ..s..{..H_y...X.....a.D......&.y..i..G..}...W........e.u...B.A.1...:...)....).Iv.Gk...PE.}/@%`-Q.^%4..q.......-Y.......@.L..-..9....5.....}].W.i.W/.N.V.D.1./..h...L.f.R....-y.Oy.l.`#............1C.A.....N..9.=..P..M.#...>..G...Ko.hIv...|.K.../..S.B.t.......`..g5.c.K......<.|..u..G..u...E........l.c...[.].3......,....<.Tj.Zi...JN.f8^-{6B.^?'..}.....4I......B._..*..2....+.....oMBf.4...^[.2F.1Z...Q.......@zE......P..a.p.Y&.:......r....D.XT.9..3O.....`^y...]L....o ......Lb.4w..A....Mm......9.....&.K+ZV.(N.MF.f.f9..!..G+.*e.d.2.'..>.1..6...#+.p:.......9.O.1a.kM.1h..W..I...{...+..V..K.J..$I..|:.B
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1267
                                                                                                          Entropy (8bit):7.837865068326337
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:1s/eddgf2yMMH07uOfR+ppv0mYNyqRKERP7rRgQhc86hO7j:14edJdj+rkNyqRbRTrRthc86G
                                                                                                          MD5:87D4EE9E7A043DBE4E460C98901418F6
                                                                                                          SHA1:40C5FB4D854C90CFF84F06A8AA28BE4BAB84E2AF
                                                                                                          SHA-256:58645D9DC152A3DD0ECF179A31506990902157E328D5E51F7064ED9570777BE3
                                                                                                          SHA-512:D3A977759A5BF03DAB7AC725F93248EC1009F913F3FE78975A06F6ECEDCC7B8F8C45876F42A9A38E2068D105E7314ACEDD5722C03F546864C1789CC46D574714
                                                                                                          Malicious:false
                                                                                                          Preview:...1.2........j.I-....P..?...c.r.\...^.U..HUb..NN.[v.L..Kc..R.4....c.R.*/....B;#f.e.'f.nX....e\.}.....H....N...0.8.PC.....C..m.0.Iw.$U/V.....D.e.g.q..O....y....+ .:.LN..W..&Y...Bk0..t....!.;f.....t....N......J,..}.,+f.q...K.jf!.=Lc.gbD.Y.zJF..[.WZ...!.?.....i..}.W2....Q..-...n.o.R...F.E..C^r..\K.Co.M..Lj..N.=....a.G.=.....Y8"f.{.'`.hY....sF.}.....D....Z...5...YD....W..X....a.b...l.>6..i?zM..A-M.gi......Q.{.!N....}.a.N?.[...A....NYGx.m..v.......P..].S*......?.N\!.;....p#O....We.....~TK..nN..4w<tI....p..h............. ....$..p....,iow...T..Y.Q.-.D.J...c,.}mU.D.M.q./;....1L"...iA.g..m.5..-....B..........XW..X....l.h...h.44..v:|^..[=[.`g......I...<O....{.p.N%.J...F....N@@j.m..w.......F..^.Q+.....,.IG1.6....w7\....Vu.....nP]....s....:9..../...{.V..xe..Ygz..........P..w.-G........~.\.B..d.x."OO_.....%..#....\.5HX.-..v..c..lm..-.C.`..pR..Kvp..&..H~.%n._.\Z....;@......."...b.#Y...P...d..cr@....i.q.cs.#p.8E..[...GmU.ru..R%.s.?...p}.q.B..W.,...1z.
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1275
                                                                                                          Entropy (8bit):7.828025430676921
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:/Dkb3/QyEeVJiTsEHpZUOhtniDQm54JVjz/BAm6RHNqdfH86hO7j:/mvQVTsCnViDKJlB1GHNqp86G
                                                                                                          MD5:4B2D4A4F4F9A614F6D9D1B718702674A
                                                                                                          SHA1:A7171D9EAA7D60BD184330B1AB8CF3E9E78607E6
                                                                                                          SHA-256:586D21E8A106DF889EC135270406A81B028726655466B1078F101F9763E31D21
                                                                                                          SHA-512:C14085CCDCA0A3A7956CF56EC07783C653749EC4443ECFA8E9E8762F6843F992415062A2D1994C4C4EB31F34CB21C5E65C07207E4F5BF70BA32BBE15A223DFFD
                                                                                                          Malicious:false
                                                                                                          Preview:lK...w.j.x.}U.....9OhW........C..cL)i.i..>.yVQr8..5).t..\6f.0..P...U:..f...ySTmp....C< e.g...q'x..p...,..A...N.MCC.k.*i.(.h..|4.[..f..KT..).gD*.b.=D..l[VO....Y.c..u....V.~....<..Y=;.<.,.{..t'...M.qH.5SM..K%..,....w.l.LBf...E...N=..88.q....82.Z{]...u.h.n.eH.....7W`J........R..b_;m.l..>.qJEz/..(5.f..S'r."2.R...R"..h...nOUta....E)%n.g...a w..s...4..Q...U.WU^.y.2n."..;>h........#..S...V.....s..-.$H.xi X...n.....(.......p\58@.x...j...U.yU-...En..~8.T.`..G.k.3.M.nv.k..^.c.......\.C..r.h...i....2..M../.Yg..g....I>..s.&...3.@.L.#....?</$g..VT...T..`.K@..L.Lr.m...Pn...sV.M..76....7?|]N..)..../.%.T..O.V+q.J..'.S.;?u........#..J...@.....{...?.'G.kl%N...y.....#.......aQ-,K.l...d...P.oM-..._d..v;.N.~..F.z.3._.sa.p..B.l......].F..q.q...6X.....%E.B..y...(.:&.?.mM.h......9\iK..i':.+"...FiA..{e..}....yj?...s.5....W..D)...3[. ...l+ge).U.2..$.Y8..wE.O.}.K...X.GT......Q..``9...P.....L:..+..C[...>...N`$....BS.d.%.^..q..M.|%..(=.qo.[.6..oh/.I..[.4...`5.E..C
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1274
                                                                                                          Entropy (8bit):7.858615227895769
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:bgbNPxXqhvUP1CTIWZVIs/Qk5Ezyr0QP3nkJ5iwWfO+nfpEYUZ7986hO7j:bexGve1OuaFOyr0Qvn5ZnfOYI86G
                                                                                                          MD5:BFC57A9B4B076E4DE4EB93583E5E0579
                                                                                                          SHA1:868271E52002AE8B21E8ACC99CE4AD24DFED5E14
                                                                                                          SHA-256:2F249D7B68DA680EBBE3300A792FEE2DB64114B38736BD55D50FBCA880F6A329
                                                                                                          SHA-512:DB931266D4A3D7B088E142D264A3EF6563B60114B04A2C620F0EBBDE0A65BD268C3C432DC7A3ECD713EE7FFBF6CF35CFF0F23A8D6A26B2901EAB8B223023227B
                                                                                                          Malicious:false
                                                                                                          Preview:>.*.s?.B.Ow...N.._^.$.A. .kKq[0.i.L..dH....u.........#{.Q...G&..Od#..5..u...G.I...e..wM.O....l..Z..:ha.Y...}.;..W,..U(...rAmY..........#..QfNW.....)+,(.;8..RcI..EO.L.]........-.^.~.Q..La^JTuK.Ig..N>.>.t.L.V..z...j_..f..FN...F....1.]9.12..y.Sp.E).!.v8.C.Md...S..OV.*.I.+.aK`S(.x.D..vL....|...........<m.E...Y$..Lc;..;..u...^.T...p..uW.Y....c..Y..=|y.L..f.7..T>..R,....J...=1394....h...n.C.H...yR..{h...,..D{.....oj0.4.."...>N_......+{...[A.6BPK.s>.Tk..C..;Uc..ZM.4.uG........5v...\1Z....A./.*C...d'G......'`.Z.#B.j)......7..zx..E..M....i........\....uJjf...P..e?}.|../..6..=.$...W.. -..-8.,.1r..m.Kk..m..P.....O .K...<%/.=....q...x.H.Y...nF..pk...)..Ab.....}s(.?..6...4VN......5y...OA..THK..%.^u..@..)K~..L\.4.gA.h...... n...I [....B.6.%.c.....d...d.^h.0....`A.Z..\......l...m;*_)..%..4-......_J..C7...!.-...WA.._.~R?...O.I.+......H........w=.....m.R....}.Y.A....=.j.b2.. .z.O..d......6P....c....4...5...[p"..K.Y....../.R...........I..'.@...0.n ]..b.e.F..kx..
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1268
                                                                                                          Entropy (8bit):7.8371944697315294
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:jLgv21t8KUD83l4dnSrCagaPhgZGdRtv7opKrIwqxDJrv86hO7j:vP1NVqdnmCE5XjoXzxJrv86G
                                                                                                          MD5:20DDADAE1A947E7BB43B615D07F1E84F
                                                                                                          SHA1:C538ED0EF5AB341DB3593B9790FF27960F67FE20
                                                                                                          SHA-256:1D8B0EC3474C1D8AFFD8BDB4B2E741B7A361D3338F5911F5214C9B2BB09AC77A
                                                                                                          SHA-512:5AD5FD1F3FE63FD95427D6BF1475940F4C74F35E0D8294E0B771E9A00328BB4F389CB1A42177F2690B26AF89959189786AC6A1832C1FCA39174CE7346FE472D7
                                                                                                          Malicious:false
                                                                                                          Preview:Iu.gRU+.Kpp...aA.1".1.7..=.uj.u....+......|L..<l.../T...SF......$.....a..e...P....,.d.....z>.4.r.~..vJ. ..\.....0.+VD..wh.f.%.H..../.<....4.(.oa$..5E... ....../@...?y|.r%L.e....N....z\6..g...).J.Xi!.P#....1...&E....&..w..L....j.@i.......i~K|.mN@=.N||...x\.7,.3. ..+.yj.....7......lS.>k...)G...AB......'........`..._....#.f.....h*.&.n.q..iT.&..[.;...;..,^L..WB'....X...:6.....=.I.k[.....q".ox8#:...SF......\&.nX.A.7....8.~N=L.T.@.ni.7.^i....v/...#^M.._..p...i..(......e....*.}..C...a.#..p.'.a....i..|F.[.....;)!%..R.u....._h..........9h.7p.D.T..J.$.qm<...4.w.OJ.~n.&/....=.0,5.{6:..-.S.S'..m.D... ..SR)....X...=$....9.C.|L.....v/.nn48 ...ER......^$.i@.F.;....:.|S'Z.\.W.kj.8.R}....r6..~%SF..F..r...i..-....g....8.l..../.a..r(..[...a.m..`x3....p..!.hb... ...T.o..D2....m..X{j...9...,...C.4}7.6.P...a..[.*.V...'...O.D...S....R6. ......c...A.sN.wd.C..@....%+.@....=......z...l....!.6....DO>|.Q2A.........f.J..Lz..A5].|......J:4.M9.m.eS*.
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1272
                                                                                                          Entropy (8bit):7.8392922286187146
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:0aMFv0yWF4D6SFpFbsPrcY+vdlIKwVKlGQ/UdUoZzwSWmUDNievP/y/wwS7f69w9:0hWOmSFpFbsDcY+Q9hzUs2QevPaDLH8b
                                                                                                          MD5:64B674CDA2AE83BB2B51E9CD9E42E770
                                                                                                          SHA1:035008D9B79EDE18F181BF97FC004FF8491A97CA
                                                                                                          SHA-256:2D218CC490FB5466CC4FC59A5FE9EF902E1DB56E160F608328D87AE52FDD81C1
                                                                                                          SHA-512:1B3C24B55D9115840C693E2A987E0B7455BA1C5CE86940E95DB78C9C75B036988788FF9693E3E562CDA3DA395787D6E3E8CFBFCFEEDB9889A76ED79957E76F8F
                                                                                                          Malicious:false
                                                                                                          Preview:-.?.....'....j..2..w4..|.....n.M..s.....ANy...y..".....D.t.{.@` .B.U..._J.U...w....v...b..C.0(j..;...Q...3=oZ:..*w.b.2.Pw.Ge8...0.I*..B!%..<s.<.SY?.....mxq...Z.,0.F...n.......H......%..H.0gC.(.......XgN..LP/x.;ud7. tx........+.El....ig....I1nU..H7*.5...../....d..7..k<..v....m.T..q.....LUv...}..2...T.u.j.Zi8.D"T...FU.K...m....q...p..B.%1}..8...L...;8kA1..,..a.4.Jx.[|..}A.J.d.#8>._+... o...a.Eq....-;.b.. .......{mz..G..$.5.8..h......Iyr....*.."-......u.k'uvi.....2.$q...W..@.-.]..'.j....A...)D....-S/x..X....G.)Y.JO.Yx...u..4kG..}y.+.*.A..2 Y../B......AAX..4..<...Gp.N...:37\...^`.d...1.3.....i...$.....I@gg..gD.W.y., $.^/...1a...c.\e....#7.}..2......uzi.dN..'.<.7..n......Zcj....3..8#......|.o/lfq.....+.4p..R.._.2.\..>.r..p...qc.....}....$e.~`=.gh..{.........`.n...._...6.y....i.mSa'.h..SXD...BFQ.r..IV.%.kRG.4.&.KJ1.!.CK0.m~b.\.......8...t>o{*.4Cu.L..y..#.M"uv.... u>....1..x.u.y%.5P....Z.F,..}....4.@.Z&w..3...t'.r...^-...A..&g.@.;.5...E.A...-u
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1270
                                                                                                          Entropy (8bit):7.863927882639245
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:PwVPi4ZTflHn+Q/4Of6wcd47Zcv4I8sp/2mE/pBcO7QDcAdZMbyxmLDK286hO7j:oVK4tflH+Q/4Of6wkE/pBcUQAA3286G
                                                                                                          MD5:9342E3951626AE731018E77763DF66F0
                                                                                                          SHA1:D3FB869564D9CC3B469E457063B2B20ECFDAD891
                                                                                                          SHA-256:EC5334075F30F84B2A594A26BD56E53C4F9D2DC993745E2110805CC397A4D11F
                                                                                                          SHA-512:3E2A620E6EB60828917DE181A5B4CE808780D9A4FD59CC4D21EE6E8292FAE86A56E0B82D141462001D035038CAD4B30DCFDA85B1DDE50AE7C78238E3D8E434E8
                                                                                                          Malicious:false
                                                                                                          Preview:..x.......h..Q..|v.#L.6.0....9i. .}..7A.....j&...ll0..0..l...o~'yU...w.#.8oU.1dN|....h...#.~.|-......{.Lm..J|....).....\.Z)P.~....6={o...k.2......os .......<..R...F.>...B.i.w..............~.F..~.P.*8....j.X .1....D-.2G.0Y....Tr..<..oa.w...N.d0..p.]....~.......v..Q..ok."H.'.*....+i. .q..9A.....u!...|y$..=..n...op-rN...g.&.&n_.*nCf....c...6.t.y3......k.]..._x.....-..2...].]'...A..=.r..5...\.d.Mn&......[.Z^.x00s.9H....<-..<...H.[g.....[;.K........MEY..d.T.yu.-..QV`.66....8..*.t.5U....S.K....... ....Y.:J...WN.._.~M.-.U........2il.*z....:....w]zG.9.yI.......w:1.b.|.I..L#.......zY....e..c..).X..<N64..}.|......A...$Z...N...>.z../...C.o.G.!......P.ZD.b?.q.+J...'=..?...M.Ta....R+.Q........XTL..s.Otzf.3.._Wq.?(.?..8..;.c.,E...J.Z........4..-. Vr..m.....<..r7.6..O<I;~5]6..4..EY!.>d...M...C....B7...&..r<../......`Xr.........V...A.d.)\.........#.O.0....n..<...w.../....i4/......PE.1}...).g&.N...........o..>9e.Fq..g....i..t....A...........@w...qo.....!..._.,
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):350
                                                                                                          Entropy (8bit):7.414866371872187
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6:SjMQwAyMY51jKOAUzMWDM7kcPiUtwkWTcF7B+6OC8YetJIKYTt7guWFVKMT:BQzsKOAvWY7BVWQ7SC8AxTtOFVXT
                                                                                                          MD5:188ECB0CDE364518DA3CC228D805ADA7
                                                                                                          SHA1:59F62389809FD884D55C5D49B9EE852C4861C417
                                                                                                          SHA-256:EC7FFA0CE85D4CF80C28F26E14D6BCEE03D4D6AD2322C953D64E17FB579E35CA
                                                                                                          SHA-512:97E3B2CEA855C8F17EA4DEEEFD383BF9486EB5C3BEC5F449597FD8BBBA571CA908755C638E1A4E903188254EB2FA69E2B42904F95F73FF2FBD04365C6A628ADA
                                                                                                          Malicious:false
                                                                                                          Preview:G.%.~...b5.r.t..:.E...U.[.K.nz(\v..i.pw=.O_.h....P...../..q5..%.YE..X........4...HK....e.I.N.xn?e.o.B...S^..N@....x~.]..a. P.,...:...KK...wW.....'..L]9q.fL5....S......`............r....`.,.....=_.{ .I.....i......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):443
Entropy (8bit):7.5449351110779554
Encrypted:false
SSDEEP:12:bOPKoLN/Nh4rTmnJ7/Yxhek3I8AxTtOFVXT:byhLNX4CBT4I86hO7j
MD5:09C298D3B9D5989455BF56D62BBB84EA
SHA1:09B628F6547A2E855B3B0C200410A67D4B00DBD9
SHA-256:2B74D08F673AF985A9FBC7B52203B1A8BAB199728096C2265B52BC72187671D8
SHA-512:27D925999C25825ABD66A05D50F6CE39ABD37098FEE3CE07AC7AD0813FB7E872727FB12B2242C7D6C8126382F20B69AB1E924A69AC4B7129965F671D716E9D65
Malicious:false
Preview:(..c|.g%.........B..S..x~.^.....5....$...p..f.Q...M..$....M..n.n... ."...G{5.l.Iv*f.D^...t.r)T.J..n.....<......M...E.....vk....F._...!..$.-a.......8l.5._.`.p......(.R..%V*f.rC.....c.5.F.....%l..P^..A@..Y.c~.]...BL......:...HK...wW.4v.......A.h...~T.ABE...M.t....H`.....k .69..m...u.Y..........e......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):355
Entropy (8bit):7.376577301706556
Encrypted:false
SSDEEP:6:SbNHy0jtTMuWP2LtwwMczdjK1bGm535NLi8foei4+atA8YetJIKYTt7guWFVKMT:IGa+wBc1fZi8fDir8AxTtOFVXT
MD5:E49CCBD2D9C79FB5F0E56B4BC7E7A3D1
SHA1:DB6D9231DA5D8FF26740E2E4E2A7867BC8ED4026
SHA-256:4C680388569AB53DEFAC66B17A43D517CBA4784F2B972CCBB00801073701C60F
SHA-512:C8FEAC6368C57B3DF79096672559BF027BE44F6DC269EA862072020D7E60DAC0C23C8B23679FAF3FCA2AD8E5803ED263F0C5351D513D640243277C8D6818A17B
Malicious:false
Preview:|...,zJ|g...].u$..J..A...khj."?..!.qL...u....X.b.Ka.6.2K(j~..... .sv..*.........}U,.D.X~..K&...Q..x......OJ..T^..L@....yP...@.5B.B...:...K....wW....hC.....>%9......()cJ.....2O...X(...F.>.]%......P.H...Za......(5.l......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):347
Entropy (8bit):7.305405922022433
Encrypted:false
SSDEEP:6:lFdcso9HTUjE6CgERPsiFAX2lNqPtV8YetJIKYTt7guWFVKMT:lF097FgER0i82lNstV8AxTtOFVXT
MD5:2ADB5BD0B8C2BE4D8BC6A83B11F4CFDA
SHA1:E9FBAD9CBAD234C1C2C91269A5BD39AD67029407
SHA-256:49A2A4BA10845135C388CBE7FAB459D67E726FF0630074BEB9F63E4826C0E467
SHA-512:AC83796AB8C8D5C13314D24E70DB572D13514DF376E7D26F93D948223C81CB1D3FCD0B2FB8AA205B950327E22AC2817736A2BA15BCFCC3A71101E1B5BA24A280
Malicious:false
Preview:....0..4...v.H.....ni..........@..H..D?&5....P.n..4.:...nP++...q...1..n..f..&.n...-.....|..!..9...F........cU^..*..Fy#........N.....:...KH...tW....}.Y0.rj..N..jG...`.8....0.Hz..^.k..?T...vR.#...n...8q..'.f......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.028611992754787
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
Malicious:false
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):344
Entropy (8bit):7.341639700889253
Encrypted:false
SSDEEP:6:f3xewyH1QjU+/ASkI7XCN/LvM1xYd6AbWdHdrq8YetJIKYTt7guWFVKMT:f3sHyjU+4SBXi/YxVACdHdW8AxTtOFVj
MD5:6D1D0DF9EC3935A3D68187706756FE96
SHA1:DEB0C79624099905643426C0057A6880E316437B
SHA-256:2C965C71E9EA35BF9D1C7F1D1A8CDC3E5C9B41E9BE558921F09AD462920DB480
SHA-512:534B53BC9232B4903A9A319414F3D69F19E7CFFBE0D1F1444397EF3F3191C9B929FAEEF2574937DA761417C7471B9C1267AAD5D6C50D1DE3776E4E083D07594C
Malicious:false
Preview:g.).Y...MO..p..^.=.%i...........&...jG.g.b.H.B...*o`...;&..pdm...2.\.[..Z;...D....{....N..:.6..T.8^^..Y@..Y.c~.]...BL......:...HK...wW..N....ppp...0..v...;....4.+ ..fN...D..q@h.<...a!`.=.`."..d..e......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):353
Entropy (8bit):7.424372745916605
Encrypted:false
SSDEEP:6:C/vzdte6SN2SVSNwEVzluPkYxtfO9y5NU2F4+eRS22jkpkC8YetJIKYTt7guWFVj:srdC2SVGXuPpc2F4+wS2WdC8AxTtOFVj
MD5:445FCA5D342A8A8614D748ECD996CBD5
SHA1:EA5260290453F34D4F06CD890CF08303687344EE
SHA-256:9FD392966C35FD48A55A16C4806A3612553B6871CF7B0013254D867857D19D6E
SHA-512:8132D4366A8000891F8DEA941CA2B6D19FB2C1EA378377AD7E786C9E37D91A39384F7D1D487C1649BAA53FA00E34731F55655891524853830887E08D0CE03FFC
Malicious:false
Preview:B.j.?..=..s]..gm.;.?.....'A..J...# ..%N.W@t......3;/.I......a....i......!.&K....c7...R".7)w.......i.M.;&Xj....\^..{@....s~.].f.>Q.....#....K...wT....hCe.v(F......Hf.......h..:\W..x!c..)k.*..}.k.>...sL......q.?..k......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:huf output
Category:dropped
Size (bytes):349
Entropy (8bit):7.3838018882077865
Encrypted:false
SSDEEP:6:XFsu1alqTULLK8JySyjJ9YcIDm8ShQC8YetJIKYTt7guWFVKMT:VsjlqILtvezYNDNSh/8AxTtOFVXT
MD5:1AFCB5E655947B406B11ED59EF564E87
SHA1:901567E861FAAB1D1A1E9AFCB64D1B243E87583B
SHA-256:B360AF6E40D27B499251EEF6DFDFE1C28CE9B73EB9B326631A46D6580587C21A
SHA-512:1FFF9845B8A30830A75ED69F6F9309C261432EFD870F80342F41BCC4F7003B46469E9FA6766BEA314B37E67DF26F8084993A61BFF7D9220AE51350F72CB63320
Malicious:false
Preview:..&.......W.&......k...Sr..'].H..b..h..d.. ....F.ZX ..kk.2S...G..`$.W..L.6...6..rNy .Gt.-r%.O.L|=.V9.eT..4@^..Kn.Cy2.......,W......:..KK...wW...&.#../.......8....D.>*........dLv)A..........V...!...1.X...H}h......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):350
Entropy (8bit):7.350893916084865
Encrypted:false
SSDEEP:6:h3lSzKID0gxnt7MDWyNc5Z/y1E8ij+x7kPC8YetJIKYTt7guWFVKMT:hQL0ghTy1E8ij+xQa8AxTtOFVXT
MD5:179596DDD46A50A1B907D8D4BA2B96F1
SHA1:21188B27CA51CA47894CE08D54BCC73C4E95C765
SHA-256:25CBF4B46B2F2D9263657E94408E6F7C287CCABDD0DE4FD12A8A8CDF7C853D52
SHA-512:2D112AED84ED380897865ED3F6765B16D218A26FAE8236CE8337ABB742E6922264FA5F151C66C78732C47E2DCF67895AA8D8C7CA8D9BB75808F223D5707BC6A7
Malicious:false
Preview:........iKDpb.#.g..X{<)..A.(G..=...c.....")...h.k..l..-pc.........;...+3..l....HU....T.......z_*.E..m..a}F^..F@..r#.......,.......:..KK...wW...n-...Ce".v}s.z...e.k.....J$...E.Wf.X(.K.\..].p...Y..j?&.`.....h......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):356
Entropy (8bit):7.32909128927704
Encrypted:false
SSDEEP:6:goNQTy0K8eWvUy6lNF86xmcvMQJkFGm57/htwpgrxnH8YetJIKYTt7guWFVKMT:NY0PWsTDGcnM/2eZH8AxTtOFVXT
MD5:7B4F37E899775B45BB7A291B6E00108A
SHA1:9EFA71DBC8799A9650410A0B91D2748876C49C6D
SHA-256:1C22BEFF8FB06F5E9B792D53B08FA24A175AE319FFA61ABE20A69C891CD550D6
SHA-512:9B47C87A0BEBB302DFD7EF64D25475F79E0D9E39C7EA7EAE20EB907C5862631F3F0D3519857B5E7D2EEBBA3863570E94823C84B7F8BA08D4DB15F22357022664
Malicious:false
Preview:...P........{Q0!g#..g.T....Lr~..o\.An.m.M.<z.i..;S......<...M.M..r.Ss..q..J...*8M..N.|je.....8...M..........E^..Dn.Zy#.....@.5..PBB].:...K....wW....hC.z......._z..]..A.4...../...m.6....*m.S..".I..lj..r.C.Rg|...V|l......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):350
Entropy (8bit):7.386221138875148
Encrypted:false
SSDEEP:6:zbxbaimefPrIp6BaGbFwXIcb7yUNJDAuC8YetJIKYTt7guWFVKMT:zbxbaimefPrU6AXIcbOUNJDAB8AxTtO/
MD5:202350EC1A0E9FE958077F62ADDFC30C
SHA1:38BF56C6F99699B9205C9EB90AB9844AFAC78C12
SHA-256:B1F9AA03317F746AC2F4F1FC9D993DBACB5C739B825025174A39375D415291BB
SHA-512:EAD88548CE3288942E3A5EA80D8C2CC5286E942440A3D8E7BE5C81212BEE9A7389FEEAF0D5BDCC22609D24C5191939317BD10A6E9A4AE2413FAD53D67CA4BD2A
Malicious:false
Preview:.V.kQ..Y.A.j...x ... Q0..S........g.y..*~..7,b9@.A.|.qn..(...B...h{z.my...Y)..@...!.........L..P3p.]Aq.[.K^..Z@..~$.......,.......:..KK...wW...V.....`^.(...kvy..6...l..m.;A.gN..Z....H.*o.y.e.5$J...x..?IVP.h......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.028611992754787
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
Malicious:false
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.028611992754787
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
Malicious:false
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.028611992754787
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
Malicious:false
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (837), with CRLF line terminators
Category:dropped
Size (bytes):6291
Entropy (8bit):5.028611992754787
Encrypted:false
SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
Malicious:false
Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):497
                                                                                                          Entropy (8bit):7.5571689511570925
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:n5ZIYDccVcqh10z9Z6Qgt6mO8AxTtOFVXT:5qYDc+t1C9th86hO7j
                                                                                                          MD5:9F617CC385F777B9EF0753BABC2714BB
                                                                                                          SHA1:2F8A8C7F3B36D6A85CF2B898F77BEA1B9785D38D
                                                                                                          SHA-256:9314DD49914280FE23172913E5A06BBB7C8FF42D3824C3F5FB29F3CEB10C9B21
                                                                                                          SHA-512:D44CF562E18FCF51FF2274AFCF6DC60D08EF195BA448400CB68E2E414CB996C367076F824F507FEACE36F02B7D033ED5DDCA7D862A044A1C6FA971F29235FAD7
                                                                                                          Malicious:false
                                                                                                          Preview:._.8.\.\.....*...s.v.0Z|;>..@.5.?.8..D..Dl-@.r.U....G....W...#..o..v=..a..C.h.A.~R...v.....#....4.Kno.R......t=..E....Y...N.E......e.]..v....v...1..$v..q..|.6_P.(@.M..N.#..g..z.....t.f..M<....z.g.y.}...M..U.b..J;.+s.k^.v...1.i.)..[~AX....W^..J@....a~...V.n..O....#.'j...wW...hC.r+R....VA*ZG._s....q.(...,.I.y.M-N....2...Pk...t.....z.y>K'..C..z.(?.s......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):511
                                                                                                          Entropy (8bit):7.591089824742715
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:KGBSk/p6JT/bCk8S01mJkU3p5RTDC8AxTtOFVXT:dBSUQxCX1mS+/PC86hO7j
                                                                                                          MD5:E901521EE20954BF6DE38966EC029D66
                                                                                                          SHA1:14213E7BCB1A45CE68D4E4D38643FCE045D66DF3
                                                                                                          SHA-256:334A1721BBDAC79F7E19BB6A8F7B52B2F919D5DC20D2C2C3514D96E4957FB698
                                                                                                          SHA-512:7B9B3F694A328BB06E773A289B57D873B408E474532468868D1FD19DCCCAC13CBC64BC06485467047E40DA97BB87CD7962BAC14504901BB5470AD2B43ED92221
                                                                                                          Malicious:false
                                                                                                          Preview:.N...@..C9.....z.dk.=+..........u....`..RP.,.Sj....S..*."..i;..>...,.z.40o...'}..wf.'.'..'w.X.....{~....aGoP.>.#.l\..L.....h..Z.`R.P...T.h.m...h...{...mxrx...m.6.;{.M............v..........2%...dj...w....i......c.%?..#.. .}...U.]r..;Hv..Kq[^..K@.......|..|./p...,......e..BS%...^.*p.R......O.h@..c'......WI.$3]:.C..m..B...;.....pu..G,*..M^.^.I..s_V.c....:.u%.G.........&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1173
                                                                                                          Entropy (8bit):7.834677880321757
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:1+q53czfbA8eapYXVRSc7HSGEft/kTLjmlzzY/L45ha2EITHEsIWIG86hO7j:1ObALciVRSsyGk/kTLeza2FTHEsLIG8b
                                                                                                          MD5:0529A077A2FF8A295073173EFD38FEC9
                                                                                                          SHA1:AED4535637C26DD9D1931BEA392B00D24C550E00
                                                                                                          SHA-256:B985FB8A1ADE7C9D825A068DD0DE54569C4E586056D76B074A2E2A4CCF408CC4
                                                                                                          SHA-512:02D551C455BAE33E23C953406296BF5758E1354E1323107159EA90C8E59A9D6C7082013F79CB4ED6E51EDD601463678A70B70B2EDF6059827EEC8FB9EAD205CD
                                                                                                          Malicious:false
                                                                                                          Preview:..R.&Z=$.XR."...8.J..}..........9.f.....A.........f..*.)..,A.."V.._..zS....[....`........7.m.9...l."..]'G..Clx..D.sv...eF..X.J....(...*..x-.a.M...e._...9.tY.....X.:y.46.? qu.^.%.,.)R..Rh?9P..+...!.....V....i..(..._5..>.q...L....s.I..Wu_+8...1.^&/.>..DK.r.=.6.....r.......fI^.!.y}....Al....B.S..%.S+2wC.q..Fz... ...jI... ..].0...f... .J./....-..G&E...*-...(....Z..M..)W-.C..T.S.{....E:..u\.."..Y!. Q&....e.....78...e.Ku.&R...1..a..d.....0._F./.....*.~.7....Z.#.JL.....e..*..;..k..d..P.r....$97..A?...m.G.yR.l7TpU..t|......j..Vj34]..U...+.t......q/8.B..(..M...DI!....B+......H..r......w.1........B.4(.*yv.v........C...>.G.Z....I...9@.D'V.c....o..m.WJ.x.c./..v;...Kh..........^.1b=...D..D.=2.......%. .EL.....C..&..J..f..a...Oy.m..X....5.~&.'Y.0\grhf....x.:..@.&..(.=)..".gg....R.k:.".../{......rZb.a..&n....e^..A@....;P...=.q..........}S..}Bo(...N?B.w.......]-......8D.........T.}.....M.P.o#].).i..yu$~c...QZi...:.."..w .0z.....,/.a.k.
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):239
                                                                                                          Entropy (8bit):7.035456399877081
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6:7IvetuYEHtH/NsizC7OAJc8YetJIKYTt7guWFVKMT:7I2tWV/NsgeC8AxTtOFVXT
                                                                                                          MD5:79E1B2CACFE970A2959D7B6E55A843A3
                                                                                                          SHA1:2ABC7EE5DC0BAC3A5AAC4F145C59E1E791F659A6
                                                                                                          SHA-256:592701C67EAC7EC0B51B56959918EBEEF81EFD6E90D16A0642878476F309CAF1
                                                                                                          SHA-512:ABD55E225B4944958FD0448EDCC99BAEBA3AD0C5E28F60D7553F1AC551DF4924131E9D69F786D158A027E9A80E4F81ECF6EED7B3131964D4B707BA6C1064F6A7
                                                                                                          Malicious:false
                                                                                                          Preview:.3.q....M^..Z@.........a.@L.....9...HK.....4]....d.B.P.@..<..l$...7*.=.O.[LM..I,.q...........N......a..a......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:false
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):443
                                                                                                          Entropy (8bit):7.566386273444099
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:HLJqSNtr0tUFq/YxBYY//wlG68AxTtOFVXT:Htdvr0tHQ4v86hO7j
                                                                                                          MD5:7F0F78DD34BD1D293D703135AC1F783C
                                                                                                          SHA1:280DE357E1E2DC2067FD9B94445D0D489E425A91
                                                                                                          SHA-256:313873730BFC16AE83193657CB15258667A23CB97944AFA6B32BCA1972FCD32E
                                                                                                          SHA-512:EDA7710180FF79884C7641D1889C72BCCEAEEC31A1F6C72826D3555142FBAAFCB99F534755DA617A68DA068B83012421F284F0E8A36EDB7A8268CD1F9E7BCEFC
                                                                                                          Malicious:false
                                                                                                          Preview:$%..:+}..Y...V...q....m.......!@o......f.>..............".t $.4..%.M...B,..&..B|.....d.t*..J...".:..B.W..I..Qp.?Mi.+.h.h..........6.....rGq..`.g..iO...6..H0..$y..d......o]`....4hJ....Wm.....'..[..E.P^..A@..Y.c~.]...BL......:...HK...wW.P.....lB.?WT....k...(F...Tu.fi.....p}..j8bm....._...7..9B....e......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
                                                                                                           (Six further dropped copies of this ransom note follow in the original report, each with identical File Type, Size 6291, Entropy 5.028611992754787, SSDEEP, MD5, SHA1, SHA-256 and SHA-512 values and Malicious:false; the repeated records are collapsed here.)
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):497
                                                                                                          Entropy (8bit):7.595568310462776
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:VzeXGMIaHY/j2mPTAaMlN5Ev+ci9Z66y0Mzc8AxTtOFVXT:VKXUbKwmci9vf86hO7j
                                                                                                          MD5:DD6F51ED3F5418E363BD8EC0520B412B
                                                                                                          SHA1:21CF9A69E229F0185DFF68F5E81D21A698E1870B
                                                                                                          SHA-256:81947D41BC1D784E26F0D882AEEC1FDFF46BCCD281F7FE5C7D89699FB7F9DE36
                                                                                                          SHA-512:113B313CD183ACAC8C23DBFF128AE24CD0DA9C90EA9BF59B9EEF7F95CB85DE8F2504CE8D234D240540EDD5588FBDB168223E358C22BE4EEE452FC4DF9287E361
                                                                                                          Malicious:false
                                                                                                          Preview:.pZ~h.d.hQ7.t.F@.+.........N..r..X..,.......H..y..Z.3..y..~?.Zs.Ox.q-_.j...R.......Fj...@....a..'..]s.,....b..a..._.!...3(.^Q....1..v[....6e.X/Z.....5.7%X......P{....C..>..r.....L..w<...:.S..t.kTq.........Y:..:..E..Y.n.9d4..v.j.=.<.W^..J@....a~...V.n..O....#.'j...wW...hC.r+R.........x.4...:.*...[.y.....u.G..e(.6.Y'Dd9.J.k.A.;...&.S....(.s......&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):511
                                                                                                          Entropy (8bit):7.536818604525788
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:wmBrV1YwDzesCsTtHR7UeJKQrpNEV73OC8AxTtOFVXT:1BrbYwDzesCsTtHR7Ue4ONEFeC86hO7j
                                                                                                          MD5:225515798FE5A983281A3BCA73311BC7
                                                                                                          SHA1:D2254A7400A78552E9F39D4B0343F76FD7B9ADB4
                                                                                                          SHA-256:0A198D05B9FC0EAA7B842320D15FAD63636C69D88C1767D02A886AA34C712ABE
                                                                                                          SHA-512:8EA59CF21405E467E34ACD739D39EC9AE726D9F2388C2E734FFF52C2412E608796099EC7B6129279FAD0DD60799AB6F9F1F2793AAB24B903994137A678BE8892
                                                                                                          Malicious:false
                                                                                                          Preview:.......b.Zr_[...o...+#.1..$.M..d.B.0J/..Z.{..-......D..A|..&$..v]L.F...dj].8."+.4. ../..p`.....}wFXk....qR....,..h...$....Q...z..?.P.=.......Y.0....A..%"..2`,...X......t...w.A...w..X....9.m...$".o...]{...2...]@....}.j.60c.sX>.h..^[^..K@.......|..|./p...,......e..BS%...^.*p.R......O.h@..c'.....y....x..dh..C.....}...E..@...x...*X..z............#."#q...........&.y3..8.NuU.%_.!*..7+....t..h.bNPi....&.y.N.)ls.i..."v...<...Bc.c..*..3..o.......<...s.7+<1[...Sr..E9..&9Ya.G...Mi...@
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:true
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1174
                                                                                                          Entropy (8bit):7.813990160176353
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:kG9ceJKvTFS1PVaTqBY6JUffgfCXzHEpC286hO7j:pyy2S1PkTqBY6uAGHEA286G
                                                                                                          MD5:B11DE21C51B62FE43A3435995B296E57
                                                                                                          SHA1:5D5266DC512C90B566E14B70215B941777F810FD
                                                                                                          SHA-256:30667FA9B5A4745EAD17937CE7CF98187C1CFB2F59F7D8134A77DD91F3AC5079
                                                                                                          SHA-512:4D7D0E6199D2DFA6B2A4F99DF4E59829365082F73F4DB4011AE3E811A8A88235EFCFC537070E9D5D87721E5E608167BA26284169B2768323030418BB5B18B633
                                                                                                          Malicious:false
                                                                                                          Preview:..1G..=)Cv......S..I..b.S..=\.Q+..Gt%.O..c.K8..(..NL9.IJ.`..j....>.P..[-.....P;.&.?.......%.:..^.\.!......>......J0P..F...y.r^.[...ML...M..u....P~.=.@..].m..T..LH.K......o.f6-{.....7...4ZVa.A.v...........M.<.1\#..PeH&Q.ZOb..U....^,..._.O.v.!7.E<NS..=g..>.Rj...=.].....m.C..4..:r.._v:.$..t.X....V...h....@..^.....ik.9'.i..3f@.M........ .-..H.M.O....I..<...K...yL.`>..e.qK....-...S...Z?...$I.o_..^zA......C....x.3OQ...=.3........o.w...I...gR},.tM...m........bSxi..x4...0.B.H.]...r....?a.ZU.."1hxBB.DH.....:.f."..H..F.JqK.,+......k..2i..D...$....LFc...%..i..I.0R.xeD.9......]...e..r.t.......U..0.f.._..!.).#wh}..LON.....v.3.}..P.Y..Iq.3"..qYy...E.c#.r..z@<+....s.lb.....wb.z'g.?..... |@..<..z&.-....v5=.*4.h....6.=.K.R...ui...?m.Z$....&4hN..V{.b..I. ...fK....-....4.......qc.E.q.hUB.\.d[Q..q....A.i).^.,..IyP.S........D..C.e^..A@....;P...=.q..........}S..}Bo(...N?B.w.......]-......8U.............X.PF..H..).i...u$,1...QYj...9...C..,$...I\...*n...$..
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6291
                                                                                                          Entropy (8bit):5.028611992754787
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiSUdiS1u1slkGijwwqwwuiSOQYTbt6:biSuJXW0Wp0GMCi1imkAOi0
                                                                                                          MD5:9BA778C4ED0A8BD6CFE0635BF28B6033
                                                                                                          SHA1:16A6942CF881381A283606A4FE0A55ECF41BD3E5
                                                                                                          SHA-256:A5499A55DDF2CD63570F0E4E6E63310684722420030C1094E9FA6622949BCE01
                                                                                                          SHA-512:E0900212B340E22653DF5C7AB41D20D0F5DF7F0478F2B5D1FD14EC746C4E460F99B11E72BF402C0678BE4A95AFCE6102F64C3293DE56D7A4579B0051F8F5D08A
                                                                                                          Malicious:true
                                                                                                          Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                          Process:C:\ProgramData\8521.tmp
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):477825
                                                                                                          Entropy (8bit):7.997068957090049
                                                                                                          Encrypted:true
                                                                                                          SSDEEP:6144:Tx4WWIkx4WWIkx4WWIkx4WWIkx4WWIkx4WWIkx4WWIkx4g:d4WDy4WDy4WDy4WDy4WDy4WDy4WDy4g
                                                                                                          MD5:140B900A1774374A41798C42F53280F1
                                                                                                          SHA1:A7CAD8A5594A3FC67946E1083C74412C599E303B
                                                                                                          SHA-256:8E416D25B506109502E45341CA5F00A1DFD94C131D879EDD7294843377BA164F
                                                                                                          SHA-512:AEB138389B9CD106E9C8A6AF5ADF678CDB487ADB7FD3A65E0292D6E046795290B94E0D828ADE700CD863C4684669B00B8EFCDB5C0F45B188CDF5F3827870E91C
                                                                                                          Malicious:false
                                                                                                          File type:ASCII text, with very long lines (65312), with CRLF, LF line terminators
                                                                                                          Entropy (8bit):3.4800709631764826
                                                                                                          TrID:
                                                                                                            File name:22V6t8mgjo.ps1
                                                                                                            File size:477'825 bytes
                                                                                                            MD5:0eff1f3ca94f1c8aeb4b720d6dd54fc3
                                                                                                            SHA1:9397b1ce2b42e8b08431ea55afa951b0d0402c28
                                                                                                            SHA256:2f5051217414f6e465f4c9ad0f59c3920efe8ff11ba8e778919bac8bd53d915c
                                                                                                            SHA512:c22d6f6a6147b70ec651322ff7417e92328a68264a495996dabcfb6d38cff74cf9eea86445dd32de60a33f96b778eb840fbcbda5d4f2b979ae2542531464c9ea
                                                                                                            SSDEEP:1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJ5:VR
                                                                                                            TLSH:A1A409F0636099E3B6D94993B265195E3B2A103F7AC635D84083FBDD1C7BAC08A19CD7
                                                                                                            File Content Preview:for ($i = 0; $i -lt $args.count; $i++ ){$argument += $args[$i] + ' '} . $psFile=$PSCommandPath.$global:ProgressPreference = "SilentlyContinue"....# -- thread variables..$script:threadBody = '$data=$threadData;'..$data = @(..@(62416317159553766,61715855556
                                                                                                            Icon Hash:3270d6baae77db44
                                                                                                            No network behavior found

                                                                                                            Target ID:1
                                                                                                            Start time:06:33:31
                                                                                                            Start date:23/12/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\22V6t8mgjo.ps1"
                                                                                                            Imagebase:0x7ff6cb6b0000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:2
                                                                                                            Start time:06:33:31
                                                                                                            Start date:23/12/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff6ee680000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:3
                                                                                                            Start time:06:33:39
                                                                                                            Start date:23/12/2024
                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\22V6t8mgjo.ps1
                                                                                                            Imagebase:0x800000
                                                                                                            File size:433'152 bytes
                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Hacktool_Mimikatz_355d5d3a, Description: Detection for Invoke-Mimikatz, Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Empire_Invoke_Gen, Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                            • Rule: Empire_PowerShell_Framework_Gen5, Description: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000003.00000002.1885450230.00000000063C7000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                            • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000003.00000002.1885450230.0000000006462000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000003.00000002.1885450230.0000000006462000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:4
                                                                                                            Start time:06:33:39
                                                                                                            Start date:23/12/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff6ee680000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:11
                                                                                                            Start time:06:33:52
                                                                                                            Start date:23/12/2024
                                                                                                            Path:C:\ProgramData\8521.tmp
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\ProgramData\8521.tmp"
                                                                                                            Imagebase:0x400000
                                                                                                            File size:14'336 bytes
                                                                                                            MD5 hash:294E9F64CB1642DD89229FFF0592856B
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Avira
                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                            • Detection: 87%, ReversingLabs
                                                                                                            Reputation:moderate
                                                                                                            Has exited:false

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1798267434.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7ffb4afd0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e779995a79fe2de385d5479971fbaa86698d173411aee26707d34087ece88290
                                                                                                              • Instruction ID: 94cd73a274913c6264f7418fe08f424de686e161348e737a6bfa5fe50d5538f7
                                                                                                              • Opcode Fuzzy Hash: e779995a79fe2de385d5479971fbaa86698d173411aee26707d34087ece88290
                                                                                                              • Instruction Fuzzy Hash: AA01677115CB0C8FDB44EF0CE451AA5B7E0FB95364F10056DE58AC3695DB36E882CB45

Execution Graph

Execution Coverage: 4.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.4%
Total number of Nodes: 746
Total number of Limit Nodes: 1
                                                                                                              execution_graph 58681 9e01700 58683 9e01705 58681->58683 58682 9e0180b 58683->58682 58689 9e01e49 58683->58689 58693 9e01f78 58683->58693 58697 9e01c28 58683->58697 58701 9e019f8 58683->58701 58684 9e017ef 58691 9e01da4 58689->58691 58690 9e01f27 58690->58684 58691->58690 58705 9dd1a66 58691->58705 58694 9e01ecf 58693->58694 58696 9dd1a66 121 API calls 58694->58696 58695 9e01f27 58695->58684 58696->58695 58699 9e01c5c 58697->58699 58698 9e01d3a 58698->58684 58699->58698 58700 9dd1a66 121 API calls 58699->58700 58700->58698 58703 9e019fd 58701->58703 58702 9e01d3a 58702->58684 58703->58702 58704 9dd1a66 121 API calls 58703->58704 58704->58702 58707 9dd1a6b 58705->58707 58706 9dd1cb9 58706->58690 58707->58706 58711 9dbfa19 58707->58711 58720 9dbfa20 58707->58720 58708 9dd1c5a 58708->58690 58712 9dbfa20 58711->58712 58729 9d28176 58712->58729 58770 9d2818d 58712->58770 58812 9d281bc 58712->58812 58855 9d2d0a8 58712->58855 58861 9d36464 58712->58861 58869 9d2b7e4 58712->58869 58713 9dbfa8a 58713->58708 58721 9dbfa60 58720->58721 58723 9d28176 11 API calls 58721->58723 58724 9d2b7e4 16 API calls 58721->58724 58725 9d36464 119 API calls 58721->58725 58726 9d2d0a8 5 API calls 58721->58726 58727 9d281bc 11 API calls 58721->58727 58728 9d2818d 11 API calls 58721->58728 58722 9dbfa8a 58722->58708 58723->58722 58724->58722 58725->58722 58726->58722 58727->58722 58728->58722 58729->58713 58730 9d281d4 RtlCreateHeap 58729->58730 58731 9d281f1 58730->58731 58732 9d28329 58730->58732 58902 9d27988 58731->58902 58732->58713 58737 9d27c3c 7 API calls 58738 9d28239 58737->58738 58739 9d27c3c 7 API calls 58738->58739 58740 9d2824a 58739->58740 58741 9d27c3c 7 API calls 58740->58741 58742 9d2825b 58741->58742 58743 9d27c3c 7 API calls 58742->58743 58744 9d2826c 58743->58744 58745 9d27c3c 7 API calls 58744->58745 58746 9d2827d 58745->58746 58747 9d27c3c 7 API calls 58746->58747 
58748 9d2828e 58747->58748 58749 9d27c3c 7 API calls 58748->58749 58750 9d2829f 58749->58750 58751 9d27c3c 7 API calls 58750->58751 58752 9d282b0 58751->58752 58753 9d27c3c 7 API calls 58752->58753 58754 9d282c1 58753->58754 58755 9d27c3c 7 API calls 58754->58755 58756 9d282d2 58755->58756 58757 9d27c3c 7 API calls 58756->58757 58758 9d282e3 58757->58758 58759 9d27c3c 7 API calls 58758->58759 58760 9d282f4 58759->58760 58761 9d27c3c 7 API calls 58760->58761 58762 9d28305 58761->58762 58763 9d27c3c 7 API calls 58762->58763 58764 9d28316 58763->58764 58915 9d28614 58764->58915 58766 9d2831d 58918 9d33c18 RtlAllocateHeap RtlFreeHeap 58766->58918 58768 9d28324 58919 9d28640 LdrGetProcedureAddress LdrGetProcedureAddress LdrLoadDll 58768->58919 58771 9d28192 58770->58771 58772 9d281ca RtlCreateHeap 58770->58772 58771->58772 58773 9d281f1 58772->58773 58774 9d28329 58772->58774 58775 9d27988 3 API calls 58773->58775 58774->58713 58776 9d2820d 58775->58776 58776->58774 58777 9d27c3c 7 API calls 58776->58777 58778 9d28228 58777->58778 58779 9d27c3c 7 API calls 58778->58779 58780 9d28239 58779->58780 58781 9d27c3c 7 API calls 58780->58781 58782 9d2824a 58781->58782 58783 9d27c3c 7 API calls 58782->58783 58784 9d2825b 58783->58784 58785 9d27c3c 7 API calls 58784->58785 58786 9d2826c 58785->58786 58787 9d27c3c 7 API calls 58786->58787 58788 9d2827d 58787->58788 58789 9d27c3c 7 API calls 58788->58789 58790 9d2828e 58789->58790 58791 9d27c3c 7 API calls 58790->58791 58792 9d2829f 58791->58792 58793 9d27c3c 7 API calls 58792->58793 58794 9d282b0 58793->58794 58795 9d27c3c 7 API calls 58794->58795 58796 9d282c1 58795->58796 58797 9d27c3c 7 API calls 58796->58797 58798 9d282d2 58797->58798 58799 9d27c3c 7 API calls 58798->58799 58800 9d282e3 58799->58800 58801 9d27c3c 7 API calls 58800->58801 58802 9d282f4 58801->58802 58803 9d27c3c 7 API calls 58802->58803 58804 9d28305 58803->58804 58805 9d27c3c 7 API calls 58804->58805 58806 9d28316 58805->58806 58807 9d28614 
NtSetInformationThread 58806->58807 58808 9d2831d 58807->58808 58946 9d33c18 RtlAllocateHeap RtlFreeHeap 58808->58946 58810 9d28324 58947 9d28640 LdrGetProcedureAddress LdrGetProcedureAddress LdrLoadDll 58810->58947 58813 9d27988 3 API calls 58812->58813 58814 9d281ce 58813->58814 58815 9d281d6 RtlCreateHeap 58814->58815 58816 9d28329 58814->58816 58815->58816 58817 9d281f1 58815->58817 58816->58713 58818 9d27988 3 API calls 58817->58818 58819 9d2820d 58818->58819 58819->58816 58820 9d27c3c 7 API calls 58819->58820 58821 9d28228 58820->58821 58822 9d27c3c 7 API calls 58821->58822 58823 9d28239 58822->58823 58824 9d27c3c 7 API calls 58823->58824 58825 9d2824a 58824->58825 58826 9d27c3c 7 API calls 58825->58826 58827 9d2825b 58826->58827 58828 9d27c3c 7 API calls 58827->58828 58829 9d2826c 58828->58829 58830 9d27c3c 7 API calls 58829->58830 58831 9d2827d 58830->58831 58832 9d27c3c 7 API calls 58831->58832 58833 9d2828e 58832->58833 58834 9d27c3c 7 API calls 58833->58834 58835 9d2829f 58834->58835 58836 9d27c3c 7 API calls 58835->58836 58837 9d282b0 58836->58837 58838 9d27c3c 7 API calls 58837->58838 58839 9d282c1 58838->58839 58840 9d27c3c 7 API calls 58839->58840 58841 9d282d2 58840->58841 58842 9d27c3c 7 API calls 58841->58842 58843 9d282e3 58842->58843 58844 9d27c3c 7 API calls 58843->58844 58845 9d282f4 58844->58845 58846 9d27c3c 7 API calls 58845->58846 58847 9d28305 58846->58847 58848 9d27c3c 7 API calls 58847->58848 58849 9d28316 58848->58849 58850 9d28614 NtSetInformationThread 58849->58850 58851 9d2831d 58850->58851 58948 9d33c18 RtlAllocateHeap RtlFreeHeap 58851->58948 58853 9d28324 58949 9d28640 LdrGetProcedureAddress LdrGetProcedureAddress LdrLoadDll 58853->58949 58950 9d2874c 58855->58950 58858 9d2d0b6 NtSetInformationProcess NtSetInformationProcess NtSetInformationProcess 58953 9d28778 58858->58953 58859 9d2d0f8 58859->58713 58862 9d36493 58861->58862 58863 9d3646d 58861->58863 58862->58713 58864 9d281bc 11 API calls 58863->58864 58865 9d36480 
58864->58865 58866 9d2b7e4 16 API calls 58865->58866 58867 9d3648e 58866->58867 58962 9d339e0 58867->58962 58870 9d2b7e9 58869->58870 59474 9d28dbc 58870->59474 58874 9d2b82b 59510 9d28bac 58874->59510 58876 9d2b83a 58877 9d2b848 58876->58877 59513 9d2db18 58876->59513 58877->58713 58878 9d2b7fc 58878->58874 59548 9d2cea4 RtlAllocateHeap RtlFreeHeap 58878->59548 58881 9d2b822 58881->58874 59549 9d2d430 RtlAllocateHeap RtlFreeHeap 58881->59549 58882 9d2b854 59516 9d2d07c 58882->59516 58886 9d2d0a8 5 API calls 58887 9d2b863 58886->58887 59520 9d2cfe8 58887->59520 58891 9d2b86c 58892 9d2b8ca 58891->58892 59551 9d2cbdc RtlAllocateHeap RtlFreeHeap 58891->59551 59527 9d2e38c 58892->59527 58896 9d2b8b1 58896->58892 59552 9d2cf60 RtlAllocateHeap RtlFreeHeap 58896->59552 58897 9d2b882 58897->58891 59550 9d2c84c RtlAllocateHeap RtlFreeHeap 58897->59550 58898 9d30214 2 API calls 58900 9d2b8fd 58898->58900 58900->58713 58903 9d2799a 58902->58903 58904 9d279b4 58902->58904 58905 9d27988 3 API calls 58903->58905 58906 9d27988 3 API calls 58904->58906 58908 9d279dc 58904->58908 58905->58904 58906->58908 58907 9d27aa6 58907->58732 58910 9d27c3c 58907->58910 58908->58907 58920 9d27920 58908->58920 58931 9d27ac0 58910->58931 58912 9d27c67 58912->58737 58913 9d27988 3 API calls 58914 9d27c51 58913->58914 58914->58912 58914->58913 58916 9d28628 NtSetInformationThread 58915->58916 58916->58766 58918->58768 58919->58732 58921 9d2797e 58920->58921 58922 9d2794c 58920->58922 58921->58908 58922->58921 58927 9d278bc 58922->58927 58924 9d27960 58924->58921 58925 9d27974 58924->58925 58930 9d27870 LdrGetProcedureAddress LdrGetProcedureAddress 58925->58930 58928 9d278d3 58927->58928 58929 9d27901 LdrLoadDll 58928->58929 58929->58924 58930->58921 58932 9d27aed 58931->58932 58933 9d27ad3 58931->58933 58935 9d27b15 58932->58935 58936 9d27988 3 API calls 58932->58936 58934 9d27988 3 API calls 58933->58934 58934->58932 58937 9d27988 3 API calls 58935->58937 58939 9d27b3d 58935->58939 58936->58935 
58937->58939 58938 9d27b85 FindFirstFileW 58938->58939 58939->58938 58940 9d27bf6 58939->58940 58941 9d27bd3 FindNextFileW 58939->58941 58942 9d27bb5 FindClose 58939->58942 58940->58914 58941->58939 58944 9d27be7 FindClose 58941->58944 58943 9d278bc LdrLoadDll 58942->58943 58945 9d27bcc 58943->58945 58944->58939 58945->58914 58946->58810 58947->58774 58948->58853 58949->58816 58956 9d286d0 58950->58956 58952 9d28762 58952->58858 58952->58859 58959 9d286f8 58953->58959 58955 9d2878a 58955->58859 58957 9d286d8 58956->58957 58958 9d286e6 RtlAllocateHeap 58957->58958 58958->58952 58960 9d28700 58959->58960 58961 9d2870e RtlFreeHeap 58960->58961 58961->58955 58963 9d339fd 58962->58963 58980 9d2b4e4 58963->58980 58965 9d33a03 58966 9d33a24 58965->58966 58972 9d33a4a 58965->58972 58978 9d33a19 58965->58978 58968 9d2b9b0 3 API calls 58966->58968 58967 9d33c10 58967->58862 58968->58978 58969 9d286f8 RtlFreeHeap 58969->58967 58970 9d33b91 58974 9d33be1 58970->58974 58975 9d33bbe 58970->58975 58970->58978 58971 9d33b6e 58973 9d2b9b0 3 API calls 58971->58973 58972->58970 58972->58971 58973->58978 58977 9d2b9b0 3 API calls 58974->58977 58984 9d2b9b0 58975->58984 58979 9d33be6 CreateThread 58977->58979 58978->58967 58978->58969 58979->58978 58998 9d322e0 58979->58998 58981 9d2b4fd 58980->58981 58982 9d286d0 RtlAllocateHeap 58981->58982 58983 9d2b50d 58982->58983 58983->58965 58985 9d2ba52 58984->58985 58986 9d2b9c3 58984->58986 58985->58978 58993 9d29de0 58986->58993 58989 9d2ba05 58991 9d2ba25 CreateMutexW 58989->58991 58992 9d28778 RtlFreeHeap 58991->58992 58992->58985 58994 9d29df7 58993->58994 58995 9d2874c RtlAllocateHeap 58994->58995 58996 9d29eb0 58994->58996 58995->58996 58996->58989 58997 9d2a780 RtlAllocateHeap RtlFreeHeap 58996->58997 58997->58989 58999 9d322ef 58998->58999 59000 9d32369 58999->59000 59002 9d32342 58999->59002 59003 9d3232a CreateThread 58999->59003 59046 9d292b8 GetLogicalDriveStringsW 59000->59046 59002->59000 59004 9d3234b CreateThread 59002->59004 
59003->59002 59421 9d2b440 59003->59421 59004->59000 59410 9d2ad80 RtlAdjustPrivilege 59004->59410 59008 9d32395 59010 9d323b6 59008->59010 59011 9d3239e CreateThread 59008->59011 59012 9d323c4 59010->59012 59056 9d2c034 59010->59056 59011->59010 59426 9d29c7c 59011->59426 59014 9d2d0a8 5 API calls 59012->59014 59015 9d323c9 59014->59015 59066 9d30144 59015->59066 59018 9d3240a 59020 9d30214 2 API calls 59018->59020 59027 9d3241d 59018->59027 59022 9d32418 59020->59022 59105 9d31838 59022->59105 59026 9d30214 2 API calls 59030 9d324b5 59026->59030 59028 9d3247b 59027->59028 59198 9d2f994 RtlAllocateHeap RtlFreeHeap 59027->59198 59028->59026 59029 9d30214 2 API calls 59031 9d32405 59029->59031 59034 9d324c5 59030->59034 59035 9d3254a 59030->59035 59081 9d31ee8 59031->59081 59127 9d2a050 59034->59127 59199 9d3333c RtlAllocateHeap RtlFreeHeap 59035->59199 59038 9d3254f 59200 9d32e98 RtlAllocateHeap RtlFreeHeap 59038->59200 59040 9d32556 59043 9d32540 ExitProcess 59043->59040 59047 9d29303 59046->59047 59048 9d292db 59046->59048 59050 9d2967c 59047->59050 59048->59047 59201 9d2930c 59048->59201 59053 9d296a9 59050->59053 59051 9d29aef 59051->59008 59197 9d29af4 RtlAllocateHeap RtlFreeHeap 59051->59197 59053->59051 59054 9d299ba CoSetProxyBlanket 59053->59054 59055 9d29916 CoUninitialize 59053->59055 59054->59055 59055->59051 59057 9d2c05b GetVolumeNameForVolumeMountPointW 59056->59057 59059 9d2c09e FindFirstVolumeW 59057->59059 59060 9d2c2ef 59059->59060 59064 9d2c0ba 59059->59064 59060->59012 59061 9d2c0d3 GetVolumePathNamesForVolumeNameW 59061->59064 59062 9d2c104 GetDriveTypeW 59062->59064 59063 9d2c1a5 CreateFileW 59063->59064 59064->59060 59064->59061 59064->59062 59064->59063 59065 9d2bfa8 GetLogicalDriveStringsW CreateThread ResumeThread GetExitCodeThread NtSetInformationThread 59064->59065 59065->59064 59067 9d30151 59066->59067 59068 9d301b6 59067->59068 59069 9d30186 CreateThread 59067->59069 59070 9d28614 NtSetInformationThread 59067->59070 59068->59018 
59068->59027 59071 9d30214 59068->59071 59069->59067 59231 9d2fdd0 SetThreadPriority 59069->59231 59070->59067 59072 9d30230 59071->59072 59238 9d302ac 59072->59238 59074 9d30286 59075 9d3028a 59074->59075 59076 9d286f8 RtlFreeHeap 59074->59076 59077 9d32134 59075->59077 59076->59075 59078 9d3218e 59077->59078 59080 9d32208 59078->59080 59242 9d287e4 59078->59242 59080->59029 59082 9d31efd 59081->59082 59246 9d2be18 CreateThread 59082->59246 59084 9d31f0f 59085 9d286d0 RtlAllocateHeap 59084->59085 59102 9d31f15 59084->59102 59087 9d31f27 59085->59087 59086 9d3210e 59089 9d3211c 59086->59089 59092 9d286f8 RtlFreeHeap 59086->59092 59091 9d2be18 5 API calls 59087->59091 59087->59102 59088 9d286f8 RtlFreeHeap 59088->59086 59090 9d3212a 59089->59090 59093 9d286f8 RtlFreeHeap 59089->59093 59090->59018 59094 9d31f44 59091->59094 59092->59089 59093->59090 59095 9d286d0 RtlAllocateHeap 59094->59095 59094->59102 59096 9d31f5f 59095->59096 59097 9d286d0 RtlAllocateHeap 59096->59097 59096->59102 59104 9d31f7a 59097->59104 59099 9d287e4 RtlAllocateHeap 59100 9d31fd6 CreateThread 59099->59100 59100->59104 59268 9d30f48 SetThreadPriority 59100->59268 59101 9d287e4 RtlAllocateHeap 59101->59104 59102->59086 59102->59088 59104->59099 59104->59101 59104->59102 59254 9d2bb34 CreateThread 59104->59254 59262 9d2cdf0 59104->59262 59106 9d31864 59105->59106 59107 9d286d0 RtlAllocateHeap 59106->59107 59108 9d31871 59107->59108 59109 9d3187a 59108->59109 59388 9d31400 RtlAllocateHeap RtlFreeHeap 59108->59388 59112 9d31b89 59109->59112 59113 9d286f8 RtlFreeHeap 59109->59113 59111 9d31887 59111->59109 59116 9d286d0 RtlAllocateHeap 59111->59116 59114 9d31b97 59112->59114 59117 9d286f8 RtlFreeHeap 59112->59117 59113->59112 59115 9d31ba5 59114->59115 59118 9d286f8 RtlFreeHeap 59114->59118 59115->59027 59119 9d318a5 59116->59119 59117->59114 59118->59115 59119->59109 59120 9d286d0 RtlAllocateHeap 59119->59120 59126 9d318c0 59120->59126 59121 9d31170 NtSetInformationThread 59121->59126 59123 
9d312ac NtSetInformationThread 59123->59126 59124 9d2cdf0 NtSetInformationThread 59124->59126 59125 9d286f8 RtlFreeHeap 59125->59126 59126->59109 59126->59121 59126->59123 59126->59124 59126->59125 59389 9d28840 RtlAllocateHeap 59126->59389 59128 9d2a0ab 59127->59128 59132 9d2a0b0 59127->59132 59129 9d2a729 59128->59129 59130 9d286f8 RtlFreeHeap 59128->59130 59131 9d286f8 RtlFreeHeap 59129->59131 59133 9d2a737 59129->59133 59130->59129 59131->59133 59132->59128 59390 9d326c4 59132->59390 59133->59043 59160 9d325c4 59133->59160 59135 9d2a10d 59135->59128 59136 9d286d0 RtlAllocateHeap 59135->59136 59137 9d2a1ef 59136->59137 59137->59128 59138 9d2a221 59137->59138 59139 9d2a207 59137->59139 59141 9d28c54 RtlAllocateHeap 59138->59141 59402 9d28c54 59139->59402 59142 9d2a211 59141->59142 59142->59128 59143 9d2a254 59142->59143 59145 9d2a268 59142->59145 59144 9d286f8 RtlFreeHeap 59143->59144 59144->59128 59145->59128 59146 9d2a31b DrawTextW 59145->59146 59146->59128 59147 9d2a343 59146->59147 59147->59128 59148 9d2a47d CreateFileW 59147->59148 59148->59128 59149 9d2a4a6 WriteFile 59148->59149 59149->59128 59150 9d2a4c7 WriteFile 59149->59150 59150->59128 59151 9d2a4e5 WriteFile 59150->59151 59151->59128 59152 9d2a503 59151->59152 59396 9d28afc 59152->59396 59154 9d2a525 59154->59128 59155 9d2a5a8 RegCreateKeyExW 59154->59155 59155->59128 59156 9d2a5d9 59155->59156 59157 9d2a612 RegSetValueExW 59156->59157 59157->59128 59158 9d2a63f 59157->59158 59159 9d2a69e RegSetValueExW 59158->59159 59159->59128 59163 9d325ed 59160->59163 59161 9d32520 59166 9d2d660 59161->59166 59162 9d286f8 RtlFreeHeap 59162->59161 59165 9d3261c 59163->59165 59405 9d2e858 RtlAllocateHeap RtlFreeHeap 59163->59405 59165->59161 59165->59162 59167 9d2d695 59166->59167 59168 9d28c54 RtlAllocateHeap 59167->59168 59169 9d2d70d 59168->59169 59170 9d286d0 RtlAllocateHeap 59169->59170 59171 9d2d716 59169->59171 59174 9d2d72d 59170->59174 59172 9d2dadb 59171->59172 59175 9d286f8 RtlFreeHeap 59171->59175 59173 
9d2dae9 59172->59173 59176 9d286f8 RtlFreeHeap 59172->59176 59177 9d2daf7 59173->59177 59179 9d286f8 RtlFreeHeap 59173->59179 59174->59171 59406 9d2d4e4 59174->59406 59175->59172 59176->59173 59180 9d2db05 59177->59180 59182 9d286f8 RtlFreeHeap 59177->59182 59179->59177 59180->59043 59181 9d2d75e 59181->59171 59183 9d2d77f GetTempFileNameW CreateFileW 59181->59183 59182->59180 59183->59171 59184 9d2d7c4 WriteFile 59183->59184 59184->59171 59185 9d2d7e0 CreateProcessW 59184->59185 59185->59171 59187 9d2d84a NtQueryInformationProcess 59185->59187 59187->59171 59188 9d2d86e 59187->59188 59188->59171 59189 9d28c54 RtlAllocateHeap 59188->59189 59190 9d2d89f 59189->59190 59190->59171 59191 9d2d903 NtProtectVirtualMemory 59190->59191 59191->59171 59192 9d2d92f NtWriteVirtualMemory 59191->59192 59192->59171 59193 9d2d949 59192->59193 59193->59171 59194 9d2d9ac NtDuplicateObject 59193->59194 59194->59171 59195 9d2d9d4 CreateNamedPipeW 59194->59195 59195->59171 59196 9d2da40 ResumeThread ConnectNamedPipe 59195->59196 59196->59171 59197->59008 59198->59028 59199->59038 59200->59040 59209 9d293e0 59201->59209 59203 9d293d0 59203->59048 59204 9d29324 59204->59203 59205 9d29356 FindFirstFileExW 59204->59205 59205->59203 59207 9d2937e 59205->59207 59206 9d293bc FindNextFileW 59206->59203 59206->59207 59207->59206 59213 9d294bc 59207->59213 59210 9d29400 FindFirstFileExW 59209->59210 59212 9d2945e 59210->59212 59212->59204 59214 9d294de 59213->59214 59215 9d29673 59214->59215 59216 9d286d0 RtlAllocateHeap 59214->59216 59215->59206 59221 9d294f6 59216->59221 59217 9d2964e 59218 9d29665 59217->59218 59219 9d286f8 RtlFreeHeap 59217->59219 59218->59215 59220 9d286f8 RtlFreeHeap 59218->59220 59219->59218 59220->59215 59221->59217 59222 9d2952e FindFirstFileExW 59221->59222 59222->59217 59228 9d29556 59222->59228 59223 9d29636 FindNextFileW 59223->59217 59223->59228 59224 9d286d0 RtlAllocateHeap 59224->59228 59225 9d295d0 GetFileAttributesW 59226 9d2961e DeleteFileW 59225->59226 
59225->59228 59227 9d286f8 RtlFreeHeap 59226->59227 59227->59228 59228->59223 59228->59224 59228->59225 59229 9d294bc 2 API calls 59228->59229 59230 9d286f8 RtlFreeHeap 59228->59230 59229->59228 59230->59228 59235 9d2fde7 59231->59235 59232 9d2fe3a 59233 9d2fe49 ReadFile 59233->59235 59234 9d30006 WriteFile 59234->59235 59235->59232 59235->59233 59235->59234 59236 9d2ff8d WriteFile 59235->59236 59237 9d286f8 RtlFreeHeap 59235->59237 59236->59235 59237->59235 59239 9d302b8 59238->59239 59241 9d302c5 59238->59241 59240 9d286d0 RtlAllocateHeap 59239->59240 59239->59241 59240->59241 59241->59074 59243 9d287fc 59242->59243 59244 9d28812 59243->59244 59245 9d286d0 RtlAllocateHeap 59243->59245 59244->59080 59245->59244 59247 9d2bebe 59246->59247 59248 9d2be5d 59246->59248 59266 9d2be00 GetLogicalDriveStringsW 59246->59266 59247->59084 59249 9d2be94 ResumeThread 59248->59249 59250 9d2cdf0 NtSetInformationThread 59248->59250 59252 9d2bea8 GetExitCodeThread 59249->59252 59251 9d2be6e 59250->59251 59251->59249 59253 9d2be72 59251->59253 59252->59247 59253->59084 59255 9d2bb6c 59254->59255 59256 9d2bbcd 59254->59256 59267 9d2bb24 GetDriveTypeW 59254->59267 59257 9d2bba3 ResumeThread 59255->59257 59258 9d2cdf0 NtSetInformationThread 59255->59258 59256->59104 59259 9d2bbb7 GetExitCodeThread 59257->59259 59260 9d2bb7d 59258->59260 59259->59256 59260->59257 59261 9d2bb81 59260->59261 59261->59104 59263 9d2ce02 59262->59263 59265 9d2cdff 59262->59265 59264 9d2ce49 NtSetInformationThread 59263->59264 59263->59265 59264->59265 59265->59104 59269 9d30f60 59268->59269 59270 9d286d0 RtlAllocateHeap 59269->59270 59281 9d30f7f 59270->59281 59273 9d286f8 RtlFreeHeap 59274 9d30faf FindFirstFileExW 59273->59274 59274->59281 59275 9d286f8 RtlFreeHeap 59275->59281 59276 9d31122 59277 9d286f8 RtlFreeHeap 59276->59277 59279 9d31145 59277->59279 59278 9d310ea FindNextFileW 59278->59281 59280 9d30e08 RtlAllocateHeap 59280->59281 59281->59273 59281->59275 59281->59276 59281->59278 59281->59280 
59283 9d2e130 59281->59283 59302 9d30da4 59281->59302 59306 9d30bac 59281->59306 59284 9d2e14c 59283->59284 59299 9d2e147 59283->59299 59337 9d28794 59284->59337 59287 9d2e164 GetFileAttributesW 59288 9d2e174 59287->59288 59289 9d2e1d2 59288->59289 59290 9d2e1b9 59288->59290 59292 9d2e1da 59289->59292 59293 9d2e1e9 GetFileAttributesW 59289->59293 59291 9d2e220 5 API calls 59290->59291 59294 9d2e1c1 59291->59294 59341 9d2e220 CreateFileW 59292->59341 59296 9d2e202 CopyFileW 59293->59296 59297 9d2e1f6 59293->59297 59298 9d286f8 RtlFreeHeap 59294->59298 59301 9d286f8 RtlFreeHeap 59296->59301 59300 9d286f8 RtlFreeHeap 59297->59300 59298->59299 59299->59281 59300->59292 59301->59299 59303 9d30dbc 59302->59303 59304 9d286d0 RtlAllocateHeap 59303->59304 59305 9d30dd2 59303->59305 59304->59305 59305->59281 59307 9d30d95 59306->59307 59308 9d30bcd 59306->59308 59307->59281 59352 9d30308 59308->59352 59311 9d30d8d 59312 9d286f8 RtlFreeHeap 59311->59312 59312->59307 59314 9d30be5 59314->59311 59315 9d30bf9 59314->59315 59316 9d30c0c 59314->59316 59385 9d30840 RtlAllocateHeap 59315->59385 59386 9d30924 RtlAllocateHeap 59316->59386 59319 9d30c07 59319->59311 59320 9d30c27 MoveFileExW 59319->59320 59321 9d30c74 59319->59321 59323 9d286f8 RtlFreeHeap 59319->59323 59326 9d30c39 59319->59326 59387 9d30924 RtlAllocateHeap 59319->59387 59320->59319 59320->59326 59324 9d286f8 RtlFreeHeap 59321->59324 59322 9d30c91 CreateFileW 59325 9d30cba 59322->59325 59333 9d30cb5 59322->59333 59323->59319 59324->59326 59365 9d30970 59325->59365 59326->59322 59326->59333 59327 9d286f8 RtlFreeHeap 59327->59311 59331 9d30ce3 CreateIoCompletionPort 59332 9d30cfa 59331->59332 59335 9d30d1c 59331->59335 59334 9d286f8 RtlFreeHeap 59332->59334 59333->59311 59333->59327 59334->59333 59335->59333 59336 9d286f8 RtlFreeHeap 59335->59336 59336->59333 59338 9d287aa 59337->59338 59339 9d287c1 59338->59339 59340 9d286d0 RtlAllocateHeap 59338->59340 59339->59287 59339->59299 59340->59339 59342 9d2e381 59341->59342 
59343 9d2e251 59341->59343 59342->59299 59344 9d2e289 WriteFile 59343->59344 59345 9d2e2c0 WriteFile 59344->59345 59346 9d2e2ae 59344->59346 59347 9d2e2e7 59345->59347 59348 9d2e2f9 WriteFile 59345->59348 59346->59299 59347->59299 59349 9d2e330 WriteFile 59348->59349 59350 9d2e31e 59348->59350 59349->59343 59351 9d2e357 59349->59351 59350->59299 59351->59299 59353 9d30321 SetFileAttributesW CreateFileW 59352->59353 59355 9d30367 59353->59355 59356 9d3034f 59353->59356 59354 9d2fda0 RtlAllocateHeap RtlFreeHeap NtTerminateProcess 59354->59356 59355->59311 59357 9d303b8 SetFileAttributesW CreateFileW 59355->59357 59356->59353 59356->59354 59356->59355 59358 9d303f8 SetFilePointerEx 59357->59358 59359 9d30464 59357->59359 59358->59359 59360 9d30417 ReadFile 59358->59360 59359->59314 59360->59359 59361 9d30436 59360->59361 59362 9d302ac RtlAllocateHeap 59361->59362 59363 9d30447 59362->59363 59363->59359 59364 9d286f8 RtlFreeHeap 59363->59364 59364->59359 59366 9d309a0 59365->59366 59367 9d309d1 59366->59367 59369 9d30214 RtlAllocateHeap RtlFreeHeap 59366->59369 59368 9d286d0 RtlAllocateHeap 59367->59368 59376 9d309dd 59368->59376 59369->59367 59370 9d30b77 59372 9d30b85 59370->59372 59373 9d286f8 RtlFreeHeap 59370->59373 59371 9d286f8 RtlFreeHeap 59371->59370 59374 9d30b93 59372->59374 59375 9d286f8 RtlFreeHeap 59372->59375 59373->59372 59374->59331 59374->59333 59375->59374 59377 9d286d0 RtlAllocateHeap 59376->59377 59384 9d30b24 59376->59384 59378 9d30a3a 59377->59378 59379 9d286d0 RtlAllocateHeap 59378->59379 59378->59384 59380 9d30a69 59379->59380 59381 9d286d0 RtlAllocateHeap 59380->59381 59380->59384 59382 9d30b1b 59381->59382 59383 9d286f8 RtlFreeHeap 59382->59383 59382->59384 59383->59384 59384->59370 59384->59371 59385->59319 59386->59319 59387->59319 59388->59111 59389->59126 59391 9d3270b 59390->59391 59392 9d3281a RegCreateKeyExW 59391->59392 59395 9d32758 59391->59395 59393 9d32847 59392->59393 59392->59395 59394 9d328c2 RegDeleteKeyExW 59393->59394 
59393->59395 59394->59395 59395->59135 59397 9d28b23 59396->59397 59398 9d28b3a NtQueryInformationToken 59396->59398 59397->59398 59399 9d28b35 59397->59399 59398->59399 59400 9d28b8c 59399->59400 59401 9d286f8 RtlFreeHeap 59399->59401 59400->59154 59401->59400 59403 9d286d0 RtlAllocateHeap 59402->59403 59404 9d28c65 59403->59404 59404->59142 59405->59165 59407 9d2d4fc 59406->59407 59408 9d286d0 RtlAllocateHeap 59407->59408 59409 9d2d51d 59408->59409 59409->59181 59431 9d2b5d0 59410->59431 59412 9d2adb8 59413 9d2ae28 59412->59413 59416 9d2adcf NtSetInformationThread 59412->59416 59414 9d2ae4d 59413->59414 59444 9d2ace4 RtlAllocateHeap RtlFreeHeap NtQuerySystemInformation 59413->59444 59416->59413 59417 9d2ade3 59416->59417 59441 9d2abe0 OpenSCManagerW 59417->59441 59419 9d2adf8 59419->59413 59443 9d2aa18 RtlAllocateHeap RtlFreeHeap 59419->59443 59445 9d2afe0 59421->59445 59430 9d29c84 59426->59430 59427 9d286d0 RtlAllocateHeap 59427->59430 59428 9d29c96 NtQuerySystemInformation 59428->59430 59429 9d286f8 RtlFreeHeap 59429->59430 59430->59427 59430->59428 59430->59429 59432 9d286d0 RtlAllocateHeap 59431->59432 59434 9d2b5ee 59432->59434 59433 9d2b5f1 NtQuerySystemInformation 59433->59434 59438 9d2b607 59433->59438 59434->59433 59435 9d2b624 59434->59435 59436 9d286f8 RtlFreeHeap 59435->59436 59437 9d2b62c 59436->59437 59437->59412 59439 9d286f8 RtlFreeHeap 59438->59439 59440 9d2b66a 59439->59440 59440->59412 59442 9d2ac14 59441->59442 59442->59419 59443->59413 59444->59414 59446 9d2b0c1 59445->59446 59447 9d2b285 RegCreateKeyExW 59446->59447 59448 9d2b2df RegCreateKeyExW 59447->59448 59455 9d2b2b9 59447->59455 59450 9d2b3d4 59448->59450 59451 9d2b3fa 59448->59451 59450->59451 59456 9d2b3fc OpenEventLogW 59450->59456 59460 9d2aed4 59451->59460 59452 9d2b2e4 RegCreateKeyExW 59453 9d2b312 RegSetValueExW 59452->59453 59452->59455 59454 9d2b334 RegSetValueExW 59453->59454 59453->59455 59454->59455 59457 9d2b352 OpenEventLogW 59454->59457 59455->59448 59455->59452 
59456->59450 59458 9d2b414 ClearEventLogW 59456->59458 59457->59455 59459 9d2b36a ClearEventLogW 59457->59459 59458->59450 59459->59455 59467 9d2ae54 RtlAdjustPrivilege 59460->59467 59462 9d2afac 59463 9d2afc4 CloseServiceHandle 59462->59463 59464 9d2afcd 59462->59464 59463->59464 59465 9d2aeed 59465->59462 59470 9d2fbb8 59465->59470 59468 9d2b5d0 3 API calls 59467->59468 59469 9d2ae8c 59468->59469 59469->59465 59471 9d2fc12 59470->59471 59472 9d2fc2a 59471->59472 59473 9d2fc16 NtTerminateProcess 59471->59473 59472->59462 59473->59472 59475 9d28c54 RtlAllocateHeap 59474->59475 59476 9d28dd4 59475->59476 59477 9d290ab 59476->59477 59478 9d286d0 RtlAllocateHeap 59476->59478 59477->58878 59507 9d29edc 59477->59507 59482 9d28df1 59478->59482 59479 9d290a3 59480 9d286f8 RtlFreeHeap 59479->59480 59480->59477 59481 9d286f8 RtlFreeHeap 59481->59479 59482->59479 59483 9d28e74 59482->59483 59485 9d286d0 RtlAllocateHeap 59482->59485 59506 9d29095 59482->59506 59484 9d28ea7 59483->59484 59487 9d286d0 RtlAllocateHeap 59483->59487 59486 9d28eda 59484->59486 59489 9d286d0 RtlAllocateHeap 59484->59489 59485->59483 59488 9d28f0d 59486->59488 59490 9d286d0 RtlAllocateHeap 59486->59490 59487->59484 59491 9d286d0 RtlAllocateHeap 59488->59491 59492 9d28f40 59488->59492 59489->59486 59490->59488 59491->59492 59493 9d286d0 RtlAllocateHeap 59492->59493 59494 9d28f73 59492->59494 59493->59494 59495 9d286d0 RtlAllocateHeap 59494->59495 59496 9d28fa6 59494->59496 59495->59496 59497 9d286d0 RtlAllocateHeap 59496->59497 59498 9d28fdd 59496->59498 59497->59498 59499 9d286d0 RtlAllocateHeap 59498->59499 59498->59506 59500 9d29018 59499->59500 59500->59506 59553 9d28d58 RtlAllocateHeap RtlFreeHeap 59500->59553 59502 9d29040 59503 9d286d0 RtlAllocateHeap 59502->59503 59504 9d2905f 59503->59504 59505 9d286f8 RtlFreeHeap 59504->59505 59504->59506 59505->59506 59506->59481 59508 9d29ef1 NtQueryDefaultUILanguage 59507->59508 59509 9d29f17 59508->59509 59509->58878 59511 9d286d0 RtlAllocateHeap 
59510->59511 59512 9d28bc1 59511->59512 59512->58876 59514 9d286d0 RtlAllocateHeap 59513->59514 59515 9d2db29 59514->59515 59515->58882 59517 9d2d089 59516->59517 59518 9d2d090 RtlAdjustPrivilege 59517->59518 59519 9d2b85e 59517->59519 59518->59517 59519->58886 59521 9d2cfff 59520->59521 59522 9d2d003 NtQueryInformationToken 59521->59522 59523 9d2b868 59521->59523 59522->59523 59523->58891 59524 9d2cdb8 59523->59524 59525 9d2b5d0 3 API calls 59524->59525 59526 9d2cdd5 59525->59526 59526->58897 59528 9d2b8f8 59527->59528 59529 9d2e3ac 59527->59529 59528->58898 59530 9d28c54 RtlAllocateHeap 59529->59530 59531 9d2e3bd 59530->59531 59531->59528 59532 9d286d0 RtlAllocateHeap 59531->59532 59536 9d2e3d9 59532->59536 59533 9d2e5d9 59534 9d286f8 RtlFreeHeap 59533->59534 59534->59528 59535 9d286f8 RtlFreeHeap 59535->59533 59536->59533 59537 9d2e42d CreateFileW 59536->59537 59542 9d2e5c1 59536->59542 59538 9d2e481 WriteFile 59537->59538 59537->59542 59539 9d2e49c RegCreateKeyExW 59538->59539 59538->59542 59540 9d2e4c5 RegSetValueExW 59539->59540 59539->59542 59540->59542 59543 9d2e4f7 RegCreateKeyExW 59540->59543 59542->59535 59543->59542 59545 9d2e572 RegSetValueExW 59543->59545 59545->59542 59547 9d2e5a6 SHChangeNotify 59545->59547 59547->59542 59548->58881 59549->58874 59550->58891 59551->58896 59552->58892 59553->59502

Control-flow Graph

• Executed
• Not Executed
                                                                                                              control_flow_graph 0 9d2d660-9d2d714 call 9d28c54 7 9d2d716 0->7 8 9d2d71b-9d2d734 call 9d286d0 0->8 9 9d2da94-9d2da9b 7->9 16 9d2d736 8->16 17 9d2d73b-9d2d74e call 9d33ec4 8->17 11 9d2daa9-9d2dab0 9->11 12 9d2da9d 9->12 14 9d2dab2 11->14 15 9d2dabe-9d2dac2 11->15 12->11 14->15 19 9d2dac4 15->19 20 9d2dacd-9d2dad1 15->20 16->9 26 9d2d750 17->26 27 9d2d755-9d2d765 call 9d2d4e4 17->27 19->20 22 9d2dad3-9d2dad6 call 9d286f8 20->22 23 9d2dadb-9d2dadf 20->23 22->23 24 9d2dae1-9d2dae4 call 9d286f8 23->24 25 9d2dae9-9d2daed 23->25 24->25 30 9d2daf7-9d2dafb 25->30 31 9d2daef-9d2daf2 call 9d286f8 25->31 26->9 38 9d2d767 27->38 39 9d2d76c-9d2d7bd GetTempFileNameW CreateFileW 27->39 34 9d2db05-9d2db0b 30->34 35 9d2dafd-9d2db00 call 9d286f8 30->35 31->30 35->34 38->9 41 9d2d7c4-9d2d7d9 WriteFile 39->41 42 9d2d7bf 39->42 43 9d2d7e0-9d2d7f9 41->43 44 9d2d7db 41->44 42->9 46 9d2d7fb-9d2d800 43->46 44->9 47 9d2d802-9d2d843 CreateProcessW 46->47 48 9d2d804-9d2d806 46->48 50 9d2d845 47->50 51 9d2d84a-9d2d867 NtQueryInformationProcess 47->51 48->46 50->9 52 9d2d869 51->52 53 9d2d86e-9d2d88e 51->53 52->9 55 9d2d890 53->55 56 9d2d895-9d2d8a6 call 9d28c54 53->56 55->9 59 9d2d8a8 56->59 60 9d2d8ad-9d2d928 call 9d36410 call 9d362e8 call 9d363bc NtProtectVirtualMemory 56->60 59->9 67 9d2d92a 60->67 68 9d2d92f-9d2d942 NtWriteVirtualMemory 60->68 67->9 69 9d2d944 68->69 70 9d2d949-9d2d9a5 68->70 69->9 72 9d2d9a7 70->72 73 9d2d9ac-9d2d9cd NtDuplicateObject 70->73 72->9 74 9d2d9d4-9d2da3c CreateNamedPipeW 73->74 75 9d2d9cf 73->75 76 9d2da40-9d2da59 ResumeThread ConnectNamedPipe 74->76 77 9d2da3e 74->77 75->9 78 9d2da6a-9d2da87 76->78 79 9d2da5b-9d2da66 76->79 77->9 82 9d2da8b 78->82 83 9d2da89 78->83 79->78 80 9d2da68 79->80 80->9 82->9 83->9
Strings
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID: D
• API String ID: 0-2746444292
• Opcode ID: 23e614ae1e4895fa6e328d9f2b09140842c0ad22db6ba13de2e5f71c26188900
• Instruction ID: 14c0624b6bbcb1314edd375406533c4c9f4425aa1bea78ac1865b2524195b616
• Opcode Fuzzy Hash: 23e614ae1e4895fa6e328d9f2b09140842c0ad22db6ba13de2e5f71c26188900
• Instruction Fuzzy Hash: 1BE12971984229EFDF20DF90CC49FEDBBB9AB18309F1080A5E209B65D0D7759A84CF65

Control-flow Graph (rendered graph omitted)

APIs
• RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000,?,00000007,?,00000004,?,00000019,?), ref: 09D2B2AB
• RegCreateKeyExW.KERNEL32(00000000,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000), ref: 09D2B308
• RegSetValueExW.KERNEL32(00000000,?,00000000,00000004,00000000,00000004), ref: 09D2B32A
• RegSetValueExW.KERNEL32(00000000,?,00000000,00000001,?,00000064), ref: 09D2B348
• OpenEventLogW.ADVAPI32(00000000,?), ref: 09D2B35B
• ClearEventLogW.ADVAPI32(00000000,00000000), ref: 09D2B36F
• RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000), ref: 09D2B3CA
• OpenEventLogW.ADVAPI32(00000000,?), ref: 09D2B405
• ClearEventLogW.ADVAPI32(00000000,00000000), ref: 09D2B419
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: Event$Create$ClearOpenValue
• String ID:
• API String ID: 4090462516-0
• Opcode ID: 3dc7ace9de83d27e94890a860357e56c732afb181ae0f0e39eba30b0c116c1bf
• Instruction ID: c422b5661ff1778246c3f35ab42a8c432feb6963f6a323614cab2a5d6faa9761
• Opcode Fuzzy Hash: 3dc7ace9de83d27e94890a860357e56c732afb181ae0f0e39eba30b0c116c1bf
• Instruction Fuzzy Hash: 6CC107B0440B14DFEB50DF91D989FA8BF78FB04305F128099E6186F6A2E3768984CF51

Control-flow Graph (rendered graph omitted)

APIs
  • Part of subcall function 09D286D0: RtlAllocateHeap.NTDLL(?,00000008,?,?,09D2B5EE,00000400), ref: 09D286EC
• FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 09D29543
• GetFileAttributesW.KERNELBASE(00000000), ref: 09D295D6
• DeleteFileW.KERNEL32(00000000), ref: 09D29621
• FindNextFileW.KERNELBASE(000000FF,?), ref: 09D29640
Strings
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: File$Find$AllocateAttributesDeleteFirstHeapNext
• String ID: *
• API String ID: 2270753430-163128923
• Opcode ID: 998b2d82ff024e8b89256f4b85b24b9db40de01e9da305430812fde6f9f879c8
• Instruction ID: 4d042ab4b1d3e6d9fd0ba49ee69aac0f58697077bf9b8d391164916f36e429e2
• Opcode Fuzzy Hash: 998b2d82ff024e8b89256f4b85b24b9db40de01e9da305430812fde6f9f879c8
• Instruction Fuzzy Hash: 74415A70880128EBDF115F94DD48BAEBBB5FF2038BF008570F415A15A0D7768A64DF66

Control-flow Graph (rendered graph omitted)

APIs
• FindFirstFileW.KERNEL32(?,?,?,00000004), ref: 09D27B93
• FindClose.KERNEL32(000000FF,?,00000000), ref: 09D27BB8
• FindNextFileW.KERNELBASE(000000FF,?,?,00000000), ref: 09D27BDD
• FindClose.KERNEL32(000000FF), ref: 09D27BEA
Strings
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: 0vi}
• API String ID: 1164774033-463007280
• Opcode ID: dcb63bde38ba29a7620d4b9bdd910e5b861af6439610a18f1a1b662212e23678
• Instruction ID: 65735072892ff1a7e867a45183b09714942e4975b4454aecf33c8789eedd69f3
• Opcode Fuzzy Hash: dcb63bde38ba29a7620d4b9bdd910e5b861af6439610a18f1a1b662212e23678
• Instruction Fuzzy Hash: C34186708C0364DFEB30EFA0D885BA97B75EB1131AF10D0A5F5099B690D7759984CF62

Control-flow Graph (rendered graph omitted)

                                                                                                              APIs
                                                                                                              • SetThreadPriority.KERNEL32(000000FE,00000002), ref: 09D30F55
                                                                                                              • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,09D3DF10,003D0900), ref: 09D30FC2
                                                                                                              • FindNextFileW.KERNELBASE(000000FF,?), ref: 09D310F4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FileFind$FirstNextPriorityThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 247853790-0
                                                                                                              • Opcode ID: f2a5041863bbce94da3639bf1d4e17b3314c3a468f5f2a08eb722c02374779c1
                                                                                                              • Instruction ID: 1166dc8d9453ee6b4bc1f934c8d496f4ca2f5c4343fd89d486d36fc6109597bd
                                                                                                              • Opcode Fuzzy Hash: f2a5041863bbce94da3639bf1d4e17b3314c3a468f5f2a08eb722c02374779c1
                                                                                                              • Instruction Fuzzy Hash: 12517F3088C25AEBDF20AF90CE45BAD7B75EF14387F94D161E415729E0C7718A81DB61
                                                                                                              APIs
                                                                                                              • NtSetInformationProcess.NTDLL(000000FF,00000021,00000000,00000004,00000004,?,09D323C9), ref: 09D2D0C5
                                                                                                              • NtSetInformationProcess.NTDLL(000000FF,00000012,00000000,00000002,?,09D323C9), ref: 09D2D0D7
                                                                                                              • NtSetInformationProcess.NTDLL(000000FF,0000000C,00000000,00000004,?,09D323C9), ref: 09D2D0EC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: InformationProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 1801817001-0
                                                                                                              • Opcode ID: 92273c96ade16a371936bbcd54f2105ee7cb67538f347f1ebef21950efc45069
                                                                                                              • Instruction ID: 7bd9e9538c9410db623f6ed427e8bd760dcfd4127fe6f502f24ca207a99e6fb9
                                                                                                              • Opcode Fuzzy Hash: 92273c96ade16a371936bbcd54f2105ee7cb67538f347f1ebef21950efc45069
                                                                                                              • Instruction Fuzzy Hash: 2BF0F8B1280264ABEB21AB94DDC9F6537AC9B1A721F508360B231DE1D5C6B08404C737
                                                                                                              APIs
                                                                                                              • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 09D2ADA2
                                                                                                                • Part of subcall function 09D2B5D0: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09D2B5FD
                                                                                                              • NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004,00000000,00000002,00000002,EBF9D5BF), ref: 09D2ADD9
                                                                                                                • Part of subcall function 09D2ABE0: OpenSCManagerW.SECHOST(00000000,00000000,00000001), ref: 09D2AC01
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Information$AdjustManagerOpenPrivilegeQuerySystemThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 1715806643-0
                                                                                                              • Opcode ID: af771d59bb2bb0476942fd64065ba74a19af5767c3808e4268224771af4dcd0d
                                                                                                              • Instruction ID: c05ddc21e41e367b885bd6e3d19fe3794bf263c079c2d0db7c175897cc4c89ae
                                                                                                              • Opcode Fuzzy Hash: af771d59bb2bb0476942fd64065ba74a19af5767c3808e4268224771af4dcd0d
                                                                                                              • Instruction Fuzzy Hash: 3A216230A80319BBEB10AFE0DC4DFAE7BB8DF14309F508194B514BA5D0E7B48A80C721
                                                                                                              APIs
                                                                                                              • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 09D2ADA2
                                                                                                                • Part of subcall function 09D2B5D0: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09D2B5FD
                                                                                                              • NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004,00000000,00000002,00000002,EBF9D5BF), ref: 09D2ADD9
                                                                                                                • Part of subcall function 09D2ABE0: OpenSCManagerW.SECHOST(00000000,00000000,00000001), ref: 09D2AC01
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Information$AdjustManagerOpenPrivilegeQuerySystemThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 1715806643-0
                                                                                                              • Opcode ID: a88ccfc2a274197f62d906a2175f262d0d59fcf98c4ac45a49a057863bfdda0e
                                                                                                              • Instruction ID: 437cc4d65fe5e2d61bc2c88978c9aefc0004dbdff3b4ef81a84613e9f470b19c
                                                                                                              • Opcode Fuzzy Hash: a88ccfc2a274197f62d906a2175f262d0d59fcf98c4ac45a49a057863bfdda0e
                                                                                                              • Instruction Fuzzy Hash: 2F214270A80319BBEB10AFE0DD4DFAE7BB8DF14709F508194B514BA5D0E7B48A84C761
                                                                                                              APIs
                                                                                                                • Part of subcall function 09D293E0: FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 09D2944F
                                                                                                              • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 09D2936F
                                                                                                              • FindNextFileW.KERNELBASE(000000FF,?), ref: 09D293C6
                                                                                                                • Part of subcall function 09D294BC: FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 09D29543
                                                                                                                • Part of subcall function 09D294BC: GetFileAttributesW.KERNELBASE(00000000), ref: 09D295D6
                                                                                                                • Part of subcall function 09D294BC: FindNextFileW.KERNELBASE(000000FF,?), ref: 09D29640
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: File$Find$First$Next$Attributes
• String ID:
• API String ID: 407996502-0

APIs
• NtQueryDefaultUILanguage.NTDLL(?), ref: 09D29EF8
Similarity
• API ID: DefaultLanguageQuery
• String ID:
• API String ID: 1532992581-0

APIs
  • Part of subcall function 09D286D0: RtlAllocateHeap.NTDLL(?,00000008,?,?,09D2B5EE,00000400), ref: 09D286EC
• NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09D29CA2
Similarity
• API ID: AllocateHeapInformationQuerySystem
• String ID:
• API String ID: 3114120137-0

APIs
• NtQueryInformationToken.NTDLL(00000000,00000001,?,00000028,?,?,?,?,?,00000000), ref: 09D28B47
Similarity
• API ID: InformationQueryToken
• String ID:
• API String ID: 4239771691-0

APIs
  • Part of subcall function 09D286D0: RtlAllocateHeap.NTDLL(?,00000008,?,?,09D2B5EE,00000400), ref: 09D286EC
• NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09D29CA2
Similarity
• API ID: AllocateHeapInformationQuerySystem
• String ID:
• API String ID: 3114120137-0

APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 09D2944F
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0

APIs
  • Part of subcall function 09D286D0: RtlAllocateHeap.NTDLL(?,00000008,?,?,09D2B5EE,00000400), ref: 09D286EC
• NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09D2B5FD
Similarity
• API ID: AllocateHeapInformationQuerySystem
• String ID:
• API String ID: 3114120137-0

APIs
• NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09D29CA2
Similarity
• API ID: InformationQuerySystem
• String ID:
• API String ID: 3562636166-0

APIs
• NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09D29CA2
Similarity
• API ID: InformationQuerySystem
• String ID:
• API String ID: 3562636166-0

APIs
• NtSetInformationThread.NTDLL(?,00000005,?,00000004), ref: 09D2CE54
Similarity
• API ID: InformationThread
• String ID:
• API String ID: 4046476035-0

APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000000,?), ref: 09D2790D
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0

APIs
• NtQueryInformationToken.NTDLL(?,00000001,?,0000002C,?), ref: 09D2D012
Similarity
• API ID: InformationQueryToken
• String ID:
• API String ID: 4239771691-0

APIs
• NtTerminateProcess.NTDLL(09D2AFAC,00000000), ref: 09D2FC1B
Similarity
• API ID: ProcessTerminate
• String ID:
• API String ID: 560597551-0

APIs
• GetLogicalDriveStringsW.KERNEL32(00000104,?), ref: 09D292CF
                                                                                                              Similarity
                                                                                                              • API ID: DriveLogicalStrings
                                                                                                              • String ID:
                                                                                                              • API String ID: 2022863570-0
                                                                                                              • Opcode ID: c748de56397c2ec9405d76cae062d017bd27c3a696a74911b61e14987939b9bb
                                                                                                              • Instruction ID: 4013cd0f5f2fc8ee1e14f48f52ece10ba32b1bbd56c8c8f0bc48a24b573bd5c8
                                                                                                              • Opcode Fuzzy Hash: c748de56397c2ec9405d76cae062d017bd27c3a696a74911b61e14987939b9bb
                                                                                                              • Instruction Fuzzy Hash: F8E02B3358073A57CF3069D46DD5AEBB31CDF15305F400150FE58D2940CF50A94685E2
                                                                                                              APIs
                                                                                                              • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09D2B5FD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: InformationQuerySystem
                                                                                                              • String ID:
                                                                                                              • API String ID: 3562636166-0
                                                                                                              • Opcode ID: 8d7ade9c61c69baa5752628571c4315b14f43cc70e4d17bca0f651e8b0a9d90d
                                                                                                              • Instruction ID: a77a4492321f7322b387ea644f5bbb695d0e5601c4947920cc135fef152ebe1f
                                                                                                              • Opcode Fuzzy Hash: 8d7ade9c61c69baa5752628571c4315b14f43cc70e4d17bca0f651e8b0a9d90d
                                                                                                              • Instruction Fuzzy Hash: 73F03031980128EBCF11DF94D980BACB774EB2638AF5480A3EA01AA550D3B5DA50DB11
                                                                                                              APIs
                                                                                                              • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09D2B5FD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: InformationQuerySystem
                                                                                                              • String ID:
                                                                                                              • API String ID: 3562636166-0
                                                                                                              • Opcode ID: 15862992e27a4171df731e7fc5fc02130fefc134ffe050ef6ab775cc0807233f
                                                                                                              • Instruction ID: a77a4492321f7322b387ea644f5bbb695d0e5601c4947920cc135fef152ebe1f
                                                                                                              • Opcode Fuzzy Hash: 15862992e27a4171df731e7fc5fc02130fefc134ffe050ef6ab775cc0807233f
                                                                                                              • Instruction Fuzzy Hash: 73F03031980128EBCF11DF94D980BACB774EB2638AF5480A3EA01AA550D3B5DA50DB11
                                                                                                              APIs
                                                                                                              • NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,09D301A7,00000000), ref: 09D28635
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: InformationThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 4046476035-0
                                                                                                              • Opcode ID: f136a37d53fb1eabf93d22e6aa53f6a60f435ff40ea2b8cce2f35714ff45817a
                                                                                                              • Instruction ID: 02b96564504aef79ee229a1d8bd7d201e6ce373fb3ef448fa4ed6ea3bebbcef9
                                                                                                              • Opcode Fuzzy Hash: f136a37d53fb1eabf93d22e6aa53f6a60f435ff40ea2b8cce2f35714ff45817a
                                                                                                              • Instruction Fuzzy Hash: 02D0A7725D020CAFE7109B50EC05FB6735CD315386F008134B107C64C0D7B0F450D664

                                                                                                              Control-flow Graph (interactive graph not reproduced; basic blocks 9d2a050-9d2a6d1, calling DrawTextW, CreateFileW, WriteFile, RegCreateKeyExW and RegSetValueExW)
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ($BM
                                                                                                              • API String ID: 0-2980357723
                                                                                                              • Opcode ID: 34ea9ede44a5591f7a886c28c1fade05887f8933fa97a2ad54beb4386f64a9bf
                                                                                                              • Instruction ID: 51b2104ad0976ae5833b6baaf79df2b8cd49b77553c66c384d2f27e0160d0ee4
                                                                                                              • Opcode Fuzzy Hash: 34ea9ede44a5591f7a886c28c1fade05887f8933fa97a2ad54beb4386f64a9bf
                                                                                                              • Instruction Fuzzy Hash: D9223771980618EFEB119F90CC49BADBB74FF1838AF108065E106BA6E0D7728944DF66

                                                                                                              Control-flow Graph (interactive graph not reproduced; basic blocks 9d2c034-9d2c2fd, calling the APIs listed below)
                                                                                                              APIs
                                                                                                              • GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000104), ref: 09D2C07E
                                                                                                              • FindFirstVolumeW.KERNEL32(?,00000104), ref: 09D2C0A7
                                                                                                              • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,00000040,00000000), ref: 09D2C0E2
                                                                                                              • GetDriveTypeW.KERNEL32(?), ref: 09D2C105
                                                                                                              • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?), ref: 09D2C1B8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Volume$Name$CreateDriveFileFindFirstMountNamesPathPointType
                                                                                                              • String ID: '
                                                                                                              • API String ID: 2925825261-1997036262
                                                                                                              • Opcode ID: ec893788072a2ff103dac47f19b533515cfdd93ba19282d2872eee56a793eb88
                                                                                                              • Instruction ID: 775a25f3e09afbd475a597b03dcfe57d6f9759419cb8eda8d5c4ee36bf82ddd0
                                                                                                              • Opcode Fuzzy Hash: ec893788072a2ff103dac47f19b533515cfdd93ba19282d2872eee56a793eb88
                                                                                                              • Instruction Fuzzy Hash: 0271B430890264EFDB319BB0DC09B9E7B78AF1271AF00C1D5F585A65D0DBB45A84CFA6

                                                                                                              Control-flow Graph (interactive graph not reproduced; basic blocks 9d2e38c-9d2e5e8, calling the APIs listed below)
                                                                                                              APIs
                                                                                                                • Part of subcall function 09D286D0: RtlAllocateHeap.NTDLL(?,00000008,?,?,09D2B5EE,00000400), ref: 09D286EC
                                                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 09D2E46E
                                                                                                              • WriteFile.KERNEL32(000000FF,00000000,000000FF,?,00000000), ref: 09D2E48E
                                                                                                              • RegCreateKeyExW.KERNEL32(80000000,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 09D2E4B7
                                                                                                              • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,?,00000000), ref: 09D2E4E9
                                                                                                              • RegCreateKeyExW.KERNEL32(80000000,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 09D2E568
                                                                                                              • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,?,00000000), ref: 09D2E59C
                                                                                                              • SHChangeNotify.SHELL32(08000000,00001000,00000000,00000000), ref: 09D2E5B4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Create$FileValue$AllocateChangeHeapNotifyWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 2786709897-0
                                                                                                              • Opcode ID: dfe6ec19b4be89474852393553883dfd6bdc56253b2fbdd728287e26eb6301d0
                                                                                                              • Instruction ID: 2c28b0ba1ea2851c73b64813203b26815cb5306be998dbdd0f15976a9485ab0d
                                                                                                              • Opcode Fuzzy Hash: dfe6ec19b4be89474852393553883dfd6bdc56253b2fbdd728287e26eb6301d0
                                                                                                              • Instruction Fuzzy Hash: B9519271A80219BFEB109FA0DC49FEE7B79FB14706F108124F605AA1C0E7B1A654CBB5

                                                                                                              Control-flow Graph (interactive graph not reproduced; basic blocks 9d2e220-9d2e387, calling CreateFileW and WriteFile as listed below)
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,00000000), ref: 09D2E23E
                                                                                                              • WriteFile.KERNEL32(000000FF,?,00000001,00000000,00000000,09D3F000,?,?,?,00000000), ref: 09D2E29F
                                                                                                              • WriteFile.KERNEL32(000000FF,?,00000001,00000000,00000000,?,?,00000000), ref: 09D2E2D8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$Write$Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 1602526932-0
                                                                                                              • Opcode ID: e278520cc9a38ca440079686aa7324a3d2e00f9590ae77a0a590b2caf7ff9c6b
                                                                                                              • Instruction ID: 6cc6a3f82d548f2d3380623fa0724e09176a34323a274ca4ce41f1a69f28da83
                                                                                                              • Opcode Fuzzy Hash: e278520cc9a38ca440079686aa7324a3d2e00f9590ae77a0a590b2caf7ff9c6b
                                                                                                              • Instruction Fuzzy Hash: 37415D31A4014DEFDB00DBD4E845FEEFB7AEB58322F5081A6E604E2291D3714A54DBA2

                                                                                                              Control-flow Graph (interactive graph not reproduced; basic blocks 9d2fdd0-9d3013c, calling SetThreadPriority, ReadFile and WriteFile)
                                                                                                              APIs
                                                                                                              • SetThreadPriority.KERNEL32(000000FE,00000002), ref: 09D2FDE1
                                                                                                              • ReadFile.KERNEL32(?,?,?,?,?), ref: 09D2FE73
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FilePriorityReadThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 3643687941-0
                                                                                                              • Opcode ID: a91f33e5b7048a8c536c274c967447c1b7ee95bd5aff0a28dc9987e612cf45b5
                                                                                                              • Instruction ID: 37dc486430a4090688cad50f5ab62845cec925fc69b975bced296b81f78d58df
                                                                                                              • Opcode Fuzzy Hash: a91f33e5b7048a8c536c274c967447c1b7ee95bd5aff0a28dc9987e612cf45b5
                                                                                                              • Instruction Fuzzy Hash: 84A1BD71580245EFEF228F44C9C8FA637BCFB1835AF108662F919CA986D770D644CB62

                                                                                                              Control-flow Graph
                                                                                                              [Rendered control-flow graph omitted; executed/not-executed block colouring is not recoverable. Function entry block: 9d322e0. Blocks in the graph call CreateThread (three sites) and ExitProcess, and internal subroutines including 9d2ce84, 9d28948, 9d292b8, 9d2967c, 9d29af4, 9d2c034, 9d2d0a8, 9d30144, 9d30214, 9d32134, 9d31ee8, 9d31838, 9d301cc, 9d2f994, 9d2a050, 9d3333c, 9d32e98, 9d325c4 and 9d2d660.]
                                                                                                              APIs
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000A440,00000000,00000000,00000000), ref: 09D32339
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00009D80,00000000,00000000,00000000), ref: 09D3235A
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00008C7C,00000000,00000000,00000000), ref: 09D323AD
                                                                                                              • ExitProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 09D32542
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateThread$ExitProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 3195946472-0
                                                                                                              • Opcode ID: 3e7e1a50108ae73f0ad7cfa451534ac181ec0f3087d606d7bf925fe9a9aea0e1
                                                                                                              • Instruction ID: cd7776ea20fb1549ca141b54c0e088d2d596d6cdb0699b86743bf295ba553ce0
                                                                                                              • Opcode Fuzzy Hash: 3e7e1a50108ae73f0ad7cfa451534ac181ec0f3087d606d7bf925fe9a9aea0e1
                                                                                                              • Instruction Fuzzy Hash: 3C61AC709C8294AEEB216BB0DC09BAC7F61AB29317F54C164F26176AD1C7F45580CB36

                                                                                                              Control-flow Graph
                                                                                                              [Rendered control-flow graph omitted; executed/not-executed block colouring is not recoverable. Function entry block: 9d303b8. Blocks in the graph call SetFileAttributesW, CreateFileW, SetFilePointerEx and ReadFile, and the internal subroutines 9d302ac and 9d286f8.]
                                                                                                              APIs
                                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?), ref: 09D303D1
                                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 09D303E9
                                                                                                              • SetFilePointerEx.KERNEL32(000000FF,-00000084,00000000,00000000,00000002), ref: 09D3040D
                                                                                                              • ReadFile.KERNEL32(000000FF,?,00000084,?,00000000), ref: 09D3042C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$AttributesCreatePointerRead
                                                                                                              • String ID:
                                                                                                              • API String ID: 4170910816-0
                                                                                                              • Opcode ID: 2a48878bc691ca75bee5c39ae9e00e6837aab8ab7a769cc3530594be9f7fd6be
                                                                                                              • Instruction ID: 1369ee68e3b71488816640609711c5710eaa05da218a7a653b9a3e24afdda938
                                                                                                              • Opcode Fuzzy Hash: 2a48878bc691ca75bee5c39ae9e00e6837aab8ab7a769cc3530594be9f7fd6be
                                                                                                              • Instruction Fuzzy Hash: D1114F30A80309FBEF209FA4DC45FA97BB9FB04702F50C064B604A75D1DBB19A54CB25

                                                                                                              Control-flow Graph
                                                                                                              [Rendered control-flow graph omitted; executed/not-executed block colouring is not recoverable. Function entry block: 9d2967c. Blocks in the graph call CoSetProxyBlanket and CoUninitialize, the internal subroutine 9d21190 (ten call sites) and 9d28cc0.]
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Uninitialize
                                                                                                              • String ID: @
                                                                                                              • API String ID: 3861434553-2766056989
                                                                                                              • Opcode ID: 3dd6883eed583881d94f7dc9d3c3a21fffc1792a756bb450a00ec9978571a79e
                                                                                                              • Instruction ID: 293d2e42bbf96a6ddc3b79a490aa8a780f3c6ae803610f2120dd0ae91fd02973
                                                                                                              • Opcode Fuzzy Hash: 3dd6883eed583881d94f7dc9d3c3a21fffc1792a756bb450a00ec9978571a79e
                                                                                                              • Instruction Fuzzy Hash: 6AD101B0940219EFEB10DF90C989FAABB78FF04314F11C195E518AB2A1D771DA85CFA0

                                                                                                              Control-flow Graph
                                                                                                              [Rendered control-flow graph omitted; executed/not-executed block colouring is not recoverable. Function entry block: 9d30bac. Blocks in the graph call MoveFileExW, CreateFileW and CreateIoCompletionPort, and the internal subroutines 9d30308, 9d303b8, 9d30818, 9d30840, 9d30924, 9d30970 and 9d286f8.]
                                                                                                              APIs
                                                                                                                • Part of subcall function 09D30308: SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,?,?,?), ref: 09D30329
                                                                                                                • Part of subcall function 09D30308: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?), ref: 09D30341
                                                                                                                • Part of subcall function 09D303B8: SetFileAttributesW.KERNEL32(00000000,00000080,?), ref: 09D303D1
                                                                                                                • Part of subcall function 09D303B8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 09D303E9
                                                                                                                • Part of subcall function 09D303B8: SetFilePointerEx.KERNEL32(000000FF,-00000084,00000000,00000000,00000002), ref: 09D3040D
                                                                                                                • Part of subcall function 09D303B8: ReadFile.KERNEL32(000000FF,?,00000084,?,00000000), ref: 09D3042C
                                                                                                              • MoveFileExW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,00000000,?,00000000,?), ref: 09D30C2F
                                                                                                              • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000,?), ref: 09D30CF0
                                                                                                              • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,48000000,00000000,00000000,?,00000000,?), ref: 09D30CA6
                                                                                                                • Part of subcall function 09D286F8: RtlFreeHeap.NTDLL(?,00000000,00000000,?,09D300CF,?,?,00000000,?), ref: 09D28714
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$Create$Attributes$CompletionFreeHeapMovePointerPortRead
                                                                                                              • String ID:
                                                                                                              • API String ID: 97630321-0
                                                                                                              • Opcode ID: 52cf39ded3b1f1ee6ee9201573911d8f7cc6ff1dbea2b30bc0e647262d808236
                                                                                                              • Instruction ID: b0f2e1ad5641a0b34b0f1ff7d69d542af826b9d413bab5401b508cef4687e10e
                                                                                                              • Opcode Fuzzy Hash: 52cf39ded3b1f1ee6ee9201573911d8f7cc6ff1dbea2b30bc0e647262d808236
                                                                                                              • Instruction Fuzzy Hash: 595144309C0248FBEF216FA0EC08B9D7BB9EB04787F94C164B519699E0C7B59690DF25

                                                                                                              Control-flow Graph
                                                                                                              [Rendered control-flow graph omitted; executed/not-executed block colouring is not recoverable. Function entry block: 9d2e130. Blocks in the graph call GetFileAttributesW (two sites) and CopyFileW, and the internal subroutines 9d28794, 9d216bc, 9d2e220 and 9d286f8.]
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 07eb82af358b7b1a152692e65255a0301a38e809faf342411050559b79673dee
                                                                                                              • Instruction ID: 56016ab07946a5df53cad4329228eda729e97b8caf50c48c9b3f374e83fba4a8
                                                                                                              • Opcode Fuzzy Hash: 07eb82af358b7b1a152692e65255a0301a38e809faf342411050559b79673dee
                                                                                                              • Instruction Fuzzy Hash: 52212730884168EFCF02AF94D945B9C7B72EF2535AF20C1A0F446659A1C7724F60AB22
                                                                                                              APIs
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,09D2BE00,?,00000004,00000000,?,?,?,?,00000000), ref: 09D2BE4E
                                                                                                              • ResumeThread.KERNEL32(00000000,?,?,?,?,00000000), ref: 09D2BE97
                                                                                                              • GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,?,00000000), ref: 09D2BEAF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Thread$CodeCreateExitResume
                                                                                                              • String ID:
                                                                                                              • API String ID: 4070214711-0
                                                                                                              • Opcode ID: ac17ab379dce4d4a7f1e955343cf1fdea12eae5573cf1644accc47bd08a42e3d
                                                                                                              • Instruction ID: f51c014ce5e0f0cea14bbe7fcedcae8e505250d36729a23c163421dc54fba595
                                                                                                              • Opcode Fuzzy Hash: ac17ab379dce4d4a7f1e955343cf1fdea12eae5573cf1644accc47bd08a42e3d
                                                                                                              • Instruction Fuzzy Hash: F5215E35944208FFDF10DF94ED09BDDBB74FB48326F208166F604A2290D7715A14DB61
                                                                                                              APIs
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000AB24,?,00000004,00000000,00000000,00000000,?,?,00000000), ref: 09D2BB5D
                                                                                                              • ResumeThread.KERNEL32(00000000,?,?,00000000), ref: 09D2BBA6
                                                                                                              • GetExitCodeThread.KERNEL32(00000000,00000000,?,?,00000000), ref: 09D2BBBE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Thread$CodeCreateExitResume
                                                                                                              • String ID:
                                                                                                              • API String ID: 4070214711-0
                                                                                                              • Opcode ID: 6d18c87246bbb22b3d913828d87b7ea91adfcbfc5f7f10f080386739fbfdf079
                                                                                                              • Instruction ID: 5b8560f1f33d63088865f09e052178836b9e7e47933959aa71ce5d30fb3c54b5
                                                                                                              • Opcode Fuzzy Hash: 6d18c87246bbb22b3d913828d87b7ea91adfcbfc5f7f10f080386739fbfdf079
                                                                                                              • Instruction Fuzzy Hash: FC116035584208FFEF109F94ED09BDDBB74EB58326F20C1A6F504A21E0D7715A54EB61
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: d2u$h-u$/u
                                                                                                              • API String ID: 0-758700059
                                                                                                              • Opcode ID: a53ae3378941f03a7cc3f77d1ba89173ef434d86b8a415807502be411dc216f3
                                                                                                              • Instruction ID: b7f20f0458dfe612bf2dcde4f6c4840fbf4e25e5599b8f31ef19ce1c71f342b2
                                                                                                              • Opcode Fuzzy Hash: a53ae3378941f03a7cc3f77d1ba89173ef434d86b8a415807502be411dc216f3
                                                                                                              • Instruction Fuzzy Hash: 3F621935A01209DFDB15DF98D484A9EFBB2FF88314F248159E806AB365D735ED82CB90
                                                                                                              APIs
                                                                                                              • RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,00020119,00000000,?,00000000), ref: 09D32839
                                                                                                              • RegDeleteKeyExW.KERNEL32(80000002,?,00000100,00000000,000000FF,00000000), ref: 09D328D5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateDelete
                                                                                                              • String ID:
                                                                                                              • API String ID: 2606249652-0
                                                                                                              APIs
                                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,?,?,?), ref: 09D30329
                                                                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?), ref: 09D30341
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$AttributesCreate
                                                                                                              • String ID:
                                                                                                              • API String ID: 415043291-0
                                                                                                              APIs
                                                                                                              • MoveFileExW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,00000000,?,00000000,?), ref: 09D30C2F
                                                                                                              • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,48000000,00000000,00000000,?,00000000,?), ref: 09D30CA6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$CreateMove
                                                                                                              • String ID:
                                                                                                              • API String ID: 3198096935-0
                                                                                                              APIs
                                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,?,?,?), ref: 09D30329
                                                                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?), ref: 09D30341
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: File$AttributesCreate
                                                                                                              • String ID:
                                                                                                              • API String ID: 415043291-0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1942448685.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d90000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: x.kk$-kk
                                                                                                              • API String ID: 0-3772182776
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1903405281.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7a10000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 84xl$84xl
                                                                                                              • API String ID: 0-1401467077
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1942882932.0000000009DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DD0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9dd0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 84xl$84xl
                                                                                                              • API String ID: 0-1401467077
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1903405281.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7a10000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: h2mk
                                                                                                              • API String ID: 0-4060781620
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 2422867632-0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              APIs
                                                                                                              • CreateMutexW.KERNEL32(0000000C,00000001,?), ref: 09D2BA3F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateMutex
                                                                                                              • String ID:
                                                                                                              • API String ID: 1964310414-0
                                                                                                              APIs
                                                                                                              • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,?,?,09D36480,?,00000001,?), ref: 09D281E5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 10892065-0
                                                                                                              APIs
                                                                                                              • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,?,?,09D36480,?,00000001,?), ref: 09D281E5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 10892065-0
                                                                                                              APIs
                                                                                                              • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,?,?,09D36480,?,00000001,?), ref: 09D281E5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 10892065-0
APIs
  • Part of subcall function 09D2AE54: RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 09D2AE76
• CloseServiceHandle.ADVAPI32(00000000), ref: 09D2AFC7
  • Part of subcall function 09D2FBB8: NtTerminateProcess.NTDLL(09D2AFAC,00000000), ref: 09D2FC1B
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: AdjustCloseHandlePrivilegeProcessServiceTerminate
• String ID:
• API String ID: 3176663195-0
APIs
• OpenSCManagerW.SECHOST(00000000,00000000,00000001), ref: 09D2AC01
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: ManagerOpen
• String ID:
• API String ID: 1889721586-0
APIs
• CreateThread.KERNEL32(00000000,00000000,Function_0000EDD0,00000000,00000000,00000000), ref: 09D30195
  • Part of subcall function 09D28614: NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,09D301A7,00000000), ref: 09D28635
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: Thread$CreateInformation
• String ID:
• API String ID: 425492364-0
APIs
• CreateMutexW.KERNEL32(0000000C,00000001,?), ref: 09D2BA3F
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
APIs
• RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 09D2AE76
  • Part of subcall function 09D2B5D0: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09D2B5FD
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: AdjustInformationPrivilegeQuerySystem
• String ID:
• API String ID: 4254901982-0
APIs
• RtlAdjustPrivilege.NTDLL(?,00000001,00000000,?), ref: 09D2D09B
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: AdjustPrivilege
• String ID:
• API String ID: 3260937286-0
APIs
• RtlAllocateHeap.NTDLL(?,00000008,?,?,09D2B5EE,00000400), ref: 09D286EC
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• RtlFreeHeap.NTDLL(?,00000000,00000000,?,09D300CF,?,?,00000000,?), ref: 09D28714
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
APIs
• GetLogicalDriveStringsW.KERNEL32(?,?), ref: 09D2BE0B
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: DriveLogicalStrings
• String ID:
• API String ID: 2022863570-0
APIs
• GetDriveTypeW.KERNEL32(?), ref: 09D2BB2A
Memory Dump Source
• Source File: 00000003.00000002.1941360811.0000000009D21000.00000020.00001000.00020000.00000000.sdmp, Offset: 09D21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9d21000_powershell.jbxd
Yara matches
Similarity
• API ID: DriveType
• String ID:
• API String ID: 338552980-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
Similarity
• API ID:
• String ID: t*u
• API String ID: 0-1085282689
Strings
Memory Dump Source
• Source File: 00000003.00000002.1903405281.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7a10000_powershell.jbxd
Similarity
• API ID:
• String ID: 84xl
• API String ID: 0-2489031827
Memory Dump Source
• Source File: 00000003.00000002.1903405281.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7a10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                              • Opcode ID: 52a8ad4ed8492d6c97b87c5f15b2ecefba50727037229442dbb1f12dcba5ad3d
                                                                                                              • Instruction ID: be5fc6e79fdded5ad0a41f5729e1bc4b2f85e54674b6e56ecc1ffc9c34086c86
                                                                                                              • Opcode Fuzzy Hash: 52a8ad4ed8492d6c97b87c5f15b2ecefba50727037229442dbb1f12dcba5ad3d
                                                                                                              • Instruction Fuzzy Hash: 7D620735A012099FDB14DF98D584AAEFBF2FF88314F248559E805AB365D731ED82CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2477aa8441a4f767630cbc037dd54f66331572d36539e613f94dee9af8fcdb50
                                                                                                              • Instruction ID: e6d5cfd42e7936e8ecfc98a55077eb1e7c7a99feb83b91d59971277154b1afd2
                                                                                                              • Opcode Fuzzy Hash: 2477aa8441a4f767630cbc037dd54f66331572d36539e613f94dee9af8fcdb50
                                                                                                              • Instruction Fuzzy Hash: 65527170F002459FDB15DF68D484BADBBF2AF89314F148299D845AB3A5DB35EC02CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1903405281.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7a10000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 36fd3437265fd1ac1ba8ad4e5fd7496250f4c61a078a47ef4220eace5eba3670
                                                                                                              • Instruction ID: 7ce644a51ce074410e37edc08ffb3e11aa1c09f179c514ec831a5bcae5f9d746
                                                                                                              • Opcode Fuzzy Hash: 36fd3437265fd1ac1ba8ad4e5fd7496250f4c61a078a47ef4220eace5eba3670
                                                                                                              • Instruction Fuzzy Hash: 01428EB0B002059FEB14DF98C850B6AB7B2BFC5304F14C1A9D9299F755CB72ED828B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 678854db98fa51861413b2fa214811ec86625d23ccb7170e6e24c0a90642fcfa
                                                                                                              • Instruction ID: 75824a0960f7511ecc781247ef21e59e95014456e44844846c391d760b64498f
                                                                                                              • Opcode Fuzzy Hash: 678854db98fa51861413b2fa214811ec86625d23ccb7170e6e24c0a90642fcfa
                                                                                                              • Instruction Fuzzy Hash: CCF13E35A01249DFDB15CFA8D884A9DBBB2FF89310F248559E805AB355D731EC82CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1942636062.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9db0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9c25c60035fb481b6860013c2bcd6eadbf59776beb3430c19b59ff3111ee39ed
                                                                                                              • Instruction ID: 7fc23c69c392eff9711cd51f024ffc0c90fe09c507608504d8fb55bed2b5effc
                                                                                                              • Opcode Fuzzy Hash: 9c25c60035fb481b6860013c2bcd6eadbf59776beb3430c19b59ff3111ee39ed
                                                                                                              • Instruction Fuzzy Hash: 00D11774A41209DFDB14DFA8D484ADDBBB6FF88310F248159E44AAB761C731ED82DB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1938583789.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_99f0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2d08842dc6461f2e8c68a90135891f5b2658aa8614782b36eb16d728b06abfa4
                                                                                                              • Instruction ID: 52b8cc73951e68ba7586c97d64bacc1fd872ad2ab4757f97103d66b29ee640e2
                                                                                                              • Opcode Fuzzy Hash: 2d08842dc6461f2e8c68a90135891f5b2658aa8614782b36eb16d728b06abfa4
                                                                                                              • Instruction Fuzzy Hash: A9C12734A01209AFDF05DFA8D494A9DFBB2FF88314F588159E944AB365C771EC86CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1943073297.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9e00000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8ffb62a0cf7d9a1a5bd712641aa735090b2139647375b528112fd01272816e3f
                                                                                                              • Instruction ID: 9a5e7ba60e313d0cd02658f2c66e4a6bae3451cf661347ab656cc2659b15b192
                                                                                                              • Opcode Fuzzy Hash: 8ffb62a0cf7d9a1a5bd712641aa735090b2139647375b528112fd01272816e3f
                                                                                                              • Instruction Fuzzy Hash: FFC11A34A05209EFDB05DFA8D494A9DBBB2FF88314F249159E805AB3A1C771ED81CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1903405281.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7a10000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: aa69ec6e0ca3a23aa3adb5b47a145ac362b71be857051e37b43f6d46679900a3
                                                                                                              • Instruction ID: cee3de2a4c790802ebfacdafc8b7a7342a029566aaa284bc8786f2af21ff6d26
                                                                                                              • Opcode Fuzzy Hash: aa69ec6e0ca3a23aa3adb5b47a145ac362b71be857051e37b43f6d46679900a3
                                                                                                              • Instruction Fuzzy Hash: 659109B1B00206CFEB14DF68984076EB7E2BFC5614F25C1BAD9169B281DB31DD52C7A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8ac397f3945c2d29c0224838a49bd6a888e4e29018205fc421544d1c873beaa1
                                                                                                              • Instruction ID: a510345705ee7b30fd277facf0fb89be18f315170810678ec6807b7dd032c078
                                                                                                              • Opcode Fuzzy Hash: 8ac397f3945c2d29c0224838a49bd6a888e4e29018205fc421544d1c873beaa1
                                                                                                              • Instruction Fuzzy Hash: 4B918D74A00605CFCB15DF58C494AAEFBB1FF88310B258699D816AB765C735FC52CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1942636062.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9db0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cbd7e9f59a7519eec5ef6e7fe0f8731f72f333a98a16605179da6b4523b9a8cc
                                                                                                              • Instruction ID: 0ba8811cf9a0d859bfc4004c2741a83732912eea689f85da275f28278d8158e6
                                                                                                              • Opcode Fuzzy Hash: cbd7e9f59a7519eec5ef6e7fe0f8731f72f333a98a16605179da6b4523b9a8cc
                                                                                                              • Instruction Fuzzy Hash: A8517FA280E3D59FD7039B68D870199BFB0BE9720470A41C7D4C1DF1A3E2699949C7A7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 550b926377565d6d165f84d8e4832dbfdbfcd7e39dd6f593c5113c8c2df24f9f
                                                                                                              • Instruction ID: cc560758a646edef6d8048f903c7e37ded52fd6d3d246bdab3ee399887459a76
                                                                                                              • Opcode Fuzzy Hash: 550b926377565d6d165f84d8e4832dbfdbfcd7e39dd6f593c5113c8c2df24f9f
                                                                                                              • Instruction Fuzzy Hash: BD51E934A00209EFDB05CFA8D844A9DBBB2FF88314F248559E805AB365C775EC92CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1903405281.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7a10000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 785cb163a1c5348f8d4ab85e198f1f124b742c324dfd327ff074c1f2808fc3b4
                                                                                                              • Instruction ID: 3e0e191d0a4d4953df0eab301e27e459567cbe5a25722f6e4a1a5661c8770149
                                                                                                              • Opcode Fuzzy Hash: 785cb163a1c5348f8d4ab85e198f1f124b742c324dfd327ff074c1f2808fc3b4
                                                                                                              • Instruction Fuzzy Hash: 0C416EF27053468FEB159B78955066AB7A2DFC2230B1445BBD5328B251DF3AC941C3A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8e2d7072cff9bbddefd3254fef1f822cd4db94fba7f0658d2ee4243789f9bc19
                                                                                                              • Instruction ID: 09cf3db72ccb1f077bdd4e4d9cf495931c9559f6dfaec48dff7ba6342ef931bc
                                                                                                              • Opcode Fuzzy Hash: 8e2d7072cff9bbddefd3254fef1f822cd4db94fba7f0658d2ee4243789f9bc19
                                                                                                              • Instruction Fuzzy Hash: AC512B74A00209CFDB05CF98C8959AEF7B6FF88314B248559E906AB364D735FC42CB64
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1938583789.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_99f0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d181b6b3228a9efaeba86d272ba44dd1e3273cbf7bd4f4ef4d405e67692bb838
                                                                                                              • Instruction ID: 398538cc803ff3ebe0133f7e125f8c7a6a6ccd4940aa765fa89d101c990e0ffd
                                                                                                              • Opcode Fuzzy Hash: d181b6b3228a9efaeba86d272ba44dd1e3273cbf7bd4f4ef4d405e67692bb838
                                                                                                              • Instruction Fuzzy Hash: D451F934A00209AFDB05DFA8D494A9DFBB2FF88314F248559E505AB365CB75EC82CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1943073297.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9e00000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f621435502052137a02e784b400b97f14d558cfa1e6c01923af4ac14a21a555c
                                                                                                              • Instruction ID: b0ffeafd1f3c0904d3dbca7a4350d39f786218f453f179e3777a665cf172ddcd
                                                                                                              • Opcode Fuzzy Hash: f621435502052137a02e784b400b97f14d558cfa1e6c01923af4ac14a21a555c
                                                                                                              • Instruction Fuzzy Hash: 7E51A830A093449FC706CF6CC8A05AABBB1FF8A314B24459AD455DF7A2D335EC45CBA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1943073297.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9e00000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5aaaa6e88790894316f7497b0dc17840acf15ebfecef1094c30a9031270517d9
                                                                                                              • Instruction ID: 41b31af207d0c65733ffe99b6735837d569057d305d4779d9c119b1cf2c742c9
                                                                                                              • Opcode Fuzzy Hash: 5aaaa6e88790894316f7497b0dc17840acf15ebfecef1094c30a9031270517d9
                                                                                                              • Instruction Fuzzy Hash: A451D934A00209EFDB05DFA8D594A9DFBB2FF88314F248559E405AB365C775EC82CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dc9348cf34aeb6e384811d2b1568813109728ae58f39fac27b44b7d3a42a85ed
                                                                                                              • Instruction ID: e1f243df569cade469f288b2277d7b2f310e1ecb58d9b63dbd2032b1e56e8d05
                                                                                                              • Opcode Fuzzy Hash: dc9348cf34aeb6e384811d2b1568813109728ae58f39fac27b44b7d3a42a85ed
                                                                                                              • Instruction Fuzzy Hash: BA51DA35A00209EFDB05CFA8D584A9DBBB2FF88314F248559E405AB365D775EC82CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1938583789.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_99f0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f2fb37a1b4707269d848673feb378660202f3d77541f5726376ecfa4ee82e476
                                                                                                              • Instruction ID: fe2b549f49fe67a4ce8084babbc86bdbc38addbac617297bf900adae5c90aeed
                                                                                                              • Opcode Fuzzy Hash: f2fb37a1b4707269d848673feb378660202f3d77541f5726376ecfa4ee82e476
                                                                                                              • Instruction Fuzzy Hash: C5412A75A002099FCB19CF5CC990AAEF7B2FF88320B248559E955E7364D335EC81CB94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f5811487a27ebd5ee64bb2523021262c200931b81e4f53207c252933be42ab86
                                                                                                              • Instruction ID: 233832d737c0f384bc67a066d3ebf59763192824c7807ec415c5496ef3334ee9
                                                                                                              • Opcode Fuzzy Hash: f5811487a27ebd5ee64bb2523021262c200931b81e4f53207c252933be42ab86
                                                                                                              • Instruction Fuzzy Hash: 1441B4366042448FCB15CF98D8949AEBBB1EF89310B2485A9D456DB366D731EC42CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1938583789.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_99f0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 70f550552c7d252802f5e7fa41a07d6b53b5491827d89801f57ce2500b79f010
                                                                                                              • Instruction ID: 3b41086bbdd86dcca800684171f52caf9c6d751c0af63a3db4ac813ee7a002c4
                                                                                                              • Opcode Fuzzy Hash: 70f550552c7d252802f5e7fa41a07d6b53b5491827d89801f57ce2500b79f010
                                                                                                              • Instruction Fuzzy Hash: B541F874A006099FCB18CF98C990AAEF7B2FF88320B248559E915E7364D331EC81CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 32e49ffaa84be4ec69dbb430020a66775560e6d22bab3ddf61c8f2300019b864
                                                                                                              • Instruction ID: 5c1b538fdbf552973e2eb2b4186d4e2b5c02e38027bcb7279a12691872f04cc5
                                                                                                              • Opcode Fuzzy Hash: 32e49ffaa84be4ec69dbb430020a66775560e6d22bab3ddf61c8f2300019b864
                                                                                                              • Instruction Fuzzy Hash: 1A413C74A002058FCB15CF58C884AAEBBF2FF89314B248699D816EB365D335EC42CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1943073297.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9e00000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c8d0251aca73bd4d32a7c637dd66843a6f3650d63a04880ae1063bc718539756
                                                                                                              • Instruction ID: 6caaddff810103b4351bc42f94d95926c93603301a45e0aa01fc7bea9424e70a
                                                                                                              • Opcode Fuzzy Hash: c8d0251aca73bd4d32a7c637dd66843a6f3650d63a04880ae1063bc718539756
                                                                                                              • Instruction Fuzzy Hash: CB414D74A00609DFCB15CF9CC491AAAB7B2FF89314B248659D915EB7A1D731EC81CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6751c2a9784b90908079fa19ddff7b50e766b24535f85aadfbe2d6cc10ff719a
                                                                                                              • Instruction ID: bd42122c8dd5b37a2687e71a0def154b9ddcfa4480fd41fcf1cef184dc8ee484
                                                                                                              • Opcode Fuzzy Hash: 6751c2a9784b90908079fa19ddff7b50e766b24535f85aadfbe2d6cc10ff719a
                                                                                                              • Instruction Fuzzy Hash: 59411D75A002098FDB14CF9CC894AAEB7B1FF89320B248669E915AB765D735FC42CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1942636062.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9db0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cda476ae2dada6038ededdccb6b1c9b5adda4158e9b657ad78cd3be658fa37cd
                                                                                                              • Instruction ID: 41ff9b231e92936864b5302a9c511c559fd8f1ce9eba81d3d7ed569dba541581
                                                                                                              • Opcode Fuzzy Hash: cda476ae2dada6038ededdccb6b1c9b5adda4158e9b657ad78cd3be658fa37cd
                                                                                                              • Instruction Fuzzy Hash: 1921E775A00609DFCB14DF99C8809AAFBF5FF89310B24855AD85AE7711C731ED91CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 171dbfefa093bce9f2535d6ff998cbe73f72fbebf93b54a64d5a8f34ac514fd1
                                                                                                              • Instruction ID: 74b76722f00c7d0d9ca0cd1f38751b2180f495dd68b174280c8d81368f7ef8a0
                                                                                                              • Opcode Fuzzy Hash: 171dbfefa093bce9f2535d6ff998cbe73f72fbebf93b54a64d5a8f34ac514fd1
                                                                                                              • Instruction Fuzzy Hash: 3A21FCB5E006099FCB00DF98D9809AABBB5FF89310B158599E919EB352C735FC41CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7f8eabdc55e960ca97db9b03d7733d25d0559e1075b5fd2988b17ca0d5b20f2d
                                                                                                              • Instruction ID: feb4b03361b5a6c29b551d8eaa584a0daf33b3a408784027bc7f0165978cc609
                                                                                                              • Opcode Fuzzy Hash: 7f8eabdc55e960ca97db9b03d7733d25d0559e1075b5fd2988b17ca0d5b20f2d
                                                                                                              • Instruction Fuzzy Hash: 0D21F975A0021A9FCB04DF98D8809AEFBB5FF89310B158599E91AEB351C735FC41CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1942636062.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9db0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2e55e244c402dd3a9a71d99312310bf663a5eeba2dd06e55832489fecebfbd24
                                                                                                              • Instruction ID: 9e9b72e9a2dabf03cf51f7c0aea5c48b09d7c495ea9a118676bdb7637f0d2e5f
                                                                                                              • Opcode Fuzzy Hash: 2e55e244c402dd3a9a71d99312310bf663a5eeba2dd06e55832489fecebfbd24
                                                                                                              • Instruction Fuzzy Hash: 49118932800349DFDB14DFAAC8417EEBBF5EF88220F248429D559AB640CB399540CFA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fa8ba38e7d948c5c56cecd0e9af4378c3e26f453d680bf32d575292c96f94954
                                                                                                              • Instruction ID: b895b3070ceaa9e189afe2f4584d583d6e852c30a762578d7da41380fcd9789f
                                                                                                              • Opcode Fuzzy Hash: fa8ba38e7d948c5c56cecd0e9af4378c3e26f453d680bf32d575292c96f94954
                                                                                                              • Instruction Fuzzy Hash: 7A11F974A00609DFDB00DF98D9909AEFBB5FF88310B1585A9E949AB351D731FC41CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1942636062.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_9db0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 94d7b758234361228567858a7bd0d4cfe51a3075f898fa56cd5f26a39d471b21
                                                                                                              • Instruction ID: 8971efc625217872e11018544acc4dc7d266040497870cbae1a0b823ba0b0960
                                                                                                              • Opcode Fuzzy Hash: 94d7b758234361228567858a7bd0d4cfe51a3075f898fa56cd5f26a39d471b21
                                                                                                              • Instruction Fuzzy Hash: 43117972800309DFDB14DFAAC845BEEBBF5EF88320F248429D519A7240CB399540CFA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 31dc78c66f4fef9d1aa4cc3099ae962acb3e5653f683c2eb95a3ac2b7d1ad163
                                                                                                              • Instruction ID: b6f41ebce73a9a9a2f2acde989b17f781aac0a033a9b2718e396be3fbd2592b8
                                                                                                              • Opcode Fuzzy Hash: 31dc78c66f4fef9d1aa4cc3099ae962acb3e5653f683c2eb95a3ac2b7d1ad163
                                                                                                              • Instruction Fuzzy Hash: 8311F9B4E0020A8FCB04DF98D980AAEF7B1FF89310B118599E819EB351D731ED41CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1857624303.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_4f60000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dc4a49e72d931ffa34050a06db008362fcc1f694b605e5664a36f153d449298a
                                                                                                              • Instruction ID: fa7200c1bda7733c68b750bb92aa30bc8d74d00f3ff84dc25f56d61de0ce15e6
                                                                                                              • Opcode Fuzzy Hash: dc4a49e72d931ffa34050a06db008362fcc1f694b605e5664a36f153d449298a
                                                                                                              • Instruction Fuzzy Hash: ED21BA35A00209EFDF05DFA8D884EDDBBB2FF48314F188159E405AB265C775E892DB81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1938583789.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_99f0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bbfe7c5d6fe742c6fe93d17bae8e02abe71c558b3ec182f808747d6d18276b89
                                                                                                              • Instruction ID: d3bfac62277fb30086077b0adf785dc84fb6f558699deef0fabbc6a199f477d9
                                                                                                              • Opcode Fuzzy Hash: bbfe7c5d6fe742c6fe93d17bae8e02abe71c558b3ec182f808747d6d18276b89
                                                                                                              • Instruction Fuzzy Hash: AE11CC35900209EFDB05DFA8E494ADDFBB2FF88314F288555E504AB365C771E882CB90
                                                                                                              Memory Dump Source
                                                                                                              • Instruction Fuzzy Hash: 23F024B37202159F92285A8C8401A6AB6AB9BC5A507242027EA16DF714DEB1CD0287D7

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:40.2%
                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                              Signature Coverage:1%
                                                                                                              Total number of Nodes:196
                                                                                                              Total number of Limit Nodes:8
                                                                                                              execution_graph (rendered as an image in the sandbox UI; the raw node/edge list is not reproduced). Call chains recoverable from the graph, by function address, with the Windows APIs reached from each:
                                                                                                              • 0x403983 → 0x40389C → 0x402A78 → 0x4028BA → 0x402760: CreateFileW, ReadFile, RtlAllocateHeap (via 0x4020BC), NtClose; then CreateMutexW at 0x402AF0
                                                                                                              • 0x402A78 → 0x4026C0 → 0x4024F8 → 0x402760 (4 API calls); 0x4026E7 CreateFileW, 0x40270B ReadFile; from 0x402729 on to 0x403903 (0x403914: 26 API calls), 0x40362E and 0x402F18
                                                                                                              • 0x402F18: FindFirstFileExW (via 0x40227C), CreateFileW, NtAllocateVirtualMemory, WriteFile, SetFilePointerEx (two call sites), NtFreeVirtualMemory, NtClose, then 0x402E10: DeleteFileW or MoveFileExW
                                                                                                              • 0x40362E → 0x403144: CreateThread, NtSetInformationThread (via 0x401D94); thread routine 0x403478: SetThreadPriority, WriteFile. 0x40362E then calls GetLogicalDriveStringsW, GetDriveTypeW, CreateDirectoryW (via 0x40217C), CreateThread, NtClose, Sleep; the per-drive thread routine 0x4032E8 (also entered via 0x4032E4): SetThreadPriority, GetDiskFreeSpaceW, GetDiskFreeSpaceExW, GetTempFileNameW, CreateFileW, DeviceIoControl, RtlAllocateHeap (via 0x403258 → 0x4020BC), CreateIoCompletionPort
                                                                                                              • 0x403956 → 0x4019D4 → 0x4016B4 (called six times, "9 API calls" each): NtAllocateVirtualMemory (two call sites); 0x40152C: FindFirstFileExW, FindNextFileW, FindClose; 0x401474: LdrLoadDll; 0x401394 → 0x4014D8: LdrGetProcedureAddress (two call sites). Then 0x401B70: RtlCreateHeap (two call sites), 0x401A40: RtlAllocateHeap (five call sites), 0x401D94: NtSetInformationThread, 0x401DC2: NtProtectVirtualMemory; 0x402812 / 0x402836: RtlAdjustPrivilege → 0x403976
                                                                                                              • 0x4019B7 → 0x4016B4 (six calls, as above); 0x40286C: NtSetInformationProcess (three call sites)
                                                                                                              • 0x402126 → 0x4020BC: RtlAllocateHeap

                                                                                                              Callgraph

                                                                                                              callgraph (rendered as an image in the sandbox UI; the 85-node edge list, Function_00401000 through Function_00403983, is not reproduced). Recoverable edges:
                                                                                                              • Function_00403983 → Function_0040389C → Function_004026C0, Function_00402A78, Function_00402F18, Function_0040362E
                                                                                                              • Function_00403956 → Function_004019D4, Function_00401B70, Function_00402812, Function_00402836
                                                                                                              • Function_004019D4 and Function_004019B7 → Function_004016B4 → Function_00401E78, Function_00401000, Function_0040152C
                                                                                                              • Function_00401000 → Function_00401F4C, Function_00401350, Function_00401EE4, Function_00401394, Function_00401EB0 (and itself); Function_00401394 → Function_004014D8, Function_00401474
                                                                                                              • Function_00401B70 → Function_00401A40, Function_00401DC2, Function_00401D94
                                                                                                              • Function_0040362E → Function_00403144, Function_004032E8, Function_0040217C; Function_004032E4 and Function_004032E8 → Function_00403258 → Function_004020BC
                                                                                                              • Function_00402F18 → Function_0040227C, Function_00402E10; Function_004026C0 → Function_004024F8 → Function_00402760 → Function_004020BC

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_400000_8521.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Text$Color$CreateWindow$Proc$CommandFontFreeHandleLibraryLineLoadMenuModule$AddressBitmapCharsetErrorInfoLastLocaleObjectSelect
                                                                                                              • String ID:
                                                                                                              • API String ID: 1586701277-0
                                                                                                              • Opcode ID: 75a7f395dfd15dd6a7f12e7587c497a330da91454d241e242464d6c2316bf13f
                                                                                                              • Instruction ID: 44f13d8dc4ada08d969f55db554330e9d88bd117b0c18836a0928b418f5903af
                                                                                                              • Opcode Fuzzy Hash: 75a7f395dfd15dd6a7f12e7587c497a330da91454d241e242464d6c2316bf13f
                                                                                                              • Instruction Fuzzy Hash: 89F0B724B651416AC500BFFB9947A0D6E2C6E8472BB50657EB0C1344E74D3C87009EAF

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph for the function at 0x402F18 (basic blocks 402f18 through 403141; rendered as an image in the sandbox UI, edge list not reproduced). Blocks that call out: 402f35 call 40227c; 402f67 CreateFileW; 402fb4 NtAllocateVirtualMemory; 40304b WriteFile; 403068 SetFilePointerEx; 403095 SetFilePointerEx; 4030c5 NtFreeVirtualMemory; 4030f3 NtClose; 4030ff call 402e10 and DeleteFileW. The write loop runs 403023 → 40304b WriteFile → 403068 SetFilePointerEx → back to 40304b, leaving through 403095 SetFilePointerEx → 403023; the allocation at 402fb4 is retried from 403015 before the loop starts.
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,80000000,00000000), ref: 00402F82
                                                                                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00010000,00001000,00000004), ref: 00402FDB
                                                                                                              • WriteFile.KERNELBASE(000000FF,00000000,00010000,00010000,00000000), ref: 0040305F
                                                                                                              • SetFilePointerEx.KERNELBASE(000000FF,00010000,?,00000000,00000001), ref: 0040307E
                                                                                                              • SetFilePointerEx.KERNELBASE(000000FF,00010000,00000000,00000000,00000000,?,00000000,00000001), ref: 004030B3
                                                                                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00010000,00008000,?,00000000,00000001), ref: 004030E4
                                                                                                              • NtClose.NTDLL(000000FF,?,00000000,00000001), ref: 004030FC
                                                                                                              • DeleteFileW.KERNELBASE(?,?,00000000,00000001), ref: 00403118
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_400000_8521.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$MemoryPointerVirtual$AllocateCloseCreateDeleteFreeWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 590822095-0
                                                                                                              • Opcode ID: 52122dafd602033dbf0aaa267e6343e8fb4df09450a7f36494692c9b8865e816
                                                                                                              • Instruction ID: 1b8bdb635f3090c090aca30f1047892238d11e79f8ef36d2dcee79009cce4089
                                                                                                              • Opcode Fuzzy Hash: 52122dafd602033dbf0aaa267e6343e8fb4df09450a7f36494692c9b8865e816
                                                                                                              • Instruction Fuzzy Hash: ED714871901209AFDB11CF90DD48BEEBB79FB08311F204266E511B62D4D3759E85CF99

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 004032FB
                                                                                                              • GetDiskFreeSpaceW.KERNELBASE(?,?,?,00000000,00000000), ref: 00403313
                                                                                                              • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000,?), ref: 00403332
                                                                                                              • GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00403375
                                                                                                              • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000), ref: 00403398
                                                                                                              • DeviceIoControl.KERNELBASE(000000FF,0009C040,00000000,00000002,00000000,00000000,?,00000000), ref: 004033CD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_400000_8521.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DiskFileFreeSpace$ControlCreateDeviceNamePriorityTempThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 2011835681-0
                                                                                                              • Opcode ID: 229209989839885a3588f396d77e0cdc96e3fac898d9f41ca49139373efe7470
                                                                                                              • Instruction ID: c3badfffa75a89a0abcd59fd2fd34812244497566a58eab59887ac76a1f04a4a
                                                                                                              • Opcode Fuzzy Hash: 229209989839885a3588f396d77e0cdc96e3fac898d9f41ca49139373efe7470
                                                                                                              • Instruction Fuzzy Hash: D6510A71A01209AFDB00DF90DD49F9EBB79FF08700F2092A5E611BA2A1D730AE45DF95
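The two API lists above are what an analyst reads off such a report by hand: the routine at 0x402F18 opens a file for writing with FILE_FLAG_WRITE_THROUGH, commits a 64 KiB buffer, writes it in a seek-and-write loop, frees the buffer, closes the handle and deletes the file; the per-drive thread routine at 0x4032E8 creates a temporary file and issues DeviceIoControl with control code 0x9C040, which decodes to FSCTL_SET_COMPRESSION. The following is an added example, not code from the report or from the analysed sample, that parses API lines in the report's own format, decodes the CreateFileW and control-code constants (standard Windows definitions; the lookup tables are a deliberately small subset) and flags the open-for-write, write, delete sequence. The sample input is copied from the two lists above; the function names `parse_api_block`, `annotate`, `decode_ioctl` and `overwrite_then_delete` are this example's own.

```python
"""Added triage helper for the 'APIs' lists in Joe Sandbox function blocks
(example code, not part of the report or of the analysed sample)."""
import re
from dataclasses import dataclass, field

# Sample input: the two "APIs" lists of functions 0x402F18 and 0x4032E8, copied from the report.
FUNC_402F18 = """
• CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,80000000,00000000), ref: 00402F82
• NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00010000,00001000,00000004), ref: 00402FDB
• WriteFile.KERNELBASE(000000FF,00000000,00010000,00010000,00000000), ref: 0040305F
• SetFilePointerEx.KERNELBASE(000000FF,00010000,?,00000000,00000001), ref: 0040307E
• SetFilePointerEx.KERNELBASE(000000FF,00010000,00000000,00000000,00000000,?,00000000,00000001), ref: 004030B3
• NtFreeVirtualMemory.NTDLL(000000FF,00000000,00010000,00008000,?,00000000,00000001), ref: 004030E4
• NtClose.NTDLL(000000FF,?,00000000,00000001), ref: 004030FC
• DeleteFileW.KERNELBASE(?,?,00000000,00000001), ref: 00403118
"""
FUNC_4032E8 = """
• SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 004032FB
• GetDiskFreeSpaceW.KERNELBASE(?,?,?,00000000,00000000), ref: 00403313
• GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000,?), ref: 00403332
• GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00403375
• CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000), ref: 00403398
• DeviceIoControl.KERNELBASE(000000FF,0009C040,00000000,00000002,00000000,00000000,?,00000000), ref: 004033CD
"""

# "<bullet> Api.Module(arg,arg,...), ref: ADDRESS"; the bullet is matched by \W* so its encoding does not matter.
API_LINE = re.compile(r"^\W*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                      # ints for hex literals, None where the report printed '?'
    ref: int                        # address of the call site
    notes: list = field(default_factory=list)


def parse_api_block(text):
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [None if a.strip() in ("", "?") else int(a, 16) for a in m["args"].split(",")]
            calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls


# CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
#             dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED", 0x20000000: "FILE_FLAG_NO_BUFFERING"}
# Control codes are CTL_CODE(DeviceType, Function, Method, Access)
#   = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method; FILE_DEVICE_FILE_SYSTEM is 9.
KNOWN_IOCTLS = {0x9C040: "FSCTL_SET_COMPRESSION", 0x900C4: "FSCTL_SET_SPARSE", 0x980C8: "FSCTL_SET_ZERO_DATA"}


def bit_names(value, table):
    return [name for bit, name in table.items() if value & bit] or [hex(value)]


def decode_ioctl(code):
    return {"device": code >> 16, "access": (code >> 14) & 3, "function": (code >> 2) & 0xFFF,
            "method": code & 3, "name": KNOWN_IOCTLS.get(code)}


def annotate(call):
    """Attach human-readable decodings of the constants the report printed."""
    a = call.args
    if call.api == "CreateFileW" and len(a) >= 6:
        if a[1] is not None:
            call.notes.append("access=" + "|".join(bit_names(a[1], GENERIC)))
        if a[4] is not None:
            call.notes.append("disposition=" + DISPOSITION.get(a[4], hex(a[4])))
        if a[5]:
            call.notes.append("flags=" + "|".join(bit_names(a[5], FILE_FLAGS)))
    elif call.api == "DeviceIoControl" and len(a) >= 2 and a[1] is not None:
        d = decode_ioctl(a[1])
        call.notes.append("ioctl=%s device=%d function=%d method=%d access=%d"
                          % (d["name"] or hex(a[1]), d["device"], d["function"], d["method"], d["access"]))
    return call


def overwrite_then_delete(calls):
    """True when one function opens a file for writing, writes to it and then deletes it:
    the wipe-and-remove sequence of the routine at 0x402F18."""
    apis = [c.api for c in calls]
    for i, c in enumerate(calls):
        if c.api == "CreateFileW" and len(c.args) > 1 and c.args[1] is not None and c.args[1] & 0x40000000:
            try:
                j = apis.index("WriteFile", i)
                apis.index("DeleteFileW", j)
                return True
            except ValueError:
                return False
    return False


if __name__ == "__main__":
    for name, block in (("0x402F18", FUNC_402F18), ("0x4032E8", FUNC_4032E8)):
        calls = [annotate(c) for c in parse_api_block(block)]
        print(name, "overwrite-then-delete:", overwrite_then_delete(calls))
        for c in calls:
            print("  %08X %s.%s %s" % (c.ref, c.module, c.api, "; ".join(c.notes)))
```

The sequence check deliberately keys on the access mask rather than on the API name alone: a CreateFileW that only reads, followed by a DeleteFileW, is ordinary cleanup, whereas GENERIC_WRITE plus FILE_FLAG_WRITE_THROUGH followed by a WriteFile loop and DeleteFileW is the pattern that destroys on-disk content before the unlink. The `?` placeholders the report prints for pointer arguments are kept as None so a decoder never mistakes an unknown for a zero.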

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • FindFirstFileExW.KERNELBASE(C:\Windows\System32\*.dll,00000000,?,00000000,00000000,00000000), ref: 00401601
                                                                                                              • FindClose.KERNELBASE(000000FF,?,00000000), ref: 0040162D
                                                                                                              • FindNextFileW.KERNELBASE(000000FF,?,?,00000000), ref: 00401653
                                                                                                              • FindClose.KERNEL32(000000FF), ref: 00401660
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_400000_8521.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$CloseFile$FirstNext
                                                                                                              • String ID: C:\Windows\System32\*.dll
                                                                                                              • API String ID: 1164774033-1305136377
                                                                                                              • Opcode ID: bdb8730289e2ca857be386bc3c3ab385330ed8d95a663a52d2d02b9110bb0279
                                                                                                              • Instruction ID: b8f602421e8d3e3309feb9384621a56ef9d54da146c7d7394d3b11ea37959a12
                                                                                                              • Opcode Fuzzy Hash: bdb8730289e2ca857be386bc3c3ab385330ed8d95a663a52d2d02b9110bb0279
                                                                                                              • Instruction Fuzzy Hash: 30418C71900608EFDB20AFA4DD48BAA77B4FB44325F608276E521BE1F0D7794A85DF48

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph for the function at 0x40362E (basic blocks 40362e through 40389b; rendered as an image in the sandbox UI, edge list not reproduced). Blocks that call out: 40362e call 403144; 403678 GetLogicalDriveStringsW; 40371d GetDriveTypeW; 403735 call 40217c; 403751 CreateThread; 4037f9 NtClose; 40381e Sleep. The drive loop runs 40371d GetDriveTypeW → 403735 → 403751 CreateThread → 4037ba → back to 40371d; on exit, 4037e0 → 4037f9 NtClose (looping over handles) → 403809 → 40381e Sleep → 403809 before the function returns through 403886.
APIs
• GetLogicalDriveStringsW.KERNELBASE(00000068,?), ref: 00403687
Memory Dump Source
• Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_8521.jbxd
Similarity
• API ID: DriveLogicalStrings
• String ID:
• API String ID: 2022863570-0

APIs
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040278B
• ReadFile.KERNELBASE(000000FF,00000000,00000000,00000000,00000000), ref: 004027D3
• NtClose.NTDLL(000000FF), ref: 004027FF
Memory Dump Source
• Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_8521.jbxd
Similarity
• API ID: File$CloseCreateRead
• String ID:
• API String ID: 1419693385-0

APIs
• NtSetInformationProcess.NTDLL(000000FF,00000021,?,00000004), ref: 00402888
• NtSetInformationProcess.NTDLL(000000FF,00000012,00000000,00000002,?,00000004), ref: 0040289D
• NtSetInformationProcess.NTDLL(000000FF,0000000C,00000000,00000004,?,00000004), ref: 004028B5
Memory Dump Source
• Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_8521.jbxd
Similarity
• API ID: InformationProcess
• String ID:
• API String ID: 1801817001-0

APIs
• NtProtectVirtualMemory.NTDLL(000000FF,00000000,00000020,00000040,?), ref: 00401E0B
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_8521.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-3916222277

APIs
• NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00103000,00000040), ref: 0040171F
• NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000000,00103000,00000004), ref: 00401742
Memory Dump Source
• Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_8521.jbxd
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
APIs
• FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 004022A4
Memory Dump Source
• Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_8521.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
APIs
• NtSetInformationThread.NTDLL(00000000,?,00000000,00000000), ref: 00401DBB
Memory Dump Source
• Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_8521.jbxd
Similarity
• API ID: InformationThread
• String ID:
• API String ID: 4046476035-0

APIs
• SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 004032FB
• GetDiskFreeSpaceW.KERNELBASE(?,?,?,00000000,00000000), ref: 00403313
• GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000,?), ref: 00403332
• GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00403375
• CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000), ref: 00403398
• DeviceIoControl.KERNELBASE(000000FF,0009C040,00000000,00000002,00000000,00000000,?,00000000), ref: 004033CD
Memory Dump Source
• Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_8521.jbxd
Similarity
• API ID: DiskFileFreeSpace$ControlCreateDeviceNamePriorityTempThread
• String ID:
• API String ID: 2011835681-0

                                                                                                              APIs
                                                                                                              • RtlCreateHeap.NTDLL(00001002,00000000,00000000,00000000,00000000,00000000), ref: 00401B96
                                                                                                              • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000), ref: 00401BBB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmp
                                                                                                              • Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_400000_8521.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 10892065-0

                                                                                                              Control-flow Graph
                                                                                                              (function entry block 403478-403488; graph edge data not reproduced)
                                                                                                              APIs
                                                                                                              • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 00403488
                                                                                                              • WriteFile.KERNELBASE(?,?,?,?,?), ref: 0040350E
                                                                                                              Similarity
                                                                                                              • API ID: FilePriorityThreadWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3596769661-0

                                                                                                              Control-flow Graph
                                                                                                              (function entry block 4026c0-4026e5; internal call target 4024f8; graph edge data not reproduced)
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004026FF
                                                                                                              • ReadFile.KERNELBASE(000000FF,000000FF,0000021C,?,00000000), ref: 00402722
                                                                                                              Similarity
                                                                                                              • API ID: File$CreateRead
                                                                                                              • String ID:
                                                                                                              • API String ID: 3388366904-0

                                                                                                              Control-flow Graph
                                                                                                              (function entry block 401a40-401a5a; internal call target 401e78; graph edge data not reproduced)
                                                                                                              APIs
                                                                                                              • RtlAllocateHeap.NTDLL(00000000,00000008,00000010), ref: 00401A6D
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 1279760036-0

                                                                                                              Control-flow Graph
                                                                                                              (function entry block 402e10-402e35; MoveFileExW called from block 402e7c-402e8f; graph edge data not reproduced)
                                                                                                              APIs
                                                                                                              • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 00402227
                                                                                                              Similarity
                                                                                                              • API ID: CreateDirectory
                                                                                                              • String ID:
                                                                                                              • API String ID: 4241100979-0
                                                                                                              APIs
                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00003478,00000000,00000000,00000000), ref: 004031A2
                                                                                                              Similarity
                                                                                                              • API ID: CreateThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 2422867632-0
                                                                                                              APIs
                                                                                                              • LdrLoadDll.NTDLL(00000000,00000000,00000000,?), ref: 004014C4
                                                                                                              Similarity
                                                                                                              • API ID: Load
                                                                                                              • String ID:
                                                                                                              • API String ID: 2234796835-0
                                                                                                              • Opcode ID: cc821bb6490c49b643c0aee4c8a66cc2fb92e167f5171f05bab2522af16bb81c
                                                                                                              • Instruction ID: 140de97a3c31e0856ca0b204e221eb1e366fb0b1d4fd9a07ba92ba20ce5f8dd4
                                                                                                              • Opcode Fuzzy Hash: cc821bb6490c49b643c0aee4c8a66cc2fb92e167f5171f05bab2522af16bb81c
                                                                                                              • Instruction Fuzzy Hash: F7F03C3690020DFADF10EAA4D848FDE77BCEB14314F0041A6E904B7190D238AA099BA5
                                                                                                              APIs
                                                                                                              • RtlAdjustPrivilege.NTDLL(?,00000001,00000000,00000000), ref: 00402861
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                              • Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                              • Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                              • Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_400000_8521.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AdjustPrivilege
                                                                                                              • String ID:
                                                                                                              • API String ID: 3260937286-0
                                                                                                              • Opcode ID: b838e4be5c385c0dc624d50355c604d381d153ee0a89857c9e86ae645bc67477
                                                                                                              • Instruction ID: 70193a9dbc7aa9cd3770003b3bb97339f6e2972f30e24310785a39762e1cef45
                                                                                                              • Opcode Fuzzy Hash: b838e4be5c385c0dc624d50355c604d381d153ee0a89857c9e86ae645bc67477
                                                                                                              • Instruction Fuzzy Hash: B9E0263251821AABCB20A2189E0CBA7739DD744314F1043B6A805F71D1EAF69A0A87DA
                                                                                                              APIs
                                                                                                              • RtlAllocateHeap.NTDLL(?,00000008,?), ref: 004020D7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2898232519.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 0000000B.00000002.2898205226.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                              • Associated: 0000000B.00000002.2898257343.0000000000404000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                              • Associated: 0000000B.00000002.2898281796.0000000000405000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                              • Associated: 0000000B.00000002.2898307356.0000000000406000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_400000_8521.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 1279760036-0
                                                                                                              • Opcode ID: 37c2d1e8b064bb17fe79b9677c4ca25dfdae977e826a45f6764b5f2e7935cd48
                                                                                                              • Instruction ID: 701e22a529f931561d5ec47da2ef603e250127bb9ab3ab4db12cbc5835053477
                                                                                                              • Opcode Fuzzy Hash: 37c2d1e8b064bb17fe79b9677c4ca25dfdae977e826a45f6764b5f2e7935cd48
                                                                                                              • Instruction Fuzzy Hash: 05D0C97A140609ABC6009F94E949D87F769FF58711B00C6A1BA045B222C630E890CFD4