Windows Analysis Report
lZyN9NTrS2.ps1

Overview

General Information

Sample name: lZyN9NTrS2.ps1
renamed because original name is a hash value
Original sample name: a33f21d28bd83a9501257ee727c46486989bdfea6d5cb9f1c12c9a67296b21b1.ps1
Analysis ID: 1579867
MD5: 42cbb4743ea016868d7a049a6c9fb3fc
SHA1: 62dca0b897feba00370bd505b3a3f8cc5e8f2615
SHA256: a33f21d28bd83a9501257ee727c46486989bdfea6d5cb9f1c12c9a67296b21b1
Tags: lockbit, lockbit40, powershell, ps1, ransomware, user-TheRavenFile

Detection

LockBit ransomware, Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Found post-exploitation toolkit Empire
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
Yara detected MetasploitPayload
AI detected suspicious sample
Changes the wallpaper picture
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found Tor onion address
Found potential ransomware demand text
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies existing user documents (likely ransomware behavior)
Powershell drops PE file
Sigma detected: Suspicious PowerShell Parameter Substring
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 6412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lZyN9NTrS2.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6644 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\lZyN9NTrS2.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • splwow64.exe (PID: 2300 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
      • F43.tmp (PID: 3276 cmdline: "C:\ProgramData\F43.tmp" MD5: 294E9F64CB1642DD89229FFF0592856B)
  • ONENOTE.EXE (PID: 6972 cmdline: /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{0ABB2406-12BC-4E6C-8C0C-B2880C04A53C}.xps" 133794276123940000 MD5: 0061760D72416BCF5F2D9FA6564F0BEA)
  • cleanup
{"URL": "http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion", "Ransom Note": "~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~\r\n\r\n>>>>> You must pay us.\r\n\r\nTor Browser Links BLOG where the stolen infortmation will be published:\r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/\r\nhttp://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/\r\nhttp://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/\r\nhttp://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/\r\nhttp://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/\r\nhttp://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/\r\nhttp://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/\r\n\r\n>>>>> What is the guarantee that we won't scam you? \r\nWe are the oldest extortion gang on the planet and nothing is more important to us than our reputation. We are not a politically motivated group and want nothing but financial rewards for our work. If we defraud even one client, other clients will not pay us. In 5 years, not a single client has been left dissatisfied after making a deal with us. If you pay the ransom, we will fulfill all the terms we agreed upon during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators' salaries. You can get more information about us on Elon Musk's Twitter at https://twitter.com/hashtag/lockbit?f=live.\r\n\r\n>>>>> Warning! 
Do not delete or modify encrypted files, it will lead to irreversible problems with decryption of files!\r\n\r\n>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. They will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.\r\n\r\n>>>>> When buying bitcoin, do not tell anyone the true purpose of the purchase. Some brokers, especially in the US, do not allow you to buy bitcoin to pay ransom. Communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for Donald Trump to win the election, buying bitcoin to participate in ICO and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. Also you can use adequate cryptocurrency brokers who do not ask questions for what you buy cryptocurrency.\r\n\r\n>>>>> After buying cryptocurrency from a broker, store the cryptocurrency on a cold wallet, such as https://electrum.org/ or any other cold cryptocurrency wallet, more details on https://bitcoin.org By paying the ransom from your personal cold cryptocurrency wallet, you will avoid any problems from regulators, police and brokers.\r\n\r\n>>>>> Don't be afraid of any legal consequences, you were very scared, that's why you followed all our instructions, it's not your fault if you are very scared. Not a single company that paid us has had issues. 
Any excuses are just for insurance company to not pay on their obligation.\r\n\r\n>>>>> You need to contact us via TOR darknet sites with your personal ID\r\n\r\nDownload and install Tor Browser https://www.torproject.org/\r\nWrite to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.\r\n\r\nTor Browser personal link for CHAT available only to you: \r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://fmtvvg3x5rs7tagzcytmfmffnihnte6gllkljufyz534hfpqhfyg2dad.onion\r\n\r\nTor Browser Links for CHAT \r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion\r\nhttp://lockbitspxmqqfi6bw4y7f5psnpoaakhlisdx33busmnpgtimart5fad.onion\r\nhttp://lockbitspxgtf65ej7uu5h7qtephbevcsc2sk2brxzmt754etrrzhdqd.onion\r\nhttp://lockbitspudgjptrzadjzi7b4n2nw3yq6aqqqqw6wbrrjkr2ffuhkhyd.onion\r\nhttp://lockbitsptqsmaf56cmo7bieqwh5htlsfkodpahsaurxlquoz67zwrad.onion\r\n\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>> Your personal identifier to communicate with us ID: 5150CB33290ED8C9BC347F15357C9E9E 
<<<<<\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\n\r\n>>>>> Want a lamborghini, a ferrari and lots of titty girls? Sign up and start your pentester billionaire journey in 5 minutes with us.\r\n( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )\r\nhttp://lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion\r\nhttp://lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion\r\nhttp://lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion\r\nhttp://lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion\r\nhttp://lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion\r\n\r\nVersion: LockBitBlack4.0-rc-001\r\n"}
Yara matches (Source, Rule, Description, Author, Strings):
Source: 00000003.00000002.2629857137.0000000009A12000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Author: Joe Security
Source: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Author: Joe Security
Source: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Author: unknown
  • 0x153bd:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x8c:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
Source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Author: Joe Security
Source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, Rule: Windows_Hacktool_Mimikatz_355d5d3a, Description: Detection for Invoke-Mimikatz, Author: unknown
  • 0x147a3:$b2: -MemoryAddress $GetCommandLineWAddrTemp
  • 0x148fa:$b2: -MemoryAddress $GetCommandLineWAddrTemp
  • 0x14435:$b3: -MemoryAddress $GetCommandLineAAddrTemp
  • 0x1458c:$b3: -MemoryAddress $GetCommandLineAAddrTemp

        System Summary

        Source: Process started, Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\lZyN9NTrS2.ps1 , CommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\lZyN9NTrS2.ps1 , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lZyN9NTrS2.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6412, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\lZyN9NTrS2.ps1 , ProcessId: 6644, ProcessName: powershell.exe
        Source: Process started, Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lZyN9NTrS2.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lZyN9NTrS2.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lZyN9NTrS2.ps1", ProcessId: 6412, ProcessName: powershell.exe
        Source: Registry Key set, Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): Data: Details: C:\ProgramData\R4SZPhslZ.bmp, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6644, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\WallPaper
        Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lZyN9NTrS2.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lZyN9NTrS2.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lZyN9NTrS2.ps1", ProcessId: 6412, ProcessName: powershell.exe
        No Suricata rule has matched

        AV Detection

        Source: C:\ProgramData\F43.tmp, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
        Source: R4SZPhslZ.README.txt22.3.dr, Malware Configuration Extractor: Lockbit
        Source: C:\ProgramData\F43.tmp, ReversingLabs: Detection: 86%
        Source: lZyN9NTrS2.ps1, ReversingLabs: Detection: 31%
        Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.4% probability
        Source: C:\ProgramData\F43.tmp, Joe Sandbox ML: detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09E994BC FindFirstFileExW,GetFileAttributesW,DeleteFileW,FindNextFileW,3_2_09E994BC
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09E993E0 FindFirstFileExW,3_2_09E993E0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09EA0F48 SetThreadPriority,FindFirstFileExW,FindNextFileW,3_2_09EA0F48
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09E9930C FindFirstFileExW,FindNextFileW,3_2_09E9930C
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09E97AC0 FindFirstFileW,FindClose,FindNextFileW,FindClose,3_2_09E97AC0
        Source: C:\ProgramData\F43.tmp, Code function: 13_2_0040227C FindFirstFileExW,13_2_0040227C
        Source: C:\ProgramData\F43.tmp, Code function: 13_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,13_2_0040152C
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09E992B8 GetLogicalDriveStringsW,3_2_09E992B8

        Networking

        Source: splwow64.exe, 00000008.00000003.2453377855.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/_rels/307.fpage.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/823417BA-4651-4C09-BAB4-D6572095D143.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2453377855.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/E59F5B1A-A9D8-4623-9937-10DF29656180.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2453377855.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"ships+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/823417BA-4651-4C09-BAB4-D6572095D143.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2453377855.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: y<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"ships+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/823417BA-4651-4C09-BAB4-D6572095D143.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2453377855.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/E2CFC4F7-F4B0-4425-96A5-1808801E9100.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2453377855.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/E2CFC4F7-F4B0-4425-96A5-1808801E9100.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2393707505.0000000001477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/7AB184D8-1066-4EA9-8034-256A80F8CD39.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2393707505.0000000001477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/7AB184D8-1066-4EA9-8034-256A80F8CD39.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2293053228.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/F21D613C-1C21-4A09-8194-338171B29DA0.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2293053228.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/F21D613C-1C21-4A09-8194-338171B29DA0.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2248686984.0000000004AA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/87D8186E-9582-4989-A684-33C9825D482F.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2248686984.0000000004AA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/87D8186E-9582-4989-A684-33C9825D482F.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionf
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionf
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionf
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/FD03C156-1E63-4C2B-9BBD-D5007F7827E3.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/FD03C156-1E63-4C2B-9BBD-D5007F7827E3.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"hips+xml" />ansform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/FD03C156-1E63-4C2B-9BBD-D5007F7827E3.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: y<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"hips+xml" />ansform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/FD03C156-1E63-4C2B-9BBD-D5007F7827E3.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/FD03C156-1E63-4C2B-9BBD-D5007F7827E3.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />s.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/F21D613C-1C21-4A09-8194-338171B29DA0.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/F21D613C-1C21-4A09-8194-338171B29DA0.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: z><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />s.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/F21D613C-1C21-4A09-8194-338171B29DA0.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Relationship Target="/Documents/1/Resources/Fonts/FD03C156-1E63-4C2B-9BBD-D5007F7827E3.odttf" Id="R1" Type="http://schemas.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/F21D613C-1C21-4A09-8194-338171B29DA0.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: </Relationships>me="/Documents/1/Pages/71.fpage" ContentType="application/vnd.ms-package.xps-fixedpage+xml" />ntticket" />ips+xml" />ansform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/FD03C156-1E63-4C2B-9BBD-D5007F7827E3.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2449693246.0000000004DD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/FD4E2657-BF1E-41B7-AA50-E47E0C667587.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2449693246.0000000004DD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/FD4E2657-BF1E-41B7-AA50-E47E0C667587.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2449693246.0000000004DD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/FD4E2657-BF1E-41B7-AA50-E47E0C667587.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2383757738.0000000001477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/8D4E5FF2-A8C1-455B-BA02-031E00125188.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2406463882.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/_rels/187.fpage.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />bfuscated-opentype" />0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/6EF990E2-9C28-40AA-B283-962C94AFC534.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2406463882.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/6EF990E2-9C28-40AA-B283-962C94AFC534.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2406463882.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/9BAD8DE1-3675-4D1E-9317-DD8EB9FF49FA.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2406463882.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Relationship Target="/Documents/1/Resources/Fonts/9BAD8DE1-3675-4D1E-9317-DD8EB9FF49FA.odttf" Id="R1" Type="http://schemas.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/9BAD8DE1-3675-4D1E-9317-DD8EB9FF49FA.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2406463882.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/2623112F-674A-49EC-B500-E6E344321EB1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2406463882.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/9BAD8DE1-3675-4D1E-9317-DD8EB9FF49FA.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2406463882.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: z><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/9BAD8DE1-3675-4D1E-9317-DD8EB9FF49FA.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2406463882.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/6EF990E2-9C28-40AA-B283-962C94AFC534.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2262620921.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/1F69142B-3448-45EB-8CBF-9DE5C1F98AE4.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2262620921.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/1F69142B-3448-45EB-8CBF-9DE5C1F98AE4.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2472403723.000000000505B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/A2962398-F6F2-4D25-AE12-EC65E90E7437.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2472403723.000000000505B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/A2962398-F6F2-4D25-AE12-EC65E90E7437.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2217456937.0000000001469000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/CE1031E5-4632-4F7F-8A85-795CDBFAA34A.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2217456937.0000000001469000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/CE1031E5-4632-4F7F-8A85-795CDBFAA34A.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2381106803.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/_rels/140.fpage.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/8D4E5FF2-A8C1-455B-BA02-031E00125188.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2381106803.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/8D4E5FF2-A8C1-455B-BA02-031E00125188.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2381106803.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/8D4E5FF2-A8C1-455B-BA02-031E00125188.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2381106803.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/_rels/142.fpage.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/8D4E5FF2-A8C1-455B-BA02-031E00125188.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2381106803.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/1127B7E7-7040-48EE-AE29-62FDE6D309D6.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2381106803.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/076E784A-77D0-44D9-9359-BA104E12EDD9.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2381106803.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <PageContent Source="/Documents/1/Pages/142.fpage" />e.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/8D4E5FF2-A8C1-455B-BA02-031E00125188.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2381106803.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 5<PageContent Source="/Documents/1/Pages/142.fpage" />e.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/8D4E5FF2-A8C1-455B-BA02-031E00125188.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2345667953.0000000001472000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/DBEF76E6-5FBB-4E7F-847E-20B472A5C496.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2345667953.0000000001472000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/DBEF76E6-5FBB-4E7F-847E-20B472A5C496.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2432248701.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/10358A55-FF94-4184-B3FC-5A20B59A335F.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2432248701.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/_rels/242.fpage.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/10358A55-FF94-4184-B3FC-5A20B59A335F.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2437382630.0000000005055000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/82C717C1-9DA9-4CCD-8824-F4050307C8FA.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2437382630.0000000005055000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/82C717C1-9DA9-4CCD-8824-F4050307C8FA.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/227.fpage" ContentType="application/vnd.ms-package.xps-fixedpage+xml" />tionships".ms-package.obfuscated-opentype" />0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/8068A07C-42B7-4AD9-8360-C91F9ABBCF76.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/8068A07C-42B7-4AD9-8360-C91F9ABBCF76.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: o<Override PartName="/Documents/1/Pages/227.fpage" ContentType="application/vnd.ms-package.xps-fixedpage+xml" />tionships".ms-package.obfuscated-opentype" />0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/8068A07C-42B7-4AD9-8360-C91F9ABBCF76.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/0B6D465A-E0DA-46CA-AEFB-1C1C7AB4EC64.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />CF76.odttf" />form="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/8068A07C-42B7-4AD9-8360-C91F9ABBCF76.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: z><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />CF76.odttf" />form="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/8068A07C-42B7-4AD9-8360-C91F9ABBCF76.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/8068A07C-42B7-4AD9-8360-C91F9ABBCF76.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: </Relationships>arget="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/0B6D465A-E0DA-46CA-AEFB-1C1C7AB4EC64.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/0B6D465A-E0DA-46CA-AEFB-1C1C7AB4EC64.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/0B6D465A-E0DA-46CA-AEFB-1C1C7AB4EC64.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"as.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/0B6D465A-E0DA-46CA-AEFB-1C1C7AB4EC64.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: y<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"as.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/0B6D465A-E0DA-46CA-AEFB-1C1C7AB4EC64.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/6EF990E2-9C28-40AA-B283-962C94AFC534.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2425272344.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/6EF990E2-9C28-40AA-B283-962C94AFC534.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2315293413.0000000004B1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2254145098.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/1732A307-3CB1-40F4-BC1A-F66F997E6816.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2254145098.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/1732A307-3CB1-40F4-BC1A-F66F997E6816.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2269279631.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/8D387AD9-82A4-4806-A4D3-487AA2133B2D.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2269279631.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/8D387AD9-82A4-4806-A4D3-487AA2133B2D.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2457251611.0000000005057000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/E4DCA80F-B8DB-41B7-BB37-869554E241B0.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2457251611.0000000005057000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/E4DCA80F-B8DB-41B7-BB37-869554E241B0.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2382750725.0000000004BF8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 6,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2382750725.0000000004BF8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: codeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2382750725.0000000004BF8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2327292688.0000000001472000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/16620DC9-4F50-47EB-924E-BF0F6A7A3711.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2327292688.0000000001472000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/16620DC9-4F50-47EB-924E-BF0F6A7A3711.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2363860000.0000000001473000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/2F45B950-42AB-48F0-B236-AF0A6FCAB3F1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2233736542.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/9BF66A2E-7D25-4C8A-9A37-A0C1653BE921.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2233736542.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/_rels/22.fpage.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />.com/xps/2005/06/required-resource" />>ill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2233736542.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2233736542.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <PageContent Source="/Documents/1/Pages/22.fpage" />Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />ips+xml" />ansform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2233736542.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 4<PageContent Source="/Documents/1/Pages/22.fpage" />Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />ips+xml" />ansform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2233736542.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/_rels/20.fpage.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />ansform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/9BF66A2E-7D25-4C8A-9A37-A0C1653BE921.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2233736542.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/9BF66A2E-7D25-4C8A-9A37-A0C1653BE921.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2233736542.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/9BF66A2E-7D25-4C8A-9A37-A0C1653BE921.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402236450.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionf
        Source: splwow64.exe, 00000008.00000003.2402236450.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionf
        Source: splwow64.exe, 00000008.00000003.2402236450.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionf
        Source: splwow64.exe, 00000008.00000003.2240669582.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/9805C170-AFD0-497D-A9D1-079C17BA071C.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2240669582.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/9805C170-AFD0-497D-A9D1-079C17BA071C.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2240669582.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/9805C170-AFD0-497D-A9D1-079C17BA071C.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2240669582.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Discard SentinelPage="/Documents/1/Pages/28.fpage" Target="/Documents/1/Resources/Fonts/9805C170-AFD0-497D-A9D1-079C17BA071C.odttf" />om/xps/2005/06/required-resource" />>ill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2240669582.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2240669582.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/9805C170-AFD0-497D-A9D1-079C17BA071C.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2240669582.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: z><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/9805C170-AFD0-497D-A9D1-079C17BA071C.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2240669582.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/_rels/27.fpage.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />ansform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/9805C170-AFD0-497D-A9D1-079C17BA071C.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2214726603.00000000035B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/1DC1F7F7-7E35-4B3D-9F91-B285F3385A16.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2334506509.0000000001472000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/29B8C66C-1628-4068-A987-389C6D6515D6.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2334506509.0000000001472000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/29B8C66C-1628-4068-A987-389C6D6515D6.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2479084600.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Relationship Target="/Documents/1/Resources/Fonts/1B2CD30A-4A46-41F5-8871-57B78BF15C43.odttf" Id="R1" Type="http://schemas.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/A2962398-F6F2-4D25-AE12-EC65E90E7437.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2479084600.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/A2962398-F6F2-4D25-AE12-EC65E90E7437.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2479084600.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/51F410AA-734C-49D1-A1DE-6823564872A3.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2479084600.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/1B2CD30A-4A46-41F5-8871-57B78BF15C43.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2479084600.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/1B2CD30A-4A46-41F5-8871-57B78BF15C43.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2479084600.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: y<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/1B2CD30A-4A46-41F5-8871-57B78BF15C43.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2479084600.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/1B2CD30A-4A46-41F5-8871-57B78BF15C43.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2444274572.0000000005055000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/A0249FD8-4F90-41EC-81EE-A3AD06545361.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2444274572.0000000005055000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/A0249FD8-4F90-41EC-81EE-A3AD06545361.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2367957435.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/39D022F7-1739-4C91-8887-FFAE4A6DC3AD.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2367957435.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/39D022F7-1739-4C91-8887-FFAE4A6DC3AD.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2367957435.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/39D022F7-1739-4C91-8887-FFAE4A6DC3AD.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2367957435.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Relationship Target="/Documents/1/Resources/Fonts/39D022F7-1739-4C91-8887-FFAE4A6DC3AD.odttf" Id="R1" Type="http://schemas.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/39D022F7-1739-4C91-8887-FFAE4A6DC3AD.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2367957435.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <PageContent Source="/Documents/1/Pages/127.fpage" />d="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/2F45B950-42AB-48F0-B236-AF0A6FCAB3F1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2367957435.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/2F45B950-42AB-48F0-B236-AF0A6FCAB3F1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2367957435.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 5<PageContent Source="/Documents/1/Pages/127.fpage" />d="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/2F45B950-42AB-48F0-B236-AF0A6FCAB3F1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2367957435.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/2F45B950-42AB-48F0-B236-AF0A6FCAB3F1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2412471779.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionf
        Source: splwow64.exe, 00000008.00000003.2412471779.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionf
        Source: splwow64.exe, 00000008.00000003.2412471779.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionf
        Source: splwow64.exe, 00000008.00000003.2400472764.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionf
        Source: splwow64.exe, 00000008.00000003.2400472764.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionf
        Source: splwow64.exe, 00000008.00000003.2400472764.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionfz)
        Source: splwow64.exe, 00000008.00000003.2225302001.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2225302001.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2225302001.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2225302001.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: z><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2225302001.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/_rels/16.fpage.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />ansform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2225302001.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2214611072.000000000145F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/1DC1F7F7-7E35-4B3D-9F91-B285F3385A16.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2214611072.000000000145F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/1DC1F7F7-7E35-4B3D-9F91-B285F3385A16.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2214611072.000000000145F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/1DC1F7F7-7E35-4B3D-9F91-B285F3385A16.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2288497340.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/A1F87993-EE1A-45EA-81F3-902376E1C2AA.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2288497340.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/A1F87993-EE1A-45EA-81F3-902376E1C2AA.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2448145711.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/096FD52E-09F1-428D-8AE5-AE7E37242002.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2448145711.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/1CC6794F-4E2F-45A7-AFDD-9A549F4F2C9E.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2448145711.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/292.fpage" ContentType="application/vnd.ms-package.xps-fixedpage+xml" />e.relationships+xml" />bfuscated-opentype" />red-resource" />ill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/B1617CD3-CD0E-4B28-A47C-05B30D2AA76A.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2448145711.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/B1617CD3-CD0E-4B28-A47C-05B30D2AA76A.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2429184116.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <PageContent Source="/Documents/1/Pages/236.fpage" />67891E-F466-40A8-B62D-E355DA83B56D.odttf" Id="R1" Type="http://schemas.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/0B6D465A-E0DA-46CA-AEFB-1C1C7AB4EC64.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2429184116.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/0B6D465A-E0DA-46CA-AEFB-1C1C7AB4EC64.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2429184116.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 5<PageContent Source="/Documents/1/Pages/236.fpage" />67891E-F466-40A8-B62D-E355DA83B56D.odttf" Id="R1" Type="http://schemas.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/0B6D465A-E0DA-46CA-AEFB-1C1C7AB4EC64.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2429184116.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"as.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/2767891E-F466-40A8-B62D-E355DA83B56D.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2429184116.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: y<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"as.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/2767891E-F466-40A8-B62D-E355DA83B56D.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2429184116.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/6EF990E2-9C28-40AA-B283-962C94AFC534.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2429184116.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/6EF990E2-9C28-40AA-B283-962C94AFC534.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342187997.0000000004B8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 1,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342187997.0000000004B8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342187997.0000000004B8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2357930925.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 6,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2357930925.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: codeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2357930925.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Relationship Target="/Documents/1/Resources/Fonts/2623112F-674A-49EC-B500-E6E344321EB1.odttf" Id="R1" Type="http://schemas.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/6A30C6E1-8150-43A8-A734-2E7BA577999F.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/6A30C6E1-8150-43A8-A734-2E7BA577999F.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/2623112F-674A-49EC-B500-E6E344321EB1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/2623112F-674A-49EC-B500-E6E344321EB1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: z><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/2623112F-674A-49EC-B500-E6E344321EB1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/175.fpage" ContentType="application/vnd.ms-package.xps-fixedpage+xml" />tionships"as.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/0302EEB8-071A-4BB9-AEC7-0CF3D5355D08.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/0302EEB8-071A-4BB9-AEC7-0CF3D5355D08.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: o<Override PartName="/Documents/1/Pages/175.fpage" ContentType="application/vnd.ms-package.xps-fixedpage+xml" />tionships"as.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/0302EEB8-071A-4BB9-AEC7-0CF3D5355D08.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/2623112F-674A-49EC-B500-E6E344321EB1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <PageContent Source="/Documents/1/Pages/177.fpage" />e.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/2623112F-674A-49EC-B500-E6E344321EB1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 5<PageContent Source="/Documents/1/Pages/177.fpage" />e.rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/2623112F-674A-49EC-B500-E6E344321EB1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/6A30C6E1-8150-43A8-A734-2E7BA577999F.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/2623112F-674A-49EC-B500-E6E344321EB1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2467300458.0000000005059000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/8958906A-BD67-4815-A8FE-8AFA4C31A39D.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2467300458.0000000005059000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/8958906A-BD67-4815-A8FE-8AFA4C31A39D.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2240497511.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/9805C170-AFD0-497D-A9D1-079C17BA071C.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2240497511.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/9805C170-AFD0-497D-A9D1-079C17BA071C.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2209126260.000000000145E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2470685406.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Override PartName="/Documents/1/Pages/362.fpage" ContentType="application/vnd.ms-package.xps-fixedpage+xml" />tticket" />hips+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/39510E9B-45ED-412D-A6F4-47BE31A9EB26.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2470685406.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/39510E9B-45ED-412D-A6F4-47BE31A9EB26.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2470685406.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: o<Override PartName="/Documents/1/Pages/362.fpage" ContentType="application/vnd.ms-package.xps-fixedpage+xml" />tticket" />hips+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/39510E9B-45ED-412D-A6F4-47BE31A9EB26.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2470685406.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/E2CFC4F7-F4B0-4425-96A5-1808801E9100.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2470685406.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/E2CFC4F7-F4B0-4425-96A5-1808801E9100.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342315033.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Relationship Target="/Documents/1/Resources/Fonts/AD3F7CA2-A3A1-4F2C-93C7-0CFB128573C7.odttf" Id="R1" Type="http://schemas.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/AD3F7CA2-A3A1-4F2C-93C7-0CFB128573C7.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342315033.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/AD3F7CA2-A3A1-4F2C-93C7-0CFB128573C7.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342315033.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hips+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/AD3F7CA2-A3A1-4F2C-93C7-0CFB128573C7.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342315033.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: z><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hips+xml" />nsform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/AD3F7CA2-A3A1-4F2C-93C7-0CFB128573C7.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342315033.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/AD3F7CA2-A3A1-4F2C-93C7-0CFB128573C7.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342315033.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"mas.microsoft.com/xps/2005/06/required-resource" />ill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/16620DC9-4F50-47EB-924E-BF0F6A7A3711.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342315033.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/16620DC9-4F50-47EB-924E-BF0F6A7A3711.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342315033.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: y<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"mas.microsoft.com/xps/2005/06/required-resource" />ill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/16620DC9-4F50-47EB-924E-BF0F6A7A3711.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342315033.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/AD3F7CA2-A3A1-4F2C-93C7-0CFB128573C7.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2342315033.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/16620DC9-4F50-47EB-924E-BF0F6A7A3711.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2429918156.0000000005053000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/2767891E-F466-40A8-B62D-E355DA83B56D.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2429918156.0000000005053000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/2767891E-F466-40A8-B62D-E355DA83B56D.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2265375533.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Relationship Target="/Documents/1/Resources/Fonts/1F69142B-3448-45EB-8CBF-9DE5C1F98AE4.odttf" Id="R1" Type="http://schemas.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/1F69142B-3448-45EB-8CBF-9DE5C1F98AE4.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2265375533.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/1F69142B-3448-45EB-8CBF-9DE5C1F98AE4.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2265375533.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/1F69142B-3448-45EB-8CBF-9DE5C1F98AE4.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2265375533.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/1F69142B-3448-45EB-8CBF-9DE5C1F98AE4.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2265375533.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: z><Relationship Target="/Metadata/MXDC_Empty_PT.xml" Id="R0" Type="http://schemas.microsoft.com/xps/2005/06/printticket" />hs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/1F69142B-3448-45EB-8CBF-9DE5C1F98AE4.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2265375533.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">ips+xml" />/>om/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/1732A307-3CB1-40F4-BC1A-F66F997E6816.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2265375533.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/1732A307-3CB1-40F4-BC1A-F66F997E6816.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2265375533.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: y<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">ips+xml" />/>om/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/1732A307-3CB1-40F4-BC1A-F66F997E6816.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2265375533.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/1732A307-3CB1-40F4-BC1A-F66F997E6816.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: splwow64.exe, 00000008.00000003.2325204306.0000000004B1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: " UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion"
        Source: splwow64.exe, 00000008.00000003.2421052251.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Relationship Target="/Documents/1/Resources/Fonts/D322552D-E570-4CDA-AECB-6B4D8E632C96.odttf" Id="R1" Type="http://schemas.microsoft.com/xps/2005/06/required-resource" />Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/674A2903-A025-42D4-AEF9-2CADC5BF9B96.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2421052251.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/674A2903-A025-42D4-AEF9-2CADC5BF9B96.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2421052251.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"ships+xml" />/>form="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/688A06AC-D247-4E5C-BD72-FBCE70912707.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2421052251.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9865.76 L 11982.7,9865.76 11982.7,10249.4 0,10249.4 z" FontUri="/Documents/1/Resources/Fonts/688A06AC-D247-4E5C-BD72-FBCE70912707.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="10167.5" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;144,54;617,55;138,55;621,55;132,54;135,55;617,55;133,55;144,54;147,55;146,55;152,55;144,54;133,55;155,55;138,54;140,55;619,55;148,55;137,54;143,55;144,55;153,55;144,54;619,55;619,55;621,55;618,54;618,55;138,55;144,55;156,54;156,55;143,55;150,55;154,54;134,55;152,55;140,55;145,54;147,55;142,55;146,55;622,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion" />
        Source: splwow64.exe, 00000008.00000003.2421052251.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: y<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"ships+xml" />/>form="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,9482.08 L 11982.7,9482.08 11982.7,9865.76 0,9865.76 z" FontUri="/Documents/1/Resources/Fonts/688A06AC-D247-4E5C-BD72-FBCE70912707.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="9783.84" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;149,55;151,55;146,55;131,54;622,55;135,55;618,55;132,54;619,55;146,55;141,55;144,54;619,55;143,55;137,55;141,54;137,55;145,55;140,54;148,55;142,55;620,55;139,54;147,55;137,55;154,55;617,54;619,55;133,55;142,55;132,54;156,55;133,55;619,55;154,54;143,55;622,55;139,55;621,54;140,55;135,55;135,55;150,54;149,55;139,55;131,55;618,54;147,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion" />
        Source: splwow64.exe, 00000008.00000003.2421052251.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" Clip="M 0,7947.36 L 11982.7,7947.36 11982.7,8331.04 0,8331.04 z" FontUri="/Documents/1/Resources/Fonts/D322552D-E570-4CDA-AECB-6B4D8E632C96.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="0" OriginY="8249.12" Indices="138,55;150,54;150,55;146,55;347,55;373,54;373,55;142,55;145,55;133,54;141,55;132,55;139,55;150,54;131,55;146,55;150,55;617,54;155,55;136,55;132,55;150,54;622,55;142,55;133,55;138,54;154,55;135,55;140,55;151,54;137,55;619,55;622,54;141,55;143,55;147,55;152,54;147,55;147,55;154,55;152,54;152,55;140,55;146,55;147,54;141,55;143,55;135,55;152,54;152,55;619,55;142,55;618,54;131,55;156,55;142,55;618,54;137,55;155,55;621,55;146,54;155,55;134,55;348,55;145,54;144,55;139,55;145,55;144" UnicodeString="http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion" />
        Source: powershell.exe, 00000003.00000002.2629857137.0000000009990000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
        Source: splwow64.exe, 00000008.00000003.2472842268.0000000004EBD000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2331737943.0000000004ACE000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2449795978.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2248830161.0000000004A78000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2398153935.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2337816170.0000000004B0B000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2453668627.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2240109808.0000000004A90000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2474969184.0000000004EBD000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2357930925.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2275309590.0000000004AE5000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2395698836.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2295675579.0000000004AE3000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2320561011.0000000004B1F000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2270400675.0000000004AE5000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2325204306.0000000004B1F000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2341993618.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2363150286.0000000004B1F000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2404223227.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 
00000008.00000003.2485384649.0000000004EBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
        Source: splwow64.exe, 00000008.00000003.2248830161.0000000004A78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com-0
        Source: splwow64.exe, 00000008.00000003.2476813346.0000000004EBD000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2414386976.0000000004C32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com.piece
        Source: splwow64.exe, 00000008.00000003.2275309590.0000000004AE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com5
        Source: splwow64.exe, 00000008.00000003.2320561011.0000000004B1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com:D
        Source: splwow64.exe, 00000008.00000003.2240109808.0000000004A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.compiece4
        Source: splwow64.exe, 00000008.00000003.2375124629.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2396827943.0000000001477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitapt.uz
        Source: splwow64.exe, 00000008.00000003.2280269124.000000000352D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2375124629.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
        Source: powershell.exe, 00000003.00000002.2552528265.0000000003168000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion%4
        Source: powershell.exe, 00000003.00000002.2552528265.0000000003168000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionc
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2389572139.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2199562963.0000000003590000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2402236450.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2358318327.00000000035B0000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2412471779.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2220609933.000000000352D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2398153935.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2367957435.00000000035B0000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2408491547.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2414386976.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2198887449.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionf
        Source: splwow64.exe, 00000008.00000003.2400472764.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionfz)
        Source: powershell.exe, 00000003.00000002.2552528265.0000000003168000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionn4?
        Source: splwow64.exe, 00000008.00000003.2280269124.000000000352D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2410386712.0000000001477000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2375124629.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2396827943.0000000001477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
        Source: powershell.exe, 00000003.00000002.2552528265.0000000003168000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion04
        Source: powershell.exe, 00000003.00000002.2601716761.00000000079BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion3Lps
        Source: powershell.exe, 00000003.00000002.2552528265.0000000003168000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionHC
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2389572139.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2199562963.0000000003590000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2402236450.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2358318327.00000000035B0000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2412471779.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2400472764.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2220609933.000000000352D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2398153935.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2367957435.00000000035B0000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2408491547.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2414386976.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2198887449.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionf
        Source: splwow64.exe, 00000008.00000003.2375124629.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2396827943.0000000001477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
        Source: splwow64.exe, 00000008.00000003.2300840488.000000000352D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2389572139.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2199562963.0000000003590000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2402236450.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2358318327.00000000035B0000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2412471779.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2400472764.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2220609933.000000000352D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2398153935.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2367957435.00000000035B0000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2408491547.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2414386976.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2198887449.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionf
        Source: powershell.exe, 00000003.00000002.2552528265.0000000003168000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionugJ5
        Source: splwow64.exe, 00000008.00000003.2375124629.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2396827943.0000000001477000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2485384649.0000000004EBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupp.uz
        Source: splwow64.exe, 00000008.00000003.2295675579.0000000004AE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupp.uz2
        Source: splwow64.exe, 00000008.00000003.2240836226.0000000004A91000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2240109808.0000000004A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupp.uz:
        Source: splwow64.exe, 00000008.00000003.2474969184.0000000004EBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupp.uzast.piece
        Source: splwow64.exe, 00000008.00000003.2414386976.0000000004C32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupp.uzast.piece/HI
        Source: splwow64.exe, 00000008.00000003.2248830161.0000000004A78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupp.uzceH
        Source: splwow64.exe, 00000008.00000003.2300670324.0000000004B1F000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2325204306.0000000004B1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupp.uzece
        Source: splwow64.exe, 00000008.00000003.2389572139.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2462124073.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2460294018.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2458593177.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2375124629.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lockbitsupp.uzz
        Source: powershell.exe, 00000000.00000002.2056994806.000001781A339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2127901587.0000017828D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2583323436.0000000006356000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000003.00000002.2559581107.00000000054AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: splwow64.exe, 00000008.00000003.2481396783.000000000505A000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2478345004.000000000505A000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2480406126.000000000505A000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2479740035.000000000505A000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2483279631.000000000505A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microsoQ(
        Source: splwow64.exe, 00000008.00000003.2484077643.00000000014A2000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2422806270.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2276180750.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2195994020.000000000148D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2335399445.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2204991925.0000000001496000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2217074916.00000000014A4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2364264878.00000000014AE000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2226736397.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2365932201.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2388663242.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2200863954.0000000001491000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2224655578.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2212943924.000000000149A000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2222028580.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2197110953.0000000001488000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.open
        Source: splwow64.exe, 00000008.00000003.2484077643.00000000014A2000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2422806270.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2276180750.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2195994020.000000000148D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2335399445.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2204991925.0000000001496000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2217074916.00000000014A4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2364264878.00000000014AE000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2226736397.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2365932201.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2388663242.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2200863954.0000000001491000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2224655578.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2212943924.000000000149A000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2222028580.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2197110953.0000000001488000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.openformatrg/package/2006/r
        Source: powershell.exe, 00000003.00000002.2559581107.00000000054AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: powershell.exe, 00000000.00000002.2056994806.0000017818AA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2559581107.00000000051E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000003.00000002.2559581107.00000000054AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: powershell.exe, 00000000.00000002.2056994806.0000017819DCE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: powershell.exe, 00000003.00000002.2559581107.00000000054AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: splwow64.exe, 00000008.00000003.2248830161.0000000004A78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.example.cb
        Source: powershell.exe, 00000000.00000002.2148047917.0000017831200000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2601716761.0000000007A18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
        Source: powershell.exe, 00000003.00000002.2629857137.00000000099C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coD
        Source: powershell.exe, 00000000.00000002.2056994806.0000017818AA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000003.00000002.2559581107.00000000051E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
        Source: powershell.exe, 00000003.00000002.2559581107.00000000054AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
        Source: powershell.exe, 00000003.00000002.2583323436.0000000006356000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000003.00000002.2583323436.0000000006356000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000003.00000002.2583323436.0000000006356000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000003.00000002.2559581107.00000000054AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000000.00000002.2056994806.000001781A339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2127901587.0000017828D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2583323436.0000000006356000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: powershell.exe, 00000000.00000002.2056994806.0000017819DCE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
        Source: powershell.exe, 00000000.00000002.2056994806.0000017819DCE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
        Source: powershell.exe, 00000003.00000002.2629857137.0000000009AD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/hashtag/lockbi0

        Spam, unwanted Advertisements and Ransom Demands

        Source: C:\Users\user\Documents\EIVQSAOTAQ\R4SZPhslZ.README.txt Dropped file: ~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~>>>>> You must pay us.Tor Browser Links BLOG where the stolen infortmation will be published:( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/>>>>> What is the guarantee that we won't scam you? We are the oldest extortion gang on the planet and nothing is more important to us than our reputation. We are not a politically motivated group and want nothing but financial rewards for our work. If we defraud even one client, other clients will not pay us. In 5 years, not a single client has been left dissatisfied after making a deal with us. If you pay the ransom, we will fulfill all the terms we agreed upon during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators' salaries. You can get more information about us on Elon Musk's Twitter at https://twitter.com/hashtag/lockbit?f=live.>>>>> Warning! 
Do not delete or modify encrypted files, it will lead to irreversible problems with decryption of files!>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. They will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> When buying bitcoin, do not tell anyone the true purpose of the purchase. Some brokers, especially in the US, do not allow you to buy bitcoin to pay ransom. Communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for Donald Trump to win the election, buying bitcoin to participate in ICO and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. Also you can use adequate cryptocurrency brokers who do not ask questions for what you buy cryptocurrency.>>>>> After buying cryptocurrency from a broker, store the cryptocurrency on a
        Source: Yara match File source: 00000003.00000002.2629857137.0000000009A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000002.2583323436.0000000006662000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\R4SZPhslZ.bmp
        Source: powershell.exe, 00000003.00000002.2647795602.000000000A164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encrypted
        Source: powershell.exe, 00000003.00000002.2647795602.000000000A164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encryptedI
        Source: powershell.exe, 00000003.00000002.2647795602.000000000A164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encrypteds7
        Source: powershell.exe, 00000003.00000002.2647795602.000000000A164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encrypted=
        Source: powershell.exe, 00000003.00000002.2647795602.000000000A164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encrypteds
        Source: powershell.exe, 00000003.00000002.2647559755.000000000A150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encrypted
        Source: powershell.exe, 00000003.00000002.2603019214.0000000007A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: All your important files are stolen and encrypted!
        Source: powershell.exe, 00000003.00000002.2629857137.0000000009990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encrypted
        Source: splwow64.exe, 00000008.00000003.2453377855.000000000352D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/823417BA-4651-4C09-BAB4-D6572095D143.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2331737943.0000000004ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encrypted
        Source: splwow64.exe, 00000008.00000003.2248830161.0000000004A78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encrypted\
        Source: splwow64.exe, 00000008.00000003.2248830161.0000000004A78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encryptedls
        Source: splwow64.exe, 00000008.00000003.2476813346.0000000004DE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encrypted
        Source: splwow64.exe, 00000008.00000003.2476813346.0000000004DE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encryptedeg
        Source: splwow64.exe, 00000008.00000003.2337816170.0000000004B0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encryptedek;
        Source: splwow64.exe, 00000008.00000003.2452082533.0000000004DE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encrypted
        Source: splwow64.exe, 00000008.00000003.2452082533.0000000004DE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Your data are stolen and encryptedels
        Source: splwow64.exe, 00000008.00000003.2367957435.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/2F45B950-42AB-48F0-B236-AF0A6FCAB3F1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2225302001.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/F3CB5E6F-416B-4693-A1D7-9E97F419DCA5.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2448145711.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/096FD52E-09F1-428D-8AE5-AE7E37242002.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2448145711.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/1CC6794F-4E2F-45A7-AFDD-9A549F4F2C9E.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2448145711.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/E2CFC4F7-F4B0-4425-96A5-1808801E9100.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2448145711.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/B1617CD3-CD0E-4B28-A47C-05B30D2AA76A.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2205718539.00000000035B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/1DC1F7F7-7E35-4B3D-9F91-B285F3385A16.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2461792367.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/0BF688F5-7673-4516-B8BC-054617ADE728.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2461792367.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/05A6C7D0-72A7-4F19-B34E-6026FC9AE9AF.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2461792367.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/F8566DD7-01D3-427B-9D9B-57AB2F9D7F7D.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2220609933.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/CE1031E5-4632-4F7F-8A85-795CDBFAA34A.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2398153935.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : 54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2220770349.0000000004A6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/CE1031E5-4632-4F7F-8A85-795CDBFAA34A.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2452082533.0000000004DD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/E59F5B1A-A9D8-4623-9937-10DF29656180.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2337816170.0000000004B6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : Your data are stolen and encryptedRELS
        Source: splwow64.exe, 00000008.00000003.2429184116.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/2767891E-F466-40A8-B62D-E355DA83B56D.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2429184116.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/396D6283-3324-46B9-A51B-4DDE14FECE74.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2342187997.0000000004B8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : codeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2357930925.0000000004BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : 54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2358270800.0000000004B0B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : Your data are stolen and encrypted\
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/2623112F-674A-49EC-B500-E6E344321EB1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2402034560.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/6A30C6E1-8150-43A8-A734-2E7BA577999F.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2463304786.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/2F27D4B0-496C-47C2-9FF3-D861774C315A.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2463304786.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/0BF688F5-7673-4516-B8BC-054617ADE728.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2463304786.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/F8566DD7-01D3-427B-9D9B-57AB2F9D7F7D.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2440753247.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/E2CFC4F7-F4B0-4425-96A5-1808801E9100.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2440753247.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/0856FD13-4326-4CBA-A06B-B6BD3B514FD1.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2470685406.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/39510E9B-45ED-412D-A6F4-47BE31A9EB26.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2470685406.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/502FC277-1F0E-4096-9705-987F2A570A66.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2342315033.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/AD3F7CA2-A3A1-4F2C-93C7-0CFB128573C7.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2342315033.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/16620DC9-4F50-47EB-924E-BF0F6A7A3711.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2265375533.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/1F69142B-3448-45EB-8CBF-9DE5C1F98AE4.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2265375533.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/1732A307-3CB1-40F4-BC1A-F66F997E6816.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2295675579.0000000004AE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : Your data are stolen and encrypted
        Source: splwow64.exe, 00000008.00000003.2295675579.0000000004AE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : codeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2320561011.0000000004B1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : ;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2320561011.0000000004B1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : Your data are stolen and encrypted1889`
        Source: splwow64.exe, 00000008.00000003.2315587652.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/368C76CA-93D5-485A-B2CA-89A7E6C2D5A8.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2315587652.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/D22EA2DF-50D6-4565-8ED0-517B9A31453C.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2442195901.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/E2CFC4F7-F4B0-4425-96A5-1808801E9100.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2442195901.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/3D444D23-14F4-427C-8B7C-48EC42CFC0EF.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2439424685.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/58F97CBC-AE39-4790-AF87-AB9ABB3B6893.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2439424685.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/E2CFC4F7-F4B0-4425-96A5-1808801E9100.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2325204306.0000000004B1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : ;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2325204306.0000000004B1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : Your data are stolen and encrypted
        Source: splwow64.exe, 00000008.00000003.2421052251.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/D322552D-E570-4CDA-AECB-6B4D8E632C96.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2415816466.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/CD22382E-72FE-4840-84DC-D13B3A68753B.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2415816466.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/674A2903-A025-42D4-AEF9-2CADC5BF9B96.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2358318327.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/E4B15560-1144-49E1-A2F0-A6F072E57358.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: splwow64.exe, 00000008.00000003.2358318327.000000000352D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory : <Glyphs RenderTransform="0.062437,-0,0,0.0625521,0,0" Fill="#ff000000" FontUri="/Documents/1/Resources/Fonts/DBEF76E6-5FBB-4E7F-847E-20B472A5C496.odttf" FontRenderingEmSize="327.68" StyleSimulations="None" OriginX="3139.2" OriginY="7098.08" Indices="28,55;145,54;151,55;148,55;3,55;134,54;131,55;150,55;131,55;3,54;131,55;148,55;135,55;3,54;149,55;150,55;145,55;142,54;135,55;144,55;3,55;131,54;144,55;134,55;3,55;135,54;144,55;133,55;148,55;155,54;146,55;150,55;135,54;134" UnicodeString="Your data are stolen and encrypted" />
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile moved: C:\Users\user\Desktop\EFOYFBOLXA\EOWRVPQCCS.mp3Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile moved: C:\Users\user\Desktop\TQDFJHPUIU.jpgJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile moved: C:\Users\user\Desktop\EIVQSAOTAQ.jpgJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile moved: C:\Users\user\Desktop\EOWRVPQCCS.xlsxJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile moved: C:\Users\user\Desktop\EWZCVGNOWT.pdfJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\Users\user\Documents\EIVQSAOTAQ\R4SZPhslZ.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\Users\user\Documents\EFOYFBOLXA\R4SZPhslZ.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\R4SZPhslZ.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\Users\R4SZPhslZ.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\Users\user\R4SZPhslZ.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\Users\user\Videos\R4SZPhslZ.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\Users\user\Desktop\ZIPXYXWIOY\R4SZPhslZ.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\Users\user\Desktop\ZGGKNSUKOP\R4SZPhslZ.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\Users\user\Searches\R4SZPhslZ.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File dropped: C:\Users\user\Saved Games\R4SZPhslZ.README.txt -> decryption of files!>>>>> don't go to the police or the fbi for help and don't tell anyone that we attacked you. they will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die.>>>>> when buying bitcoin, do not tell anyone the true purpose of the purchase. some brokers, especially in the us, do not allow you to buy bitcoin to pay ransom. communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, cryptocurrency donations for donald trump to win the election, buying bitcoin to participate in ico and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. also you can use adequate cryptocurrency brokers who do not a

        System Summary

        Source: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
        Source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detection for Invoke-Mimikatz Author: unknown
        Source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
        Source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
        Source: 00000003.00000002.2583323436.0000000006662000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
        Source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR Matched rule: Detection for Invoke-Mimikatz Author: unknown
        Source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR Matched rule: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
        Source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR Matched rule: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
        Source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\F43.tmp
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9CDF0 NtSetInformationThread,3_2_09E9CDF0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9B5D0 NtQuerySystemInformation,3_2_09E9B5D0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9AD80 RtlAdjustPrivilege,NtSetInformationThread,3_2_09E9AD80
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9D0A8 NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,3_2_09E9D0A8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E99C7C NtQuerySystemInformation,3_2_09E99C7C
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9CFE8 NtQueryInformationToken,3_2_09E9CFE8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9FBB8 NtTerminateProcess,3_2_09E9FBB8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E98AFC NtQueryInformationToken,3_2_09E98AFC
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E99EDC NtQueryDefaultUILanguage,3_2_09E99EDC
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9D660 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtWriteVirtualMemory,NtDuplicateObject,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,3_2_09E9D660
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E98614 NtSetInformationThread,3_2_09E98614
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9AD7E RtlAdjustPrivilege,NtSetInformationThread,3_2_09E9AD7E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E99CC7 NtQuerySystemInformation,3_2_09E99CC7
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E99CAE NtQuerySystemInformation,3_2_09E99CAE
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E99C7A NtQuerySystemInformation,3_2_09E99C7A
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9B622 NtQuerySystemInformation,3_2_09E9B622
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9B609 NtQuerySystemInformation,3_2_09E9B609
        Source: C:\ProgramData\F43.tmp Code function: 13_2_00402760 CreateFileW,ReadFile,NtClose,13_2_00402760
        Source: C:\ProgramData\F43.tmp Code function: 13_2_0040286C NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,13_2_0040286C
        Source: C:\ProgramData\F43.tmp Code function: 13_2_00402F18 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW,13_2_00402F18
        Source: C:\ProgramData\F43.tmp Code function: 13_2_0040362E GetLogicalDriveStringsW,GetDriveTypeW,CreateThread,NtClose,Sleep,13_2_0040362E
        Source: C:\ProgramData\F43.tmp Code function: 13_2_00401DC2 NtProtectVirtualMemory,13_2_00401DC2
        Source: C:\ProgramData\F43.tmp Code function: 13_2_00401D94 NtSetInformationThread,13_2_00401D94
        Source: C:\ProgramData\F43.tmp Code function: 13_2_004016B4 NtAllocateVirtualMemory,NtAllocateVirtualMemory,13_2_004016B4
        Source: C:\ProgramData\F43.tmp Code function: 13_2_004032E8: SetThreadPriority,GetDiskFreeSpaceW,GetDiskFreeSpaceExW,GetTempFileNameW,CreateFileW,DeviceIoControl,CreateIoCompletionPort,13_2_004032E8
        Source: C:\Windows\splwow64.exe File created: C:\Windows\system32\spool\PRINTERS\00002.SPL
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E99EDC 3_2_09E99EDC
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09EA04DC 3_2_09EA04DC
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E970B4 3_2_09E970B4
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E96BA4 3_2_09E96BA4
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E96B9F 3_2_09E96B9F
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09F23480 3_2_09F23480
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09F408C8 3_2_09F408C8
        Source: Joe Sandbox View Dropped File: C:\ProgramData\F43.tmp 917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Security
        Source: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
        Source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23
        Source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28
        Source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8
        Source: 00000003.00000002.2583323436.0000000006662000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
        Source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23
        Source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28
        Source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8
        Source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: F43.tmp.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winPS1@10/164@0/0
        Source: C:\ProgramData\F43.tmp Code function: 13_2_004032E8 SetThreadPriority,GetDiskFreeSpaceW,GetDiskFreeSpaceExW,GetTempFileNameW,CreateFileW,DeviceIoControl,CreateIoCompletionPort,13_2_004032E8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1f9fd7d5b2844adb0946f9e123528d7c
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
        Source: C:\ProgramData\F43.tmp Mutant created: \Sessions\1\BaseNamedObjects\Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pej2rzpy.1cd.ps1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: lZyN9NTrS2.ps1 ReversingLabs: Detection: 31%
        Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lZyN9NTrS2.ps1"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\lZyN9NTrS2.ps1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\ProgramData\F43.tmp "C:\ProgramData\F43.tmp"
        Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{0ABB2406-12BC-4E6C-8C0C-B2880C04A53C}.xps" 133794276123940000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wtsapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rstrtmgr.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: samcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: logoncli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: activeds.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscms.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: coloradapterclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\ProgramData\F43.tmpSection loaded: apphelp.dllJump to behavior
        Source: C:\ProgramData\F43.tmpSection loaded: rstrtmgr.dllJump to behavior
        Source: C:\ProgramData\F43.tmpSection loaded: ncrypt.dllJump to behavior
        Source: C:\ProgramData\F43.tmpSection loaded: ntasn1.dllJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
        Source: F43.tmp.3.drStatic PE information: real checksum: 0x8fd0 should be: 0x4f26
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_04C98587 push ebx; iretd 3_2_04C9875E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_04C9866D push ebx; iretd 3_2_04C9875E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_04C9875F push ebx; iretd 3_2_04C98762
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_04C98764 push ebx; iretd 3_2_04C9875E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_04C99CE8 pushfd ; iretw 3_2_04C99CE9
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_04C99D2C pushad ; iretd 3_2_04C99D2D
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09E9546F push 0000006Ah; retf 3_2_09E954E0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09E95471 push 0000006Ah; retf 3_2_09E954E0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09E95408 push 0000006Ah; retf 3_2_09E954E0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09E98012 pushfd ; iretd 3_2_09E98016
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09EDB35D push 8BD68B50h; iretd 3_2_09EDB362
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F2E19A push 7C00005Eh; iretd 3_2_09F2E199
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F2E162 push 7C00005Eh; iretd 3_2_09F2E199
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F2B8B2 push C800005Eh; retf 3_2_09F2B8D1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F2B8A2 push eax; retf 3_2_09F2B8B1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F2287D pushad ; iretd 3_2_09F22891
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F2286D push eax; iretd 3_2_09F22871
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F2DBC8 push 7C00005Eh; iretd 3_2_09F2E199
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F2F490 pushad ; ret 3_2_09F2F443
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F2F430 pushad ; ret 3_2_09F2F443
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F2B78C push 7000005Eh; ret 3_2_09F2B791
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F2B77C push 3400005Eh; ret 3_2_09F2B781
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F48743 push ss; iretd 3_2_09F48745
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F4873F push ss; iretd 3_2_09F48740
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F45023 push 8BD68B50h; iretd 3_2_09F45028
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09F80AC0 push eax; ret 3_2_09F80EF3
        Source: F43.tmp.3.dr, Static PE information: section name: .text entropy: 7.985216639497568
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\ProgramData\F43.tmp (dropped file)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Videos\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Searches\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Saved Games\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Recent\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Pictures\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Pictures\Saved Pictures\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Pictures\Camera Roll\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\OneDrive\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Music\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Links\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Favorites\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Favorites\Links\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Downloads\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Documents\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Documents\ZIPXYXWIOY\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Documents\ZGGKNSUKOP\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Documents\QCOILOQIKC\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Documents\LFOPODGVOH\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Documents\GRXZDKKVDB\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Documents\EIVQSAOTAQ\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Documents\EFOYFBOLXA\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Documents\BJZFPPWAPT\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Documents\AQRFEVRTGL\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Desktop\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Desktop\ZIPXYXWIOY\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Desktop\ZGGKNSUKOP\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Desktop\QCOILOQIKC\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Desktop\LFOPODGVOH\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Desktop\GRXZDKKVDB\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Desktop\EIVQSAOTAQ\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Desktop\EFOYFBOLXA\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Desktop\BJZFPPWAPT\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Desktop\AQRFEVRTGL\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Contacts\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\3D Objects\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\.ms-ad\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\$WinREAgent\R4SZPhslZ.README.txt
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\$WinREAgent\Scratch\R4SZPhslZ.README.txt

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_09E9AFE0 RegCreateKeyExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,RegCreateKeyExW,OpenEventLogW,ClearEventLogW,3_2_09E9AFE0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
        Source: C:\ProgramData\F43.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9108C 3_2_09E9108C
        Source: C:\ProgramData\F43.tmp Code function: 13_2_00401E28 13_2_00401E28
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9108C rdtsc 3_2_09E9108C
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3410
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1999
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7558
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2068
        Source: C:\ProgramData\F43.tmp Window / User API: threadDelayed 363
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5408 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4956 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6648 Thread sleep time: -6456360425798339s >= -30000s
        Source: C:\ProgramData\F43.tmp TID: 1396 Thread sleep count: 363 > 30
        Source: C:\ProgramData\F43.tmp TID: 1396 Thread sleep time: -36300s >= -30000s
        Source: C:\ProgramData\F43.tmp Last function: Thread delayed
        Source: C:\ProgramData\F43.tmp File Volume queried: C:\42F9286D FullSizeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E994BC FindFirstFileExW,GetFileAttributesW,DeleteFileW,FindNextFileW,3_2_09E994BC
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E993E0 FindFirstFileExW,3_2_09E993E0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09EA0F48 SetThreadPriority,FindFirstFileExW,FindNextFileW,3_2_09EA0F48
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9930C FindFirstFileExW,FindNextFileW,3_2_09E9930C
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E97AC0 FindFirstFileW,FindClose,FindNextFileW,FindClose,3_2_09E97AC0
        Source: C:\ProgramData\F43.tmp Code function: 13_2_0040227C FindFirstFileExW,13_2_0040227C
        Source: C:\ProgramData\F43.tmp Code function: 13_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,13_2_0040152C
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E992B8 GetLogicalDriveStringsW,3_2_09E992B8
        Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000
        Source: powershell.exe, 00000003.00000002.2608226865.0000000008C05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter@\]q
        Source: powershell.exe, 00000003.00000002.2608226865.0000000008C05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
        Source: powershell.exe, 00000003.00000002.2608226865.0000000008C05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter@\]q
        Source: powershell.exe, 00000003.00000002.2608226865.0000000008C05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
        Source: powershell.exe, 00000003.00000002.2608226865.0000000008C05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter@\]q
        Source: powershell.exe, 00000003.00000002.2608226865.0000000008C05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

        Anti Debugging

        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
        Source: C:\ProgramData\F43.tmp Thread information set: HideFromDebugger
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9108C rdtsc 3_2_09E9108C
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E978BC LdrLoadDll,3_2_09E978BC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\ProgramData\F43.tmp base: 401000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\lZyN9NTrS2.ps1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\ProgramData\F43.tmp "C:\ProgramData\F43.tmp"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_09E9108C cpuid 3_2_09E9108C
        Source: C:\ProgramData\F43.tmp Code function: EntryPoint,GetModuleHandleW,GetCommandLineW,GetModuleHandleA,GetCommandLineW,GetLocaleInfoW,GetLastError,FreeLibrary,FreeLibrary,GetProcAddress,CreateWindowExW,DefWindowProcW,GetWindowTextW,LoadMenuW,LoadMenuW,DefWindowProcW,SetTextColor,GetTextCharset,TextOutW,SetTextColor,GetTextColor,CreateFontW,GetTextColor,CreateDIBitmap,SelectObject,GetTextColor,CreateFontW,13_2_00403983
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_09E9D660 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtWriteVirtualMemory,NtDuplicateObject,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,3_2_09E9D660

        Remote Access Functionality

        Source: powershell.exe, 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp Memory string: $Shellcode1 += 0x48
        Source: powershell.exe, 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp Memory string: $PEHandle = [IntPtr]::Zero
        Source: Yara match File source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 PowerShell | 1 DLL Side-Loading | 112 Process Injection | 11 Masquerading | OS Credential Dumping | 311 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 2 Data Encrypted for Impact
        Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 121 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Proxy | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 112 Process Injection | Security Account Manager | 121 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 3 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Indicator Removal | Cached Domain Credentials | 134 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Behavior graph (image not preserved). Behavior Graph ID: 1579867; Sample: lZyN9NTrS2.ps1; Start date: 23/12/2024; Architecture: WINDOWS; Score: 100.
        Processes shown: powershell.exe, conhost.exe, ONENOTE.EXE, F43.tmp, splwow64.exe.
        Dropped files shown: C:\Users\user\...OWRVPQCCS.mp3.R4SZPhslZ, C:\ProgramData\F43.tmp (PE32), C:\Users\user\Videos\R4SZPhslZ.README.txt (ASCII), C:\Users\user\Desktop\lZyN9NTrS2.ps1 (data), and 10 other malicious files.

        Source | Detection | Scanner | Label | Link
        lZyN9NTrS2.ps1 | 32% | ReversingLabs | Script-PowerShell.Trojan.Lockbit |
        Source | Detection | Scanner | Label | Link
        C:\ProgramData\F43.tmp | 100% | Avira | TR/Crypt.ZPACK.Gen |
        C:\ProgramData\F43.tmp | 100% | Joe Sandbox ML | |
        C:\ProgramData\F43.tmp | 87% | ReversingLabs | Win32.Trojan.Malgent |
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
        No contacted domains info
        Name | Source | Malicious | Antivirus Detection | Reputation
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2056994806.0000017818AA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2559581107.00000000051E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionsplwow64.exe, 00000008.00000003.2280269124.000000000352D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2410386712.0000000001477000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2375124629.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2396827943.0000000001477000.00000004.00000020.00020000.00000000.sdmptrue
                                                            unknown
                                                            http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2056994806.000001781A339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2127901587.0000017828D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2583323436.0000000006356000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000000.00000002.2056994806.0000017819DCE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000003.00000002.2559581107.00000000054AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://lockbitsupp.uz:splwow64.exe, 00000008.00000003.2240836226.0000000004A91000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2240109808.0000000004A90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://lockbitsupp.uzecesplwow64.exe, 00000008.00000003.2300670324.0000000004B1F000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2325204306.0000000004B1F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.2559581107.00000000054AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionsplwow64.exe, 00000008.00000003.2375124629.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2396827943.0000000001477000.00000004.00000020.00020000.00000000.sdmptrue
                                                                          unknown
                                                                          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.2559581107.00000000054AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.2559581107.00000000054AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://lockbitsupp.uz2splwow64.exe, 00000008.00000003.2295675579.0000000004AE3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://contoso.com/Iconpowershell.exe, 00000003.00000002.2583323436.0000000006356000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.microsoQ(splwow64.exe, 00000008.00000003.2481396783.000000000505A000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2478345004.000000000505A000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2480406126.000000000505A000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2479740035.000000000505A000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2483279631.000000000505A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://fontfabrik.com-0splwow64.exe, 00000008.00000003.2248830161.0000000004A78000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.2559581107.00000000054AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionfz)splwow64.exe, 00000008.00000003.2400472764.0000000004BB4000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                          unknown
                                                                                          http://fontfabrik.com.piecesplwow64.exe, 00000008.00000003.2476813346.0000000004EBD000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2414386976.0000000004C32000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://lockbitsupp.uzsplwow64.exe, 00000008.00000003.2375124629.0000000004BB4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2396827943.0000000001477000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2485384649.0000000004EBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://schemas.openformatrg/package/2006/rsplwow64.exe, 00000008.00000003.2484077643.00000000014A2000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2422806270.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2276180750.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2195994020.000000000148D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2335399445.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2204991925.0000000001496000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2217074916.00000000014A4000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2364264878.00000000014AE000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2226736397.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2365932201.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2388663242.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2200863954.0000000001491000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2224655578.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2212943924.000000000149A000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2222028580.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000008.00000003.2197110953.0000000001488000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://fontfabrik.com5splwow64.exe, 00000008.00000003.2275309590.0000000004AE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://crl.micropowershell.exe, 00000003.00000002.2629857137.0000000009990000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.2559581107.00000000054AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionn4?powershell.exe, 00000003.00000002.2552528265.0000000003168000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                        unknown
                                                                                                        http://www.example.cbsplwow64.exe, 00000008.00000003.2248830161.0000000004A78000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://aka.ms/pscore68powershell.exe, 00000000.00000002.2056994806.0000017818AA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://fontfabrik.com:Dsplwow64.exe, 00000008.00000003.2320561011.0000000004B1F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://twitter.com/hashtag/lockbi0powershell.exe, 00000003.00000002.2629857137.0000000009AD0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://oneget.orgpowershell.exe, 00000000.00000002.2056994806.0000017819DCE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion%4powershell.exe, 00000003.00000002.2552528265.0000000003168000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                    unknown
                                                                                                                    No contacted IP infos
                                                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                                                    Analysis ID:1579867
                                                                                                                    Start date and time:2024-12-23 12:39:07 +01:00
                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                    Overall analysis duration:0h 7m 20s
                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                    Report type:full
                                                                                                                    Cookbook file name:default.jbs
                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                    Number of analysed new started processes analysed:15
                                                                                                                    Number of new started drivers analysed:0
                                                                                                                    Number of existing processes analysed:0
                                                                                                                    Number of existing drivers analysed:0
                                                                                                                    Number of injected processes analysed:0
                                                                                                                    Technologies:
                                                                                                                    • HCA enabled
                                                                                                                    • EGA enabled
                                                                                                                    • AMSI enabled
                                                                                                                    Analysis Mode:default
                                                                                                                    Sample name:lZyN9NTrS2.ps1
                                                                                                                    renamed because original name is a hash value
                                                                                                                    Original Sample Name:a33f21d28bd83a9501257ee727c46486989bdfea6d5cb9f1c12c9a67296b21b1.ps1
                                                                                                                    Detection:MAL
                                                                                                                    Classification:mal100.rans.troj.spyw.evad.winPS1@10/164@0/0
                                                                                                                    EGA Information:
                                                                                                                    • Successful, ratio: 66.7%
                                                                                                                    HCA Information:
                                                                                                                    • Successful, ratio: 100%
                                                                                                                    • Number of executed functions: 109
                                                                                                                    • Number of non-executed functions: 50
                                                                                                                    Cookbook Comments:
                                                                                                                    • Found application associated with file extension: .ps1
                                                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, printfilterpipelinesvc.exe, WMIADAP.exe, SIHClient.exe, VSSVC.exe, svchost.exe
                                                                                                                    • Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.113.194.132, 20.190.147.5, 20.190.147.10, 20.190.147.3, 20.190.147.0, 20.190.177.22, 20.190.147.4, 20.190.147.9, 20.190.177.147, 52.182.143.211, 184.28.90.27, 4.175.87.197, 13.107.246.63
                                                                                                                    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, www.tm.v4.a.prd.aadg.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, neu-azsc-config.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, onedscolprdcus13.centralus.cloudapp.azure.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                                                                                    • Execution Graph export aborted for target powershell.exe, PID 6412 because it is empty
                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                    • VT rate limit hit for: lZyN9NTrS2.ps1
Time | Type | Description
06:39:58 | API Interceptor | 45x Sleep call for process: powershell.exe modified
06:40:11 | API Interceptor | 427x Sleep call for process: splwow64.exe modified
06:41:47 | API Interceptor | 127x Sleep call for process: F43.tmp modified
                                                                                                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\F43.tmp | 22V6t8mgjo.ps1 | malicious | LockBit ransomware, Metasploit
C:\ProgramData\F43.tmp | e93wY5kRY0.ps1 | malicious | LockBit ransomware, Metasploit
C:\ProgramData\F43.tmp | zhbEGHo55P.exe | malicious | LockBit ransomware
C:\ProgramData\F43.tmp | LB3.exe | malicious | LockBit ransomware
C:\ProgramData\F43.tmp | LBB.exe | malicious | LockBit ransomware
C:\ProgramData\F43.tmp | ggjLV4w8Ya.exe | malicious | LockBit ransomware
C:\ProgramData\F43.tmp | yEB1xvr2rZ.exe | malicious | LockBit ransomware
C:\ProgramData\F43.tmp | 71p2xmx6rP.exe | malicious | LockBit ransomware
C:\ProgramData\F43.tmp | 98ST13Qdiy.exe | malicious | LockBit ransomware
C:\ProgramData\F43.tmp | c8JakemodH.exe | malicious | LockBit ransomware
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:false
                                                                                                                                        Reputation:low
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):14336
                                                                                                                                        Entropy (8bit):7.4998500975364095
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:384:5cFP7VtpK4p+31Mzh79W5vM+ZyUgGq4BtMvAxXCRsi:A7Vf9p+qQ02y5HW6kX
                                                                                                                                        MD5:294E9F64CB1642DD89229FFF0592856B
                                                                                                                                        SHA1:97B148C27F3DA29BA7B18D6AEE8A0DB9102F47C9
                                                                                                                                        SHA-256:917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2
                                                                                                                                        SHA-512:B87D531890BF1577B9B4AF41DDDB2CDBBFA164CF197BD5987DF3A3075983645A3ACBA443E289B7BFD338422978A104F55298FBFE346872DE0895BDE44ADC89CF
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 87%
                                                                                                                                        Joe Sandbox View:
                                                                                                                                        • Filename: 22V6t8mgjo.ps1, Detection: malicious, Browse
                                                                                                                                        • Filename: e93wY5kRY0.ps1, Detection: malicious, Browse
                                                                                                                                        • Filename: zhbEGHo55P.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: LB3.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: LBB.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: ggjLV4w8Ya.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: yEB1xvr2rZ.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: 71p2xmx6rP.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: 98ST13Qdiy.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: c8JakemodH.exe, Detection: malicious, Browse
                                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....YPb.................,...........9.......@....@..........................p.......................@......................A..P....`...............................@......................`@.......................@..`............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...`....P.......4..............@....rsrc........`.......6..............@..@
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 16, image size 2621440, cbSize 2621494, bits offset 54
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):2621494
                                                                                                                                        Entropy (8bit):0.20386902944493035
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12:GKm71jTv37T1BNrdVRd3fF3bdJf7vhpnzBxD1fJ/tBfJvTLtFFdF9tlFNtnvDdFv:2
                                                                                                                                        MD5:05C478246441EA79035033291E709320
                                                                                                                                        SHA1:2B2B39333F5B36BECC4DF19A906C2E3BB9D7230D
                                                                                                                                        SHA-256:EF3A8A9EC29B83FE02EB21E4C86DFB98E82CD55F7C781D8F347CAF1AF6033218
                                                                                                                                        SHA-512:B395FFA1215AB817ED5C2FCC467F2747BC9351A471F1EFA3A71ECEE616A1F6226C18007E2D56F320ECAC7FF66D384A0475644DF817BF74E2C4BC30DF146CB90A
                                                                                                                                        Malicious:true
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):15086
                                                                                                                                        Entropy (8bit):4.262047636092361
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:jpBaAlHSa2vU9G/8MMBD7O1lXFMB8VMJP7:jpjmkMYD7IFMRx7
                                                                                                                                        MD5:88D9337C4C9CFE2D9AFF8A2C718EC76B
                                                                                                                                        SHA1:CE9F87183A1148816A1F777BA60A08EF5CA0D203
                                                                                                                                        SHA-256:95E059EF72686460884B9AEA5C292C22917F75D56FE737D43BE440F82034F438
                                                                                                                                        SHA-512:ABAFEA8CA4E85F47BEFB5AA3EFEE9EEE699EA87786FAFF39EE712AE498438D19A06BB31289643B620CB8203555EA4E2B546EF2F10D3F0087733BC0CEACCBEAFD
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:true
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):239
                                                                                                                                        Entropy (8bit):7.194034368621395
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:67IQo+KUwdJYrEgdYzCTarWvsRvxUupKp3xI/VzXRIp:67IiKUZLdEwg0sRJlVVzXOp
                                                                                                                                        MD5:6FB6A9AC10AC69AA6965E2A359C59CD3
                                                                                                                                        SHA1:747BD097BE258C943955E4900D5A25624C88975B
                                                                                                                                        SHA-256:55416829F1FA22F25BAF0B43D602CAD4B392B5307B4098B0D2572ED803D0F863
                                                                                                                                        SHA-512:657BF212F8376085239EF8BFF05284DE12DCC8CD6D5A40971A8DE519D736DC7D144BE17EEC9728B1DB08C1684FE026BABE8AB0636C171B024B5A6A69743327D9
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                        Category:modified
                                                                                                                                        Size (bytes):183024
                                                                                                                                        Entropy (8bit):5.293741813506762
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:1536:rrVwfRAqpbH4wglEpLe7HWKQjj/o/NMOcAZl1p5ihs7EXXbEADwaKBIa5YdGVF8M:r8e7HWKQjj/o/aXotTB
                                                                                                                                        MD5:143F2F44B8BC96301C1F965E8F530FE4
                                                                                                                                        SHA1:7666BEBCA50739E40AB1C8AF95C8435B247E1658
                                                                                                                                        SHA-256:C55BDC9207C98C7BFE1CBC83865A95D603FCCC6AA8073BA21EAC9419F040E0DC
                                                                                                                                        SHA-512:EC267FE55C766DDAE34A9B379FCA772B0ACE1B509F409A8D4D6D2310AADE338511CDDDEBEEFCD276CC70EAB0F4BF445863A34BBCD1A8E894633878ACB28FEEE1
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-12-23T11:41:52">.. Build: 16.0.18406.40129-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results?fullframe=yes</o:url>.. <o:ticket o:policy="DELEGATION" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Bearer {}" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.Resourc
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):56763
                                                                                                                                        Entropy (8bit):5.060943754762371
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:1536:00Z+z30IFPV3CNBQkj2Ph4iUx7aVKflJnqvqqdKgfSRIOdBlzStAHk4NKeCMiYoC:jZ+z300PV3CNBQkj2PqiU7aVKflJnqv+
                                                                                                                                        MD5:B67E4E1FD9987999A6BC979ED6AB67E7
                                                                                                                                        SHA1:74AF26E4E4E58502D6F7F9B2C3F9456E1C89F1EA
                                                                                                                                        SHA-256:3953CE4BD52C236BC5A16C2A8A0827B70A77142E74A6AB76890BAF95C0F6C217
                                                                                                                                        SHA-512:9FE68F137C432F8CDE01A9009A4BB31E99A3A6D19191ED20A1CDBE7849BD4817798C7712AA695272C105B3715088593BB43A00601015B97F3EE2F8379544594A
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:PSMODULECACHE.N.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):64
                                                                                                                                        Entropy (8bit):1.1940658735648508
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:NlllulVmdtZ:NllUM
                                                                                                                                        MD5:013016A37665E1E37F0A3576A8EC8324
                                                                                                                                        SHA1:260F55EC88E3C4D384658F3C18C7FDEF202E47DD
                                                                                                                                        SHA-256:20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
                                                                                                                                        SHA-512:99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:@...e................................................@..........
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):65536
                                                                                                                                        Entropy (8bit):0.4268413863651865
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:48:grmMLJoN71o7ej9GU6EepOlF3S2BAOCcNafqrNsylVlsolDPZ1XKDSJ:gryN71iej4KbmckO8/2
                                                                                                                                        MD5:8D0691B4601B031684C21B08DC3229D4
                                                                                                                                        SHA1:99FAD7F8ACEDF9FAFDA6BBC12B8FD1D4FEC344B2
                                                                                                                                        SHA-256:ED398057A037866F8D3F15A9B2CDBBB7205FAF8FE33467B589F4F11FF9128475
                                                                                                                                        SHA-512:AF6929944FB6BF5F3325B57F59C20397406AE9BB9A0E7673EB6826B825AECB2082B923EF8C70562478FA1E01E5DE66158C61571A662E938BA8FCEFB6251DE26E
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:................................XM...p.. EMF....p...............l.......D........... ...............?....f..P.r.i.n.t. .t.e.s.t.....%...........%...........R...p...................................C.o.n.s.o.l.a.s.................................................................................................................v&.u....l+.v.&.u,........_..._...........dt,...a.#J...........................v.............>....................KE........x.....u1...1.1.|...w..v...........u8..............v...u...........udv......%.......................................................b...........d...................................................T...T..........................@?@.@'...5.......L.......................P... ...........................................................T...T..........................@?@.@............L.......................P... ...................................T.......'...5..................@?@.@'...5.......L.......................|...L.o.c.k.B.i.t. .B.l.a.c.k. .R.a.
                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6222
                                                                                                                                        Entropy (8bit):3.694394225906999
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:48:Ky9OtI5CCgbU2K+s3ukvhkvklCywvn2AHfxlzpSogZoCfbgHfxl/pSogZoCf31:lOS5CClovkvhkvCCtXHfxKHwHfx+HB
                                                                                                                                        MD5:4FB60C8F6B9CAF192B3020A5AA3F2D3B
                                                                                                                                        SHA1:C2BF348D01189276B09BEFCDFD1698C7F2AD8B06
                                                                                                                                        SHA-256:E83603D7B62334A1DAAABFC2EBD0C3947F74E1133774FE19413E30449A9DE990
                                                                                                                                        SHA-512:D038A80FB015A18DE158E38675BB16DE218B03E765E5EFC802D00B11CEC887C044B02539F617BEAC6DC3ACCF8C8117EBEE713D5C89F7D5751D6B7C2F5C8D3BFA
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:...................................FL..................F.".. ...d.......\.c/U..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....7._/U.....c/U......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y.\....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y.\..Roaming.@......DWSl.Y.\....C.....................S.D.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.Y.\....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.Y.\....E.....................""..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.Y.\....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.Y.\....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.Y.\....q...........
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8298343054867185
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:5boopTiiHIAATrsMvwrilopP6YrMN3qct1Esoj7xpsEwfC+YiWvBKSwwdpqz0sR4:TpWxTrPwrrMN3qa07xpnwfCPZZX+lh4
                                                                                                                                        MD5:6DF89548ADD5129C0D1C825FB749EFB5
                                                                                                                                        SHA1:8781C72760467047CE8D66EEE9988252A57811EA
                                                                                                                                        SHA-256:E9B8DCAA004B024F86DB4677089C0C2C75D5020A36D6DA67A8E5F4316D237FB3
                                                                                                                                        SHA-512:40CA4BA0C37A0C160C6C35DA67B6D26DD8686085E7581E46BAB6A715C66ACE223A53D08778787C356E0E0D7595D8B9308FF666A4E29F81DF51B49F83122E42D0
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1270
                                                                                                                                        Entropy (8bit):7.841963302054294
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:cCZKzaIseKqvLy01WOjz+5mFg3kaY8xfDYVOARnhHYgv0sRJlVZXOp:BoeqTy0Ieq5m6UaYjlh4
                                                                                                                                        MD5:D05C0D792C523175F63FCF02FC13CC32
                                                                                                                                        SHA1:21130307687AA2F9147E5253A5FDC99A44BE882A
                                                                                                                                        SHA-256:240C3A2A45C41AACDF8D948C19D0DE769546FDF06DCE55A17BCC8EE2C76BEDFD
                                                                                                                                        SHA-512:9ADF40F9E35B14F7E46E3BA73F33049651DB5182B74B38D90D070A456D1FC6B8DB731E262FE75BE85A32B6102CC9CE44E965A899F558AB789FA39A0A664B8433
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.85655394338914
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:Au/N3sZnECtlHXTIm/LxtyJKXmulzp7ftoiG64RYmbLTI10wdbV0sRJlVZXOp:AkpkrtlHHLxtyMWuPJGilh4
                                                                                                                                        MD5:7516CC4F8CEAE313BDFB7D1051744E43
                                                                                                                                        SHA1:6CD7A63C4834FD272FBFD5CBD91C7FC1961D769F
                                                                                                                                        SHA-256:18A54959EE621C9DAFB88063EE4F1763832D97E6E1009885779FB8E9B3C21D9C
                                                                                                                                        SHA-512:9723EF848774A1DDBBB748F1E2763F829F09549A3F2E1BC4CC541ABDF8E18CBAC5632099F5CAB92226D5641C250A781FE96873D5C6C27C23DA20EBB383E5F62A
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.851965116302
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:MtF1J9S0NM/uOzd+raAcjdvTjFWulUr9xVzwbhnmvm0tQFAv37Z0sRJlVZXOp:MAHuOJmaAcBTjo9tz8mFt++7Flh4
                                                                                                                                        MD5:F50A6BE792A71710F22AF98A3C3DEA83
                                                                                                                                        SHA1:B8E68C899E874920F7656DB4281A6A098BC2578B
                                                                                                                                        SHA-256:0FED2FFA78DA62A698E0B9CC4373BC0ABF021B27541D4F866D20822FB8F010B7
                                                                                                                                        SHA-512:78E8BEA93EFE0C53D0C478522918F61B4CE3DB281C8EEC1B84D18558F8F25A9E44397BD3365680F9D6B175756D88E5A340EAAE8DADECD77C64561B49211F5DEF
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.846640761845715
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:80GzYXlsK87jiUSB/QtPtNpKB1tWoHGdHE7mJnI49EoXqpQZi/qsM0sRJlVZXOp:fGUSK8P9SxQt1TKB1THGNE7e99lQmllu
                                                                                                                                        MD5:01E210C727FCA696A76C5E233026595E
                                                                                                                                        SHA1:6E8C57F4338A3789D568273D4741042F96D0D0EF
                                                                                                                                        SHA-256:BB52990F97A3F6552A78CD7B5C2F83176EDACC3E35EF31DBE64EC4CFD0D95767
                                                                                                                                        SHA-512:AA9BCF63748D51B7A216B998593A04B2078AFB96421C488B44BC184B5705F2F2ACF192285007464059B4DD4A7398A37AAFA8C442F29349DAA346691BFA542A4E
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.835794768963399
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:T4tUZ9Co3+L5P67oHI+D2cjzDtBW0o4q1F9SIg9GwQHbPihLv1KAO0sRJlVZXOp:xZ9CeD7oo+bGiq1F9SwwQ7PiGlh4
                                                                                                                                        MD5:CEC9F107B7FC592445F05FC9989A7580
                                                                                                                                        SHA1:E1BC5D57044C203741BFA67E4F191E2B440C8538
                                                                                                                                        SHA-256:ABCE5A2AB4B1C8B3494450B499B7A5DA51B2A1FD879A9AD4A3A714F0047E7854
                                                                                                                                        SHA-512:B6AD2A812966931431D26E92CB268D797CE55BCF7632B1DDDA1BE04E98F74ABC5A4DCB3219ABC13D3320F72C18EE07EDEA9FDD7CECBEFEA15AB19067DEC69826
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1270
                                                                                                                                        Entropy (8bit):7.857619590642988
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:XhW16dqim59Dk8FADAjWYsVFQqrN0By3U1uD2G1F7tiH/wP0sRJlVZXOp:RxFm59DkuAD9tOKNxEV2rlh4
                                                                                                                                        MD5:793A6232D60847FD4374657C458EE492
                                                                                                                                        SHA1:69D1C009A418FB2C2DDBDFC1BDF5E0393D0DCFE5
                                                                                                                                        SHA-256:61F5E953346A7F5E5699D706FB7EF120E04BA00CFBDDBC486F682531D360FCD3
                                                                                                                                        SHA-512:9B8D15D3B81FA8DF5C8C5CD416F0273FCA13C260F9B159AE678A49EFD77C380C8C4D82D5ECE1FB21DC274AB118B1BA62AE8C99850C566B385CD01D98A4F151A7
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.85013012426878
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:dt0cBEdU6UmsnO0f2W/tbBPNnVIIGDVLgxJOLa5QIvo0ialmv3F1W0sRJlVZXOp:dfIU6UmsnCgtbDVIIGDVScLIw3fXylh4
                                                                                                                                        MD5:C2EEBB8B855D8D343B1032C7BE52624A
                                                                                                                                        SHA1:12EB567118E7E3394B50B7C009F41303BF678C12
                                                                                                                                        SHA-256:08794666D47BA9A3EE03D8161B3349E9FEE655BA76276530EEF641DFCC65EFEE
                                                                                                                                        SHA-512:8BCE4C303076F902E5BEF56BF2F0A54E0D7626D840590B2057A056F671BF9B3F0C29423D2CAF2F293B68CAFC28FC8A3A8289BD5C08255BEAC5F78FB38D0EA3C8
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8623090317330675
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:g3nt8jCLG1BojC0EjB7//lj3WY92JmND4uwQFAv2Xb0sRJlVZXOp:qnJjK97R06suw+5XXlh4
                                                                                                                                        MD5:6D82B940EB9BCC221B7381350EC9CFEC
                                                                                                                                        SHA1:F583999CB225CEA7CC2C583E8F0734FA1CF76446
                                                                                                                                        SHA-256:70E3D166F5E0A4CC58A6D8A548C190B9BCF632792005404CA29020A0D2B3B66A
                                                                                                                                        SHA-512:879616BCA4E8C6C9200CDE70E0A1D841A0D5BA521ABC91E62620AD405440FAF91F7B85BFB8126C27E0454FC671913DF7742DDD1BB8906D76CA2BA684779E8BB2
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1269
                                                                                                                                        Entropy (8bit):7.810439547368287
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:l+3C7Y/7d0hMuGiZmZXyWdpqUhhA/0mzLuvLju/cZ4RMU3NeLzT36x0sRJlVZXOp:83C7Y/766uG7XyWdpVhhqPuW/S4v3NeB
                                                                                                                                        MD5:727B1F3EC5A0135BD12B949B04930AA2
                                                                                                                                        SHA1:E1F250E98633CF673E3EC95823752F59B2ACC246
                                                                                                                                        SHA-256:1D06DC87A8FACEDC8D49D43574E071BD2FDD0A3819D6526F77DE47000A0C18E3
                                                                                                                                        SHA-512:77050E9650382502DBAA451C61805C4EAD9E1C27A2BC85F7032E5E8E138068A544EE3B0188BE04E2A5A9EC11274DC6A795DB9FE5437B7B99DBBCD689F837DC65
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.823753896989024
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:j9sVSiVb2b0dEMWjmsS2sdkmbW1d106bRyfsKIwdOqsK0sRJlVZXOp:j9q/Vb2xHjb18u0ER0sKBselh4
                                                                                                                                        MD5:0E22EB1BC7539C6F951B5B72911B6A18
                                                                                                                                        SHA1:7F53E0436ABA2FBC8E8AB933F80393433588EB01
                                                                                                                                        SHA-256:FC2D11F191DB752208D64E39554DC49FAB3AF661239887D64ED39BAC5BF42BEE
                                                                                                                                        SHA-512:DB56B9583D1885FFFDE3274F657173CF9640427126D2A6A2AFF9EA41CF37716D8D1DE832827DDA62D28429D0A4900B87C379B8873329A5605E27738A1C66D4E2
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1270
                                                                                                                                        Entropy (8bit):7.822106811165719
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:BrF6FFKn7lVt8KAKykB2rVklcNV10K3XTvudZFvK35IqqA20rHzqLfyu0sRJlVZo:BrF6FM7lPHOvrtNV10K3X0FvK5F2xTy1
                                                                                                                                        MD5:7FC3D1396420187C4861AACA6CE6AB35
                                                                                                                                        SHA1:7CAFFEAF0DC96A0D8D75613CE7B83C961F72B1A0
                                                                                                                                        SHA-256:0D37CB342376ED54B068E65E151D4BD051FFBF3E75A9AF5559BC30D165B19F0B
                                                                                                                                        SHA-512:7FBDE506F62F2C9DE86E7D48ADE86737A1CBE84502686EB5251056C598FA2E1079E7F8233E1A46382A38B2387D19DA9B3054D4986E2F0D46315B87367EF78D94
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1269
                                                                                                                                        Entropy (8bit):7.8217453049066705
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:qu0WZztV6s0qILE+fZ2jo2gl8RLw1mtPUMhHBCuZB0SbhzSix7Z0sRJlVZXOp:qZq2s0VnZQEl85qmt8MbzLxRlh4
                                                                                                                                        MD5:96EFD3FD9E56DDDFA8746FC1434B6DC8
                                                                                                                                        SHA1:D407A31592CDB6FE6BE9282DE0C6FEF477AA6365
                                                                                                                                        SHA-256:EDA98776B8B0F31A30415305565793EFC8830A5FC6E54F1C6EE0930A33C64BF9
                                                                                                                                        SHA-512:FE639B9EE10B7179BE5083EC2DB5D99E508C573FFEAD990EC518647BFE1D9CEB717D54D073FD108989C6C6D2B1B315F62D632A763F1BC41AB3B4416A453F25DF
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.871529178066867
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:yM20VevihliTqBBMjXQOCjtd6ESL6Ed8zOwd95ov0sRJlVZXOp:hsihliB9EL6z6EdUODlh4
                                                                                                                                        MD5:CE2C8930F8FD953D6AA6BFA809FA9939
                                                                                                                                        SHA1:DF61D3A691A4280AC9AEA74602803C3209CD454D
                                                                                                                                        SHA-256:A6712456A15AB2DB000606D1461573119543866FC64EC4A4260C3D0E6AB84FF5
                                                                                                                                        SHA-512:B0C2DD47DCAC64BD85291C6839948507BC0F4647EEE7D10E714022A44669430F70807EDFD3FE1DAB5CAA5618AA1A616984F1718E72320BF15506E7295AD9C6A0
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.856439957209427
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:n5k89h4zobN0ERfrUxkWdBPai9p7GcXvQzoWosaMmQOitG1XFAvPnEuv2H0sRJlo:5k8j4zo6ERfrUvdBPN/PXv/Wosa5jhuX
                                                                                                                                        MD5:BF29C79C4B20AC27BDE7B134542B13B5
                                                                                                                                        SHA1:78225F04DD31D4D8D8D96C3AA23B7D12150BDEB0
                                                                                                                                        SHA-256:31A0CEF9CAE8018C6F729974BBF54E712316C97FD1CFA0BAB462EE3A4A0F6866
                                                                                                                                        SHA-512:B1B9BFDE4E9EE637288CE66C976D0363F32623E5A89393A07145785D6CA83A49FF2804CC50CE7E66721511070F6904846E6E2CC90CB434C6D78BC68DDCFECB9C
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1271
                                                                                                                                        Entropy (8bit):7.848083995299267
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:4z04gxH80Ys10tJ0jRz1q/w95HDn7M7Yxz6h+uAnyTmz1PzEsNPRPkrD3e0sRJlo:4z04gxc0YsggrE45H77ci/uW+mtNJO64
                                                                                                                                        MD5:B2B7FA1AABD56FEE2E2103658DFECA61
                                                                                                                                        SHA1:8CCD791B18A98C0B487F820401A3EF8070C82EB9
                                                                                                                                        SHA-256:9305FBB7470486EFCE11E557EFEAABC773F9DDCB2D5860E8C50D11A37232E312
                                                                                                                                        SHA-512:680EE2BF93E18D7421D2B82BE0C8DCC3FBA743CD52345476691FFED7B3F6B4D2B225D81A64A517C960D6E956696CE39FAF9A9EF74107E469F3568BB273BA1B95
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1273
                                                                                                                                        Entropy (8bit):7.822132098683876
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:a43iwn+anRCw0LDufmpY4Lu3NOYdEPXNv9ZAfCQ14G9F5f7hvD9qAg0sRJlVZXOp:aei+L03uepY4LuHdAvmGGthvBqA0lh4
                                                                                                                                        MD5:034D494BAC772F08493C6A9169179A5E
                                                                                                                                        SHA1:84A61062A2D393157AEC3DF588F6514F6048817A
                                                                                                                                        SHA-256:B634BE233BB79B2C5848CA360B194E518CAFCDE857BFB928C79B732A1500A06E
                                                                                                                                        SHA-512:464EA9015AD63D26C26458A55AD8CED04B778434CCD8AA462E5FF652AE8E4D95F1CE87F371D7DF8EAAD0A6A0275B0F9B94C229AB547C4F1B10159ED688BA0414
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1271
                                                                                                                                        Entropy (8bit):7.8372969715540535
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:DGEVK8R9BSLguwi6/hFK7K9sjBqxiDG16LXTv7IBishvtsn2CLCP29D0sRJlVZX4:Dlw8bBSMukuqxD2XjcBXtsnrLCwPlh4
                                                                                                                                        MD5:B73F877C62487F34EEE308E3AF0D48D4
                                                                                                                                        SHA1:78462BE3CEA3D2F79131581B5FC8B2D09F62156B
                                                                                                                                        SHA-256:CBC9F7375480B22AA8D9401548AE9ACEC3EF675D94B2436DE4D56C02AC68AE34
                                                                                                                                        SHA-512:2EC1406AA14C281127712733684EA6CD0B9A17B7C29CA1FAD50FAFB84CAC1BA5040022ED087CEB4A5C1F8E7F866BB450F4DB4E6B48C7035BA7841F36ED8E6005
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:COM executable for DOS
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.833581097573468
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:WrnqB/m5ulIdc05jIvi3iibszRWYuoudOl79xtbFAvbVB3cMv0sRJlVZXOp:WGc0lIP3iJRdIdON9xrwdHlh4
                                                                                                                                        MD5:19D437D77B493B5F4C500154BE1764D8
                                                                                                                                        SHA1:037E76188B6F79F665BEF529A7E42B5CA9CBC35E
                                                                                                                                        SHA-256:3F3774E44678BED6C7D839CF475C8D4D55CFE9449AD19DB0A9FC8D9424675B95
                                                                                                                                        SHA-512:7A34FAFC9498D78AEA1DC1701ACD19343788C63F5FF680FFFE18F166E0C32CD0A838BC87B0C369818D78B538FEDC69CE508AAA535D7A2C6FFFCD5B95D715B42C
                                                                                                                                        Malicious:true
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8573351105288705
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:r44eUBPKlaOGv82gQrqqeMvlU6yboRiCTZfzVBt8Ey8FN+R/vfUAP0sRJlVZXOp:rTSlaQaXeThoUCT5xByRPUilh4
                                                                                                                                        MD5:E99A1993B3A6DDEEF0AD9E4F2F230825
                                                                                                                                        SHA1:6E0E36A7B618CC51EEA694EEBD2732CD834FF83F
                                                                                                                                        SHA-256:32B46DD62DBFFC45EBA48802E7F971536463E650F9409C3487FB91CECAFD22FD
                                                                                                                                        SHA-512:3B62868D2284C474087C6BC25CDB464ADC2553E1AB937F676B03896CC6A69568D27DF481752A1F855EB8E264C6C8F18D3B8132E6BEDA434D52774F9C6101E7A7
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.852989227381353
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:eCY9CwndYU4jHLFReISt08w8P64nftlJhHh6C1+0sRJlVZXOp:xxUYpRXSt3w2fJKlh4
                                                                                                                                        MD5:447274CEC9E2780C26D6AF619029E3BD
                                                                                                                                        SHA1:DA6F9DA7074B150359EC13265A4ACD837FE749D4
                                                                                                                                        SHA-256:DA9410080EB6D20B1E9F10D32D83EC9D871E6545A806009D8E54B5836E2E0B3B
                                                                                                                                        SHA-512:E11881E9370AD488965606F931F34C2D7739A0D4D35FC1AD9AA8AF05FCC8F8F8C47C1E827B0AE74D9FE1B482C372D3CEAA80C23E5EA61D34D11B937CBE9019FB
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.853215361438845
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:r+rK8wIkEd2kjo+aF7xSMg5ZYjhNOQXxLShKzDYhLvwiS0sRJlVZXOp:r8K73looTF7xxg5ZYFTYODYSiWlh4
                                                                                                                                        MD5:4F46E3B14832CB8FE9477219B1CEBC48
                                                                                                                                        SHA1:09FC93BA60DE7B1775DE5DC9CCA7CE3E66F1D173
                                                                                                                                        SHA-256:378524850B49A319718F9EE45699F8FABCA8216B1CCBB55727F5A5485DEB071C
                                                                                                                                        SHA-512:54D272CDE543BD84111872E355F609378EACEB8898F40699C06AF18831035FB8CDD9913EF8303C9C3453DAB1DAB9FF5A8A53D51B15CF54BBE218BD8312874394
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1267
                                                                                                                                        Entropy (8bit):7.837736663202005
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:xkJwD5iWe9QEdR9zXF/co329eBdw9QkwkA82BpHM0sRJlVZXOp:SYiWQ5LZEo329BlR2glh4
                                                                                                                                        MD5:E2BAB9C2F5793D842A3BCA2A9F6EDF9C
                                                                                                                                        SHA1:CCD5E7B1EB31D00590A0F2456F0B11A6B7F5208E
                                                                                                                                        SHA-256:EE564BAE2921C43E1DAF0BA52BD65335C97CAD3AE077A27BD770692059E1FCBB
                                                                                                                                        SHA-512:4926A6F0875C60F0BC502AE4C009A1CEE6F993C5F5C38567481A22BC31EE5D89874706DE639DAC8EEED030B729020E07EBB1E882449F1A6DF336BC813455444B
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.85769358076566
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:4ObyaULYmS18SbGXxiq58ckTVyJmC0iLI/iQwlqwd3FEr0sRJlVZXOp:LsE18SbOiAUR8mC0i+C2Hlh4
                                                                                                                                        MD5:A42FA00D3775B1465C92838EDC6FEB12
                                                                                                                                        SHA1:448520D12EFD18B79EED753BEAC8796225AA2434
                                                                                                                                        SHA-256:3BD6C3AF3106DA4B49C9EBB15BDF00912E5FC4916F1F851894C3E7AD21277AB9
                                                                                                                                        SHA-512:78D421CE889048BC61AA39FD0741AE401FA10D178FC7D63C22CBCBF81AA1B76729D4F5E4D558718D3370208B06A3EE76C4D3EADA22EF9E86A8B7C557E9CA2D7B
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1271
                                                                                                                                        Entropy (8bit):7.861591231645815
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:Md+6LT1UptgRvRdIPLSSZxjlAP/9zzMhmGCvg1LOs7pJ64izakAQgJPD1c0sRJlo:MI6LotuImSz+P/9zz7GCMislY4ie/Rrd
                                                                                                                                        MD5:230C4B04028BA90BCC2E322444D2461B
                                                                                                                                        SHA1:FF02F2B6E7BD5CEA7605432822A9D61C17943569
                                                                                                                                        SHA-256:E6C3E5622CD6181A011E425946CD47A9F3A0481D60E9B62FCD8F1D36BD4D154A
                                                                                                                                        SHA-512:E87724A7011B3E2883D4651A3DF6AC99F83123D87D074A7437FCD260A37DFE9BDAA5F261F2CBE1BDAA292AE7CFE4DAD6318D85FCDDF04C8B223049ACF95B2B16
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1271
                                                                                                                                        Entropy (8bit):7.850030771788953
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:vJ7N1/kBFhubxh06wtPFAvoRAbtQeLwiXOwsQx1VoNeLCP8K+gg0sRJlVZXOp:vJ7NdkBFhEMlN6wRUtQeMiewsQRoNeLO
                                                                                                                                        MD5:93661A3273DCE3AACD8145017D128BD6
                                                                                                                                        SHA1:5AD7AADC362C2F36ED3AAA86B4D9BCB370AF5671
                                                                                                                                        SHA-256:153C57E51FE9ED0F73265E27ED6A296B06BF3B52C2F23CC89AE89D0A66C26222
                                                                                                                                        SHA-512:99C94C400E7154A23E5F3E94F57BFCC914F0CDF85CACD587778014E41AE1A5BF4654F041A5D47C1B6AB8F3B54A20A0496F14F466DF08C8E292D7064484C1F370
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8397037569975385
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:EcS1w+jofHFWibl35k6nWu2SMo0aBq27xvfRWvuKYutbGi2HaveF0sRJlVZXOp:EcSKKoPJl35k9u2FaB5xvfRSuBu4iolu
                                                                                                                                        MD5:AA6CEAF4F872C5C9D98B01BB79980C74
                                                                                                                                        SHA1:ECB3EB6C6DD41C68E0D39D48C071F8C9BB636446
                                                                                                                                        SHA-256:4485C54C384DA14E879431C0C57244E29DD28DC4671B55E89D4352FE7F1957C7
                                                                                                                                        SHA-512:B50F9EC44DA5703309F4B8737030E0C725A6B18F7DCC6B0E045CF8DDEA173CF6ABF056F577FC1340440F943E0722FA0A73E7E9E81A04B0C3B606ACC5FA126611
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1267
                                                                                                                                        Entropy (8bit):7.842888414995539
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:Vw2nDWUeEu672tjsPTg5IV8OZEOh3XfMVgWGr+7fWv0sRJlVZXOp:G0WUeDk2g8iEAfMSWGqWDlh4
                                                                                                                                        MD5:C9846C73CE4CA572A9CBB69A320A4985
                                                                                                                                        SHA1:9B36B291C46DE8F032AFAB08595EDE5468D6B6A6
                                                                                                                                        SHA-256:9BD6C66E172D80DEE8A9D2DAD21E67FCA18FA773660BA59644478CE73B3003CA
                                                                                                                                        SHA-512:087F4C1A98A832D2DFA688CE2A335ABA9FEF657C7347E5E905F0318E67417AB6BBD1A13503BEAFDF270608AD00FB1FD8929627F83BCC3255E7D3702DD5C97385
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.853949972462317
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:LPjOCSFeZuyf+Qjzoqu3ryUS7JoqHoU/GyrEU0zCYConnwdwbCI0sRJlVZXOp:rqJ8uvQj1ubwxBxrSzB3mslh4
                                                                                                                                        MD5:E2B95A6DF61424849577278CF239F5AD
                                                                                                                                        SHA1:04A84D72B7C84466C6DC3F0C1415C9ACD0AFEBE4
                                                                                                                                        SHA-256:0DDF32C6EB1DDB60923388ECBDA7F142273D26843B9373500D4A67D9962AA143
                                                                                                                                        SHA-512:17F492B5435B2EE890953FA9A7389D6738888843FFE47FC7BFE4D2249FDFC37576AE186872DB8664567F9AB802E4B8989BF2855C3BE8E2C3036EF7A21D8ECA25
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1274
                                                                                                                                        Entropy (8bit):7.839015912081393
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:X8Zm+9i/hPipZfo1H+kx5GKDXrbqn9ZMk7jndmskxAfeN7LM0sRJlVZXOp:J+9m/ZhzrOZbdm9xAfc7Lolh4
                                                                                                                                        MD5:25693CF9ECABE4A60E2F174DFCC11EE6
                                                                                                                                        SHA1:695B4427584BC8B2AD4F659134EAD30BA3590313
                                                                                                                                        SHA-256:1D7806AD0A53444BD0E1399A18A6F5D523EFD30C03A3086CB92C65162E46D574
                                                                                                                                        SHA-512:D099A0ABCD68105086BF1FDCCB63558A29DB6BB159CB84E9EB04F7612C992DA3351BC82328940DAA4704B6CF0588B476FFAA69D6E82650F7333B4426C6343282
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8533028392832245
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:H35Y2ifkUQ3InJl1KfV0K2ZTXDrflUueuzEypKGYEYeQ+AhYGFAveyr0sRJlVZX4:il8UQ+jK996DBpLpqEHp42lh4
                                                                                                                                        MD5:1ADFEA602DF22138AD779E7041276881
                                                                                                                                        SHA1:136CFDCA587CF6833AE048EC264401DDF4235588
                                                                                                                                        SHA-256:CBF01D7C8992A2D2F68CE1B9D970E84213813461098800D4A4984360FBC72775
                                                                                                                                        SHA-512:E17A8DCAEE44285B39B3C17A7030F059925D9A3158425AC8889EBACB4C6EEDDF863958B3D1265B598AC14631B47508FA741133E98D513212AFD5629626428BD5
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1270
                                                                                                                                        Entropy (8bit):7.857270848013239
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:stPkLqBjbIpS2+12n0rS31QqEWeSawZcRgwr7G1HL1ksB3F7tiHk92iu0sRJlVZo:stluV+1k0rXqmRNr6BLD1F92dlh4
                                                                                                                                        MD5:719FC453BE0C234B52914C93532771B5
                                                                                                                                        SHA1:979742CF0321F3814DF56921C1324E9EF731D4EA
                                                                                                                                        SHA-256:3B26CA402DE3E0E30CA098B03D9D3123992F4906AF90B429B15DC6317A3339CF
                                                                                                                                        SHA-512:C311E5AB6579FAD9BF082D01557C912397BA236A9A39375B09013B382215BB8D3BFA3A680CB19D75C9A64B113BA804DBAB2584F78FA03820FC15C9544DD14249
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1273
                                                                                                                                        Entropy (8bit):7.8549962924380425
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:0jSc7K+OwzvkLElm2o9qNTvOCbYHHKn1OJ1RXB9fZkD9tepXH0sRJlVZXOp:0j9K+OqgUbok1vDbvwPx9feB4p7lh4
                                                                                                                                        MD5:8912A2B83198174F3F7B004460EE2571
                                                                                                                                        SHA1:BE03B40674BD50C3EF5E79F3B1AD19DBDD465885
                                                                                                                                        SHA-256:3038FD06BC01C2F13C0DD25F3E89A96921C6E2900DB2E6FC4A3A5CAA8489478D
                                                                                                                                        SHA-512:10F279EDB580A36C435F24FAE5797D456447EC9F26CEC05AB0C25D83D8DC93C5095054CEA2A116E4216CD96256A253188CA879FB25A9D97CD566026C40DC2500
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1274
                                                                                                                                        Entropy (8bit):7.860316966366584
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:0y/Evcu3ndslA19XGPIVzpOa7yjBiRQkzETR+0sRJlVZXOp:0y/EpndsnwZrPaEETElh4
                                                                                                                                        MD5:C2C17D21D41C1DFD87D97C1896960657
                                                                                                                                        SHA1:93B405A68936905529B67355C4E08EC844EF8D7A
                                                                                                                                        SHA-256:3D4071C718418EF1C796543D4D00C3F312D9446E3894DE88C1A7C16C3B4BA981
                                                                                                                                        SHA-512:D2DD1076982A6104677B36205F78DA1F086A6D7017C591FCAF3F9241914062B6BEE6930D508A30A4D9A9A3888A720061201A249AADECD3A824BA17B17289B853
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.832326068696471
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:OlSfDiUstyUKLvCedE49Rpsd9xAisNSi0UmvM50sRJlVZXOp:e6Dii1BE4ls/mTDvllh4
                                                                                                                                        MD5:6E5219DA1DD24091DD5C6CBE07F7D394
                                                                                                                                        SHA1:3E1366B4FDE506AC47CAFFC412C9943C764D1279
                                                                                                                                        SHA-256:7F4A5F8A1D2F2350321DCF4213F6AAF2A46D8EA67095F3EA5EBBF32426A2ED24
                                                                                                                                        SHA-512:B7209D62146A85ED6673EE930BB850408D90761053809B0E3E69F8441E3107371EB8B887AB36DDD5268C13D6AE74D3A42F1C0F57F5D73B1F7615F21F4C2F655F
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8367240596300825
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:f0FI9Z6vBbk2M8UwscvevGuwan+qX8yMrls8shD2kFAvNvFd00sRJlVZXOp:f0FKZ6pZbscv2G72lMrGvvoFdglh4
                                                                                                                                        MD5:828D2671F156785F2EB7729B442BC074
                                                                                                                                        SHA1:D5DC7DDDA2C728761BAC6D9330B8D81B96A6A25A
                                                                                                                                        SHA-256:4B5325BF1FC875B4359657EE0728431046C07C5E9A6D227B2DDE339D322EBE9A
                                                                                                                                        SHA-512:729D83DAD05B8542ECF8FEA2761CC8DD9CF02AC3956C5D06F171ACEB7AA612F4B5D3E1B0286CEA1A02B85DAE4B2808DFA6BC2C7CDD9799A959BFE3737E4DFFAF
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:true
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:true
                                                                                                                                        Process:C:\ProgramData\F43.tmp
                                                                                                                                        File Type:data
                                                                                                                                        Category:modified
                                                                                                                                        Size (bytes):477817
                                                                                                                                        Entropy (8bit):7.9967879615440305
                                                                                                                                        Encrypted:true
                                                                                                                                        SSDEEP:6144:g2qBP0l2qBP0l2qBP0l2qBP0l2qBP0l2qBP0l2qBP0l2N:8
                                                                                                                                        MD5:1D42A7B0F82095650A8B583FC09EB649
                                                                                                                                        SHA1:1A9C2D30B130992168C127359A9600205A18C418
                                                                                                                                        SHA-256:C3947BFA4E7826E3EBE46C4AA5D06784B8911CC9B770104D124E6F5F22ACD60D
                                                                                                                                        SHA-512:4DAA389651BA2B82CE5C53F80AF6000AC6850FF03F589B69EA29A9EF1ECDFB929E3446B139A67D93D56AF39D18D28BA808AC8E877925E19AFC0B5ABA463C2573
                                                                                                                                        Malicious:true
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.863019092672676
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:uNV1hws7akf8UORVWCLFmgIEjauXDOaxf78a/QW5YKMf/wdVDnJE0sRJlVZXOp:uNZAVxLFXmujJ8CQqYmDJQlh4
                                                                                                                                        MD5:35499D7FB3AF481A5101FA8CDF58EE76
                                                                                                                                        SHA1:118CF02F5A26CD3F5E300098AF208ADF92C5B224
                                                                                                                                        SHA-256:89E2066A66B9E806449E75B611B9002E662D6BD38DA52B8AB062CC46EAF4470B
                                                                                                                                        SHA-512:E6154D04775FB020E0EBE2EE865E02C19C32546775A73A9B9C6CAAE0D1EBAE311031B7A9FD33F19C9DC3D2B5B31DF2EE1B0DEC9C909FC7C1F9FD21E28B420017
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1270
                                                                                                                                        Entropy (8bit):7.831767962403857
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:NASSA+jnDUqv+3GdiQSj3vxKmKW2zQAQUEOKeL23g49s5mlgxHxsw0sRJlVZXOp:AA+jPv+uSjAmkkpOLKsKklh4
                                                                                                                                        MD5:C3A18DAE5CC492682CB3F25E94C17A2D
                                                                                                                                        SHA1:C09111232F970F1C2AF9332575601C7B1965EC57
                                                                                                                                        SHA-256:A59D5B678D3497E29AAC4BB1897BB93EC5A841DE899554E632A5C7F90A7885F1
                                                                                                                                        SHA-512:EF410B5866B9D2FE526D48D749EC3FE44BB042C5EECA08CB78F18C87501CA1101EAE79893C5395EA520BACEF0DC5E0FCB25254D3DB73C529CAD168327DDC6DB7
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.85706907280638
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:9oxV7B7ykxZ9fHSR+142rkvdciuTr3OvoeBA+04sz9wdVXn0sRJlVZXOp:GH7BukxDfHSRiZ6sTTONA+tLlh4
                                                                                                                                        MD5:83D5544A253E54BF5A7C8EEC156CFC12
                                                                                                                                        SHA1:2C052DF268C983E1F8AD10B6AADC71A8398363C5
                                                                                                                                        SHA-256:6E89184152E0BE5BDA49003B5F4EB11C37FD873C7A6F0C158E12C4E765ACB731
                                                                                                                                        SHA-512:B5ADB5F5D153B6426FADF9BAC150DBB9393880F873ED5C89989E8318EA707B0E5A0ECEE9BC8F3C3F9C050D3120357EC7335503CE403471479FB658A0F9F02F08
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:PGP Secret Sub-key -
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.849362874716454
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:nBZSVTqscyyJFPOcJkhQ7Y7jPGTT3qeAkoLA9szlvEynabToqXgQSQFAv90sRJlo:DGLWtJAQQrUqeAIszlXNqwH+2lh4
                                                                                                                                        MD5:D2AF5E598266B4264189390C2CECD08A
                                                                                                                                        SHA1:85749E18DD0625D806AECA6DD51809F227491048
                                                                                                                                        SHA-256:24F3534E4559B376347B7B7A2D6A0057AAC62D3299B697F1BEC1A2FA9CF794B5
                                                                                                                                        SHA-512:2E709BFCC36C25C9584FBE95069E5E1AF78165C7AFA59974FCD339A78E19D9B28AE7B514CA7D6C0E6F85794BAE2802ED338C95CE5C3FCCAC9418AA6FE16535BA
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.853331941964771
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:Adxi8tTZBy22Vsx/aULu8c1hCz3t4kPvbJl5exs3pvUe+MU7VV0sRJlVZXOp:4xBtTZE2Jx/aUa89uGBexs6etCZlh4
                                                                                                                                        MD5:6B0EDC45F10AC1E73F2D2BF3F58272A6
                                                                                                                                        SHA1:5C4BF27BF0605EAA570CCB36FF47170FA2259B74
                                                                                                                                        SHA-256:54813FDC25EFCE46E8FD24585F4F47A35B12E124BD48B9F665D1F661A4EE16F7
                                                                                                                                        SHA-512:1D91D0CA63CCF744294CC63E09A692AF13A9E3710012CFAD62EE06ADB4A2DAF521FFCEB01EE4147578F1CC97BAC4695CBDFEF268F50AD8E0B50E3BF557C7C108
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8643546157861115
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:JY8u7B4Z0lWPn/F6pBsiPA1xl7ql64di7JvyH5PjaKzth7T9ohLv7nga0sRJlVZo:JY8WBI8vdoll2yJvyH5PLLe+Olh4
                                                                                                                                        MD5:13B6BF093A60345DBC9DEC007A326337
                                                                                                                                        SHA1:9B82E4E170AAACD37260CA8CC273EFC45D892482
                                                                                                                                        SHA-256:4736314AD322F706534F277D87BEC3FF9E17AD74FFC4C31D4FDDF80E6A8FB36E
                                                                                                                                        SHA-512:C38AF1ADA0617A36C3A126D125849FC4078F24AB1653B8A4D318E38AF78487B7831D7CB9E651DDC74C99889293B97C1A030488AA085F430EC9CE7E310EF3DB7A
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1270
                                                                                                                                        Entropy (8bit):7.849246080170979
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:HDRHX4VK6anI2Go14r6RExnBr2M0Nh5FtHQVw/qf/2F7tiHqZv0sRJlVZXOp:H9oY6anI2GoY6RenRghBZ9ZDlh4
                                                                                                                                        MD5:C05C790549FCC0B13EC941B2D8C70EBD
                                                                                                                                        SHA1:DB72CCA29A5A759980E3DA8237074D265F3610A0
                                                                                                                                        SHA-256:1566FB888CAF8E64E2C2F91DC6CD932019DA99508E642C7E71FD6CAA9954B9FD
                                                                                                                                        SHA-512:C8FF4E2A99AC449BF3527BAE14E06611A923993CC24B6F67649ABFA490511B866EFC249A88B52ACA9D35806A70E2A450417F73CBDBCD40BF8238A784695EBA24
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.877331474500202
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:XqlmCI5n6kzkUQFOSVgZQzxhCXzk7960fyTJP0mvvzSZH0sRJlVZXOp:XdCI5nLkLCLk799fyTJPpzslh4
                                                                                                                                        MD5:F23262D723B2AAA1F9BF0AF6A12406FF
                                                                                                                                        SHA1:CC64BB383E7230D2D0E36DAFC6098E180AF24CAD
                                                                                                                                        SHA-256:989A43AB0D0A5BAEC800177CCA569D27A81EF9D931787BB917D6423C175B1374
                                                                                                                                        SHA-512:557619A29CF29C09B9559ADF1965191B0EF859241F15F66F8387C89C2777C3B1BC466B303786286833F5B89F0A59CDDB3BE5F239AB320C70F2A099228F3BD5B6
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.834478680508829
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:Fn8budd8HUS77mSgj1HBtO2yYKA1EV2tQEAKr8P66QFAvvVG0sRJlVZXOp:FnPGH4Tj1htN1g2tQEmD+AVClh4
                                                                                                                                        MD5:54ADD2CF861DFB29489EDFC1D5A2F5D4
                                                                                                                                        SHA1:881669F7D6BAE14EFF3AFD48EBCB2A089C164468
                                                                                                                                        SHA-256:0B25607B4E6CCF0622CB64B6935355B23614900A664B1B97F522B59F0E3CDF06
                                                                                                                                        SHA-512:F6B35411C21806B570AF483CDCE31E064C0643559DE1065526C6BEE97B5F1AE6FE2AF042A2464B66D61AC9F04296CAFE69BA33B33370951B94D5AE9723FA1E56
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1269
                                                                                                                                        Entropy (8bit):7.857726648904936
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:4ZMEk6HfkXhGJ/pTA2nnW6LCHx/RLPqkM70sRJlVZXOp:+MEk+MhkpBWMCHx/5ik0lh4
                                                                                                                                        MD5:CD70E6969EF29F419672CAC719EE19EB
                                                                                                                                        SHA1:5DF7887529A859371AFDA2F99ECE516869C38D7F
                                                                                                                                        SHA-256:9BB208CBC36BA7A3789CCE080780BA093CFEDB66129423E50815EA1A253291C0
                                                                                                                                        SHA-512:AB78DA759346F5FEA5610BBE9C103ADFCC9BFD962575628D6250AC5FF7C20FEFBDB5575718669F3551467B683587A204244FDD0F053B3A90CC1A4D0F7C48FE87
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.877719028712725
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:jThL3uF7Ljcdln+m9q1XsMooSZuSfeoyVJZPFqwdb4HRM0sRJlVZXOp:jThruqlnd9qy5cTDFx4xolh4
                                                                                                                                        MD5:4C779063FD9902E0BC0A9A9F54FD80F1
                                                                                                                                        SHA1:186EFCCF1284EA00886F38CCA71BEF2A4543130C
                                                                                                                                        SHA-256:8495519A3F3BAFD1C1F44FC486F580802A6A2C7703C0D36042B66A9D72DB0AD8
                                                                                                                                        SHA-512:1EBD702003F0197C093AE23815E0190C61B11B0C71E4491CC399C716E00267FC533864F69147E63EB6B2EF28DF6CD536CFC5AEBA8626D464E27DBE7B6604D030
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1270
                                                                                                                                        Entropy (8bit):7.817635692262603
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:eK+WH+vETX0cP0/YnQ0Ceb1rmcMvIMXuJDDH3pJUfL2YzE1GJvJHmn0sRJlVZXOp:PH/t6hcMVeJPpJM0Gclh4
                                                                                                                                        MD5:318AB8A565FFE82D0FACD1104123E3B7
                                                                                                                                        SHA1:9021B1A1145456AB883FF2323E6E0B42D13FC6D2
                                                                                                                                        SHA-256:297F692DA3FE72B5DB8EAAA09D5A3FF3B43A827BBC090BF1A8974672246B0DD5
                                                                                                                                        SHA-512:0DE0D60B174F45C0D0789E9BE402B4061A2B740AD0C185977948A1E637401E890C36269C6DE1689C3D9430F14594253DCC6D5210A85DE7DBD6C374913A0DBD08
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1269
                                                                                                                                        Entropy (8bit):7.820241573478875
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:usP4tuiiLP01OHxIzbGp69SaRjATp/2Da26M9UBEEmPn0sRJlVZXOp:usAhiLMsMGU99tqEa2risLlh4
                                                                                                                                        MD5:A181D01C7CC4403F762478D671A20F9A
                                                                                                                                        SHA1:64213ADF0B2592672FB2605EC23BE73131EB2C42
                                                                                                                                        SHA-256:31DD79188B5F3BB3398D02B25EDCEDA63146FF6685473D070F0955835182413E
                                                                                                                                        SHA-512:D19FA38D540595757E2358DD5810326C8F96BD3A7DF1584E4F129E5BEC000020A3FA4F958B6D927923AE31ADAE2CDBE237D3C8499EA77FB1DB0B017185BD2579
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.866769739560745
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:og7UgOxiBtHp5LeMGAgC0fcCgaA8+VJyspYQjP3d4wdT3ZbhMe0sRJlVZXOp:fUgOo3RGAg2DaAXJuQbNhhMqlh4
                                                                                                                                        MD5:432FBBC419DF394A9017FA8389349342
                                                                                                                                        SHA1:C75BB9BE9AA113FF31DFD461D60C16F24B1915C4
                                                                                                                                        SHA-256:6BD4F421E6F2A0FFF91B3198AC74165D735180C0ED598982D22A0FBEA10610D5
                                                                                                                                        SHA-512:C18F68894F2C4A6B53A303DD5E58E1C58227F9055ACC68A740F978FDEDE3226EFB963BBA534BF3BC6538877E5B8F9DD77F373A4CBB2B0C99443AC1F3F4D92BC2
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8499230019089845
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:h0Yx/zl4/igshCGCDfklm6pkrVqJ8cpFh9+ucV/uCwMvK2jhTVfDvoOFAv0Lkf0N:uO/zl4VsYXkm6pkrwh9+uc4C8YVvHKlu
                                                                                                                                        MD5:F2445AB47ACE26084F71BE89B11D1093
                                                                                                                                        SHA1:8EEC8EB48BD9BF879B50B1059C1DE60840C701B2
                                                                                                                                        SHA-256:0F16EDBA75FD351E3404D2D9A9D05392A0539D3C935CCF22A32D510D9F006C81
                                                                                                                                        SHA-512:BBAE60127128D18A7D406BCE5DC546B042AF86954411D6BE3A60F3BD81510F1A910D0C1D2F147D327DEF2AA0BFE218F53F0491C52DB2FBB60F7F8E721DFA040E
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1271
                                                                                                                                        Entropy (8bit):7.8334598128913395
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:7lh8CSaTN6CMGusvBKDExHhLjmxVCLWgn+RvkO0cP/Zz7810sRJlVZXOp:7nNtTNjKDExHVj205W8OLW5lh4
                                                                                                                                        MD5:E1E0620061AD1B1527AC9DF8BBEBE855
                                                                                                                                        SHA1:F316574426DB9EC122B81AB65A39077417E5B4B6
                                                                                                                                        SHA-256:43956D61DAF33DACC7E5E55CAE341728576F488DDE42D6F7BBDB90198CBE1F70
                                                                                                                                        SHA-512:07814EE34FA69ADC52C6D17E31C2D00F7C96CE47C8FA49D6FB20A2CFE05A92FB06F29F6899F191979C3302D8AEF6516793076645AE1C2FE7A34F40E5298C963D
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1273
                                                                                                                                        Entropy (8bit):7.854825526681549
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:3svihDjI7Mwxu+UwjMcBv1JJLLxS9eWPzcyNoXD98jiqt5v0sRJlVZXOp:Yix+TrBjMch1nLxwWyNoXB8jiqt5Dlh4
                                                                                                                                        MD5:FB01DB45A712CF024B0641CD83C1684C
                                                                                                                                        SHA1:06FE49DBF99386A163956BE4960112F0F834A234
                                                                                                                                        SHA-256:A101C20BD885950E1526726E1688076A9D188AFE5F64879A2365A3CF37D61A17
                                                                                                                                        SHA-512:AF798DA5B56E4CC6D94ABA7B4981BBDA36C013B90B0A783140C15A3DFE2DE9D8A610E9A775BE46DD1825A4809CA5A423D05961D2FEAC06F9F23BAC6154E8FC78
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:true
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1271
                                                                                                                                        Entropy (8bit):7.858716671566516
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:fXiOly+S98hvfcL+YlBnQzlmeTWFlTPwxHXihCNzLCPgiymg0sRJlVZXOp:fXO+SWhHcL+YlBcZWF5SyhCNzLCo40lu
                                                                                                                                        MD5:879493F7E2E11180EF2A86F530F32F23
                                                                                                                                        SHA1:3F4B261BB5B7D56530FC44CA4FE28B39961072C0
                                                                                                                                        SHA-256:5D4C009128185C34FB24B79BC162EB44E6DAB6AA3BBA4A324B41894B629EB85E
                                                                                                                                        SHA-512:41B81A36D624B358BF6240037A908705FDBF3BCEE8B9FC298883ADF142FBAA1D6EA9B61E6ED2751B562A6EC656BBAAC4C4C33771420B06289F28535EF8511B67
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:true
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.853042911171819
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:Nc6Uw3yyQ4OW7tzs7FY42MwNMjqEAxWHi5gzIBhwJlv7WFAvg1M0sRJlVZXOp:HUw9O89O2UHAYbzIBhkv7Ivolh4
                                                                                                                                        MD5:60C720D1F8C8D86B2F995F727990D5EB
                                                                                                                                        SHA1:E43C5D0C983CE09A103C19A16DDA1F09D5835793
                                                                                                                                        SHA-256:6487DB3FCCE8516DB89BACAF55ECA088F77A8A00A54A43EFDD5829E067A33644
                                                                                                                                        SHA-512:F0A967658DF17C68842D69203FBF48ABA07CCE9E4536BC5932E16496BE129613C2E26893D41C24983642715B4CDBACE748200E9B5030451491F28C00DAD5C88D
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.850056646921829
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:l2Nb0IHXDhPVZs1K8CnUF6sxR/Rbjf/IoCVG17VevOvxv0sRJlVZXOp:Ap0aXD3WDRbz/I1G1Vlh4
                                                                                                                                        MD5:000B40F22FDBB71D28C7CC770F132662
                                                                                                                                        SHA1:8BA0D5F5E24ADD8A2E09791A032AC667884CEA36
                                                                                                                                        SHA-256:A227C91BE19E58C97D46E425191505EE139B8E08AA8ADC369F4FCD15C79E1F36
                                                                                                                                        SHA-512:481B0E2E86025C4F908B31C1DED132E834EDDD7AB36CAA08F985595D768E70C7BB51E600CA0877F50231D8D0A8052C0FAA18E7DD192BD83589C508D5199B1BAB
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.865586698119291
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:feJ0X7x59EWnZ55YhgkXQKIDo6Igfgf+SbVW4lv2q+o48H0sRJlVZXOp:fb5ZOgFzl/IffbVW4VBXfrlh4
                                                                                                                                        MD5:C0BE6987D0A247AD69489BB2A1623956
                                                                                                                                        SHA1:D346E3865B02D758E383236C07A200662169F327
                                                                                                                                        SHA-256:CE8AE0B1569C7DBC71EBF1EF17B6AA05D52B0462E0428019769D27771A3E56BF
                                                                                                                                        SHA-512:AA26B70B6FF072570F239B6F0224E5A5E4DB1BEC4D3BF58C25780EFD767E7F9845B0EC82D075A4277DFA9BF76634FE87AE6EFF3B75A90807217D0B692F37A6A5
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.84585847430413
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:UhZ2QnAKFMLi1x4Wky5iHug3c4Lm83/6XjujWw8vMhbxQzbhLvoEX0sRJlVZXOp:Uz2Qndgy5iHNxLm8wj3ECzb2Eblh4
                                                                                                                                        MD5:01C863067400CD97533A9A7D2B814186
                                                                                                                                        SHA1:20113D8D1F0A170B2F1AE3CB87C334C25D4E850B
                                                                                                                                        SHA-256:E03C5D665B73D82F54731EB86FFFA6E9C00E0FBCB00CFA143247CF052C31D08D
                                                                                                                                        SHA-512:52F2E48880456400C2EB97BAF26A34CED875FB534E0A38FCCA6068A620D22F3FC1FD3571C2481D363CD39A9BCCDC882F7B25363DB70B260E31C2DCE8698E98DC
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1267
                                                                                                                                        Entropy (8bit):7.83567065394231
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:M4+8QH9dn+rqXFtZLTeigBeJ1QdDJcqtmRMJ9zKmDpD2uE7n0sRJlVZXOp:/+8eD+1cudDhf9zp47Llh4
                                                                                                                                        MD5:B98C159B93CC64AA84126E9266068922
                                                                                                                                        SHA1:35CC25CF34D903DD7B266F25BC8B472673B15B66
                                                                                                                                        SHA-256:74736DB8B1AD4D9D8C8D2192698D770FA3E704F577E0950AD740052D7661A97D
                                                                                                                                        SHA-512:A7EF4C1169BC521E931DF3109C1C48BF0EAF3CB78E7A5D282382A15D7BA08B53502393253B7BA842C8C1AA5FD2FA2B27DCD9959B3ECB1F0EB75AE40B7E8D1FC5
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.824497598188348
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:qt0l16x2V4pCjP/gNPVupaqb1ZEEUn5Atx31hwdc6mUU0sRJlVZXOp:qt0mTMjzciZyqx3156mUAlh4
                                                                                                                                        MD5:FB123417580DDDB7B6092C6E9688A3F6
                                                                                                                                        SHA1:C4496D38AA95A835C2951D5ADD6252EE66EA53C6
                                                                                                                                        SHA-256:10DBC8CC188E4AFDFB39A998441FA34976DE626CC5F01FB09890120540FDE73C
                                                                                                                                        SHA-512:645FA1D57B7FD7B99C82D923360C46E64CE42B820FC9D65040458DC8C3AB92776BD014A86C6F00A936A6719F09894CC3295AA0DA330C24E6813A2AF765321006
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1271
                                                                                                                                        Entropy (8bit):7.850681659080016
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:/bO+U2FCJqfREeQNYvGug+bxPp0VgQMjFdn4DMRB6cjPq+6P/0p0sRJlVZXOp:/bO0FZZEeQyvPgOoMR6F+638lh4
                                                                                                                                        MD5:4F6A176E1F54C3F3C6082BA4E71F200A
                                                                                                                                        SHA1:75FDEDEF943C7669AF218B1E9F496AB091CD6DB8
                                                                                                                                        SHA-256:D9829969C32A30C7B1C2B778ED02CCD35FC848DF094A322EC1E95902D293050B
                                                                                                                                        SHA-512:1127C585E63C9B3FEBCF605F53E4C7C47D722387FC8DC669AB4F706BE5A38D6B94037ED08B73D7AA2CD981DA4B272665EFDD37E89039F2B011D1FE743766B9E3
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1271
                                                                                                                                        Entropy (8bit):7.816876685841125
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:S/cI0RMzBEf85IEu4qccnroP36spuN5wmxnLCP1FJ0sRJlVZXOp:o4MzvxiroP36syLC97lh4
                                                                                                                                        MD5:1DAA5C38E6F01634C719520BB1A7D210
                                                                                                                                        SHA1:2C83B8394C60B47091367EDF1B24BAF1344808D2
                                                                                                                                        SHA-256:D84FD832F582634B0F994F06F62C55C0DAEE209B9151C1E7E33D20C2D255FE67
                                                                                                                                        SHA-512:9DA8DB76938EB859E7504CF8107C225CB49AD8C80359850C6AC3A65FD3E202428CAE2297D3B90C9B7B65E827FB112EA48A832BD6E287E677FC9795EF76D41376
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.842197089188005
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:EOgYzCmmyDtUoev9Ab5zbojJqELygoUvzF5GSTuimYv1F90sRJlVZXOp:5ntAvmbojegIHGlh4
                                                                                                                                        MD5:4A2881B1D43E2AFF30EA1B47CAEF72E2
                                                                                                                                        SHA1:A1A04C41607BD2B44A67BB9F6E017FFC15450F0A
                                                                                                                                        SHA-256:8793F131BBCDC56FEBF1FA8999428EDA2CEFED1B08D7F6A93045C517BCB4AEEF
                                                                                                                                        SHA-512:A30852F2BE90CDF92C49AF11A0DFF8DB53317452FD99C022E0FD74CC57DBE969655803120D3910BD992E8644CA4995E21ADB6554CF3C3CA9E113C0BA180DA16D
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1267
                                                                                                                                        Entropy (8bit):7.857094908294833
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:3o/oHBEAjU/wxIhHjNynDFeNuQorzCLMXRHZg0SLwxnCg0sRJlVZXOp:3oAHBEj4INyncovCLE5g0S8BRlh4
                                                                                                                                        MD5:46B45B3FB4A0ECE0B55483E5D941253A
                                                                                                                                        SHA1:F2F47F0DDF76264F36C618EC1D4C25C9EE13602D
                                                                                                                                        SHA-256:ACCAB4E2B993E09B5798FAF3A36C20C1816FA62F7518B7DC3BEFEB1F8301D904
                                                                                                                                        SHA-512:FEBC4872C39998927A05E69AD2E13EEC952A2AB122E03D9FEB28595AB4742993D3FC6DF7331DF13933D1A9AD4B5D4F31C4F3184CCD136C85DBFE65D2F3BAF49E
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8339329870737915
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:7ckpWcr7XfUK2w8s8Pl78hRu75GKXgCOh9s5vMYwd8u9Fu0sRJlVZXOp:okMs7vUJDl78hR4zXgz9ouqlh4
                                                                                                                                        MD5:7531DC476BE2099C2B893CF5FB923CE5
                                                                                                                                        SHA1:3E282024A570925C9357AE6CC233640132A52038
                                                                                                                                        SHA-256:D79864AB90ED55D804C6A2E3D2FF3FAE15709C275393521CE016C37892C2259A
                                                                                                                                        SHA-512:AC3315BDE05A53414A531E962803B288A61FDC3E074F54E43AB7BBFF78A566E05E2149B126D73CD91F1D76E369B6B74703CF16311504AC62CDC36E48CB2F22EA
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1274
                                                                                                                                        Entropy (8bit):7.856947259582312
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:9sdTddbEMjYV+di2Ka540upjVeLdlsIw0kxH1S9jC2AdcupcmjUC0sRJlVZXOp:9sdvbf8/2X540Ue/s90kn4jCZi9mrlh4
                                                                                                                                        MD5:408C16D989FF3746132A09CCFC021477
                                                                                                                                        SHA1:ED04C24F77D94196435FDF35884A28CF5DFA7D41
                                                                                                                                        SHA-256:3B24CCBD6B537B1C3F071D86EFA147B5493B3FBB1C5C6CD1ADF97BA4A56F8F3B
                                                                                                                                        SHA-512:144829640BD012D04FC55EFD0DC2FE38C3F1560E6A5E83F6A1E13C1003C59DE7882DFB71A12A857FAA8AD2DFEDB3550FE4473E36D28C9A7D18DF9B15766BA8A1
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8578348139355185
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:gLd+BQXwG50dlJa/fG1UwWQ3Z5sFYz9o2S4BBI5vIiRYXQ/5bFAvd0sRJlVZXOp:n/dls/uCuJz64BBEvICYAHSlh4
                                                                                                                                        MD5:4585BDF8CAF5F0509F2EBFFA26514605
                                                                                                                                        SHA1:32192DE6B442E3C0099A2DA8BC2A6D805AE27D31
                                                                                                                                        SHA-256:D3A22FF5BEABF5EE4A5B6E422259A266832543B8A51E04046E7C8C9569F1EC45
                                                                                                                                        SHA-512:91806A1033CC4BF3567C786BB2727EED2A6B2E6938102684AA8F25AE0F98AFD7CBEDE7D6E57E1F53CDD5C1F2D8606587305E4F7782667CF56CC766E6FF29625A
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1270
                                                                                                                                        Entropy (8bit):7.853610490855411
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:5xX8vWr0viBzNn+0WyhYeev6U6FaFv0mQzm8ZE8JftTPBJcqUx0R+F7tiH7kX0s+:j8OFNWa3UIU6m8ZECtvcqG0RGzblh4
                                                                                                                                        MD5:5A27A52535EEB602CA1E03E24B72C666
                                                                                                                                        SHA1:D4F1F828238656CD7D0FC95CAC30E11D6324F10E
                                                                                                                                        SHA-256:C7CB0E3DCF4EF55B477AD7D65AF05239BA82E39F57DCFE3E3A51BBA29266EA3B
                                                                                                                                        SHA-512:87670D1427A7648783BEF14C700B8624F51139A2ABA25E4C5A2084C49FA0F82B1CA84EBA1C98A23F07C2E98902592C8001A390A0E5C382D2620BB27C6CE888B2
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1273
                                                                                                                                        Entropy (8bit):7.841139373802653
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:AO5lQx2WsST8vd4fWf5v2fUICf3uta4ZG3lCUasD9nKTaA0sRJlVZXOp:A3x2WsSAvdmWF3f4ZG3lF9BoHlh4
                                                                                                                                        MD5:FF370AF7569B7D3D6ECA4623DF1A8DFF
                                                                                                                                        SHA1:7A0B0D6B6E90C782F52720E7A51DB30B7EAEA2B2
                                                                                                                                        SHA-256:D89688EAB3272302C85B96BC398E821D72DBD8DFDE1D49F7814C3BCD23277F6F
                                                                                                                                        SHA-512:48F13FEB35046197776124CD5C9E72DA3E1AA26095DC0CB4AA503980DC374ABF8B1C6094DB9F3C6770AFCB5EE3B2A7CDEAC8BD420E104570B4F59D080A73970B
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1274
                                                                                                                                        Entropy (8bit):7.852043009594679
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:abCfZY0l+Ku+dvd7Y+1Cz3CsxM9ajHe71I7O5C1DyIjVuXioj2fCqk0sRJlVZXOp:320T7YqCzSsxZhtRVG/aaqwlh4
                                                                                                                                        MD5:A77026D17A6F9778543F7C4146185108
                                                                                                                                        SHA1:5A4B14A6049B461A0C48AD88209F7622CBE38F22
                                                                                                                                        SHA-256:13870D24B577D426CA2D5F7F3A346B96C230C952D4198DC03AA3BC7D8CEF4731
                                                                                                                                        SHA-512:CAB6D70C586C24D0AEBB3ACB01C9589277CF9EB7F1DB41FA75ADBF24E0D9834276DA2F5C722043B3AF7076909514A6148E32BF177A259A051DC66C2C9E3C3C12
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.859352528930099
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:KKnWTCax5CgrlNrMellbrv816qvPbwTQumv9oHr5u0sRJlVZXOp:KKWTXVrlNxvT8gqv0WoHr5alh4
                                                                                                                                        MD5:4C8968E19930309BFA928079CBAACF7B
                                                                                                                                        SHA1:7FF548A15DFDB8BB6BE515B8B0B3F6C0A7D53656
                                                                                                                                        SHA-256:00A36A38AE30DCD83A609EE28E37FE4EDF1B1D758B7AFCC160E47232B516F09D
                                                                                                                                        SHA-512:7C643D711C72682A5CAE9E0D906889736ECE370C1CB31426A67AB26DE00522FEAB6A774272A16DCCF29F2C53768EE9BE6A7F7F529AFDFAF7FBCAD3B9B76B0BE9
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.851827094564246
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:Deq0lOJ5sjw//j4FoLGehQUbtPes7UctNV3BKeLZs4OrFAvUof0sRJlVZXOp:S7kEjw4FUqwtPZtJxLZhasTlh4
                                                                                                                                        MD5:7F1BB79C8FDE00B681574CA6D01C9F22
                                                                                                                                        SHA1:1C6B1C067FED7BF82793998E8F307E79B052AFF6
                                                                                                                                        SHA-256:2A1D8E694DEBDA643B95BAB3BB30FC29C846C2555065C69943E0082E3FD2E578
                                                                                                                                        SHA-512:3062F5E8BB82A7B47F76C2D52DD55D967692783DE21E114868A72505CF235F2EC599D940066B6A284231B354F30947060EBAA162E6E1C86E9AC90A160DCFB893
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.860103707356741
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:4dD8uiaUvB346HBU+TNbAFYtF4jK285WzF/+pD/z0Pldwde2xH0sRJlVZXOp:YgXvV46HyebAFcOzzs/YPlR2plh4
                                                                                                                                        MD5:B3C4D6480146197C83B3BE6FA27208E1
                                                                                                                                        SHA1:FD90EE4F1D63D5983C28835190A8C16AA99B967F
                                                                                                                                        SHA-256:6D2FC1153A8084CE0A0ABCC735C448BBCC35E1A426F85A945CD78A08F06C17E1
                                                                                                                                        SHA-512:6676E4402EFA41D8AD0135E3A51FF5FAB3699A1981B0B325EBD74D265A27C9ECCC0356A82899FE34BFF37BD424576635AA31BDFBED52B2334D8D5D14ACC40199
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1270
                                                                                                                                        Entropy (8bit):7.848360824508787
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:X1YQPmzy7pLx/pzrtkDT4qtZYLqoGhJH7JQSBUDfNAcXSjQp2HfZ0sRJlVZXOp:FYQOzy1xhkPtOZ0JH9PUDcbFlh4
                                                                                                                                        MD5:273CCB666A6C8D3823805EDCCBB6D2E7
                                                                                                                                        SHA1:C236328658B99ACB528942EAFDC5572687E2D0C0
                                                                                                                                        SHA-256:A167F2DD44F5B97F4A3F094F01760996A0CF0791BF66EC9BDED32B5C43CEEC25
                                                                                                                                        SHA-512:C32E5429CFA253B382B1258DFBEBA163080015BF088FFAF4D13E129C6473E08026EDA68A99CCE65658E125865364D3C3B8F4F625AC95EA25AB898DE114D3B659
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.845818529900182
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:FqI1+qhNaBjGS+nlzQ6D2HTuuIpgfkvQFAv7+0sRJlVZXOp:f4Oe+lza2ptv+tlh4
                                                                                                                                        MD5:4A9F4963D0362AA0C73E69886D9CFC05
                                                                                                                                        SHA1:ACE130715CBC6BCA3AA1B7C58CA00009FC276935
                                                                                                                                        SHA-256:69BFE01466D8212569C46453B93F745DC40420B3B0339C6B9EE4B85794159C4B
                                                                                                                                        SHA-512:85761EC7D41951BAB7901E245C1E83BF80BF88CC1B0777DA863D650044804572C8D4723285A19C850597D2F5452B2EF5223C597A3293B63B10BAADBD624A5A17
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1269
                                                                                                                                        Entropy (8bit):7.854089795821517
                                                                                                                                        Encrypted:false
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.844730074149185
                                                                                                                                        Encrypted:false
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1271
                                                                                                                                        Entropy (8bit):7.850875730398857
                                                                                                                                        Encrypted:false
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8517760469012
                                                                                                                                        Encrypted:false
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.831609822639301
                                                                                                                                        Encrypted:false
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8302145818811155
                                                                                                                                        Encrypted:false
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.841187705759036
                                                                                                                                        Encrypted:false
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1267
                                                                                                                                        Entropy (8bit):7.831668816559805
                                                                                                                                        Encrypted:false
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.8540291452466064
                                                                                                                                        Encrypted:false
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1271
                                                                                                                                        Entropy (8bit):7.840723873946243
                                                                                                                                        Encrypted:false
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1270
                                                                                                                                        Entropy (8bit):7.839216955584123
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:dzAHdTNxlaRfq1G2CTDVCXjsuIAGjlKhn1bCFlHF7tiHKmrMkETC0sRJlVZXOp:dzA9Fadq1qRY+PpYnwlXQUTmlh4
                                                                                                                                        MD5:819043EBE1294335169D0A4452C666DA
                                                                                                                                        SHA1:50906985228C7CD48659FEAE18ABBF1FC4FA4457
                                                                                                                                        SHA-256:3C83A94269444FCFEF5CFC07E178BB4D57E71C59F29D27BF0A664EB09A8DA255
                                                                                                                                        SHA-512:EE11F9534C5973E0605B95C88248A87959B45E8EFA3BDB9777BFF02FEB47483228091092EC457832E79CE204A91E6C6E20E3E9918969957C4CCBBD41ADBC6858
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1273
                                                                                                                                        Entropy (8bit):7.843254785573692
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:v4FYnk5xz07fhbA0ge4Kh6YJNQ8y4MLplD5PVasUvWNfIEqrpD9mG7aq0sRJlVZo:mYnk58AahfQ8fMLplD5daXWJArpBmGd4
                                                                                                                                        MD5:6764A31FBFA2E3A56626F8DFFEAE4200
                                                                                                                                        SHA1:A73C789157EDF34ED8EA5D9DB5E86454B64AC443
                                                                                                                                        SHA-256:4B5F4CC1ABAE6FCFE73E14E22174C8601099165657BE5B4A45AD367E2A6B33A2
                                                                                                                                        SHA-512:7900908C76CA6282D1C77ADC6875B80F2C8FD48138503F956FCF34E60773F9C5BFE25E1438FCBD03DE8471D5EF2D643CE173CBF72FA5D29EC824A999531C3AA8
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1274
                                                                                                                                        Entropy (8bit):7.834178359157306
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:IRhTJRqn+j5gLSADd5Au3bJMiEI9Ek5cTzntA0sRJlVZXOp:Ie+uZD93bJM7I9EKMbtUlh4
                                                                                                                                        MD5:AA047934C044C12888BDD8C75F4BF3DF
                                                                                                                                        SHA1:C96073F5E14FF25A11AF74F2F52A6F6A53532B0C
                                                                                                                                        SHA-256:9A4C845BD364EDE110F7F66C0B8B0487AAB6B9F5E8A4F3072899EF43306B741B
                                                                                                                                        SHA-512:53319D63E1A51D25B12B16D785D87CA041A63D009DCB3B297CE7448993A691BDDC56333A9AAE3FEF030E306AD998605CCECF8FD955FA7EC6EA7CE8FD85FC7BAB
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.872454328482177
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:+PbHPtd5sefKifh4auXBExgkpJoPnLCbDhEt+luAK5KbFmvzYtau0sRJlVZXOp:cbt7WLXBExVo/LS99luAbbcYUalh4
                                                                                                                                        MD5:EAB898AAFFFD5DB683AE9670B8B1E036
                                                                                                                                        SHA1:77D8932CAFECC61D7FCBD09922ED335DDAA6B341
                                                                                                                                        SHA-256:4C27B9828D64B10FB4ABD76D0E292269D3B1A18945304A2BB3F7B3547FF3F7E4
                                                                                                                                        SHA-512:265F3F5D4ED460951D7263FC0272B37D64ADEC01B3AAF35CA71299CCFACFD8E53BFFA7CEBEB0C4D88C9A6F8C422A1D31A21A7DC77EB2BC1D3F5A03DBCC013752
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1272
                                                                                                                                        Entropy (8bit):7.853031136056996
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:MRJiJehWFbAEKIpQVSpKx0j50ATbYev81kFSBdqask+oITKJU0uDPFAvIXu0sRJ+:xJ6yb9KCg0q0t9bV0aFSBdqas/oIT1hD
                                                                                                                                        MD5:D3CC32A550FF581536A4B3F7D5C7498B
                                                                                                                                        SHA1:C5DC4209F52C68934644E7756CA7C76B36C50670
                                                                                                                                        SHA-256:04E6FAC897327B6AD7EDED82E3CD27ED1B46AC0E5188154CED5C8F36BEE72DEE
                                                                                                                                        SHA-512:B77411A8597ECAA95B6818D64EEBA5DE35A26481E995F08D0760B39072799FC887892E3F4E0FF86321D50B3120175DD3CC5D1505424BF21B46EF8461E90B0803
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):350
                                                                                                                                        Entropy (8bit):7.490590638912238
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:tpDZbLRiwyEOcXfr0yn//KTEg/P8ZYePrWvsRvxUupKp3xI/VzXRIp:PxpXOKbnmEgHIZ0sRJlVVzXOp
                                                                                                                                        MD5:4B9DBFB9BB4B0E2D441D6FD0ABB026F6
                                                                                                                                        SHA1:6483AD8B070AE9D37C9D742D4DF5410DE0F7DA30
                                                                                                                                        SHA-256:14EC845ED043D39678A774677999A9B4708F27B2BAFC21734906CB4C54D8337D
                                                                                                                                        SHA-512:45F75D02461CCBF5843D07222D81C4F502258EB1B67BDCB12FA12903C4BFAAE03A6810273C0024CCF34E8F990BFE447749D6D502B564F82C755D3F2CA1853FA6
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):443
                                                                                                                                        Entropy (8bit):7.557058834592423
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12:0DGN2rqmbznK217OWeGGcN+0sRJlVVzXOp:CzK2PA0sRJlVZXOp
                                                                                                                                        MD5:30517017C84C8351C4E8915D287D733C
                                                                                                                                        SHA1:84DEC38EFD47C7E3242E9EA6948A197DBAA860A6
                                                                                                                                        SHA-256:E8792E538AC394DC9024C0A0F8AC3139026B9C92CB0AD5E2F4D94E42B5F1FAA1
                                                                                                                                        SHA-512:524A81A798E33D4E432036DE2BC7DD5A4A62C2EF10A55831414843C91F723F02FE477B2BEB7A7CFBC43125C3EB91C49EA0E00B875F7403EAB3B43DC622F48B7B
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):355
                                                                                                                                        Entropy (8bit):7.4650932960799725
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:/4863Te1AbyFfE8lHSMnl/bRqiEStAXPVgpJ8jrWvsRvxUupKp3xI/VzXRIp:/4811AifEALl/bPFuXenE0sRJlVVzXOp
                                                                                                                                        MD5:FA85E2A7F659A1046C99138424A0A387
                                                                                                                                        SHA1:C05C2714FEEF4752AF11E03E2CA09583BD9292C8
                                                                                                                                        SHA-256:35301D709F53147B361740DDCBE97288EC20E746B071A65A4F532E260E96AEC0
                                                                                                                                        SHA-512:FBD9692A2A5F3B56FF2D93617CC7D8DDC49A3813E62EA4E8520636D574EA6CEB55F65605DADA4C83039D8839013C0E0520BE6451C3921EF79AAEB99E493379D4
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):347
                                                                                                                                        Entropy (8bit):7.355791926216566
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:OQiV7FGAIP6jIjK1D8avGpYVhQtPQoUpoLkQy8urWvsRvxUupKp3xI/VzXRIp:OnBShu1D8N6SLUOu8k0sRJlVVzXOp
                                                                                                                                        MD5:64094FB6FADDAEE5E35F90573AAC80E2
                                                                                                                                        SHA1:19EC2F30DD9F18CFD82B0E068B232066B4F3A7D9
                                                                                                                                        SHA-256:568C7E4AF27E5DA2E308B333EE6AFCB230F4BF7BD51C20A41D259AA7FD87933E
                                                                                                                                        SHA-512:93D8C5A2CA3CE0A9481B50E2ADEC48DA6F094E5BA664E7B6B2275BBE9FA3E3F94149E67AEAD6A6393D80C9AFF4B6FF20BD505D0134C31E4AE2EBAAB701D1144D
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):344
                                                                                                                                        Entropy (8bit):7.397848641624924
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:pjLIiHmnYnnSN/y2Jf1V3POVkjK0i8cDBFnHgqNarWvsRvxUupKp3xI/VzXRIp:RVHmn2n8/y217OK20i8cDngZ0sRJlVVs
                                                                                                                                        MD5:4562C830004AFB7063AAFB3F1AC097BD
                                                                                                                                        SHA1:50FC0DD58B2125BE46B0DA037F94DDD20E633F3E
                                                                                                                                        SHA-256:A975F571C1604046FB5FC3D1AA1C37E91E1E4C39AB295BC36FED89FC0EDF4037
                                                                                                                                        SHA-512:8D7572ED1CDE8809A50D2DBEE08B784BC561AB35839BBABF4279CAA5743268ACCFE3021D5B89F2D8BE83A7E39480E9DCB4D3761CCAAEE6FB204DD6302F7234DB
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):353
                                                                                                                                        Entropy (8bit):7.445573718877974
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:fFjVj7e+IvFdXTXlviNCL0/jkFXEfOyjHDarWvsRvxUupKp3xI/VzXRIp:xVj7efr5acLOjxfOyTDg0sRJlVVzXOp
                                                                                                                                        MD5:FF677B4833C636485C246D690E4FBA4F
                                                                                                                                        SHA1:D875D5F5E0B08AA79402ADD5423D0D9A4F215C4A
                                                                                                                                        SHA-256:D307AEAA8D5635745370F1207AE4EB116C4ADD98622CD2BD005BA7F6562934D2
                                                                                                                                        SHA-512:F8245E95F9DEFDB5334D2A7F7489810591B71864CF2A877F7645D96BE34DAB29E5B2D95F6420D33CBA5E4C8DDB12C3F1CEE512E887D128950E29A336ABECAE5B
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):349
                                                                                                                                        Entropy (8bit):7.459344948312659
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:cwuIt3tHelhYxxkrPk8JOkdzVOxR8/S2+c5My9QN4TrWvsRvxUupKp3xI/VzXRIp:c+ptH6ijkrPDOkfOsS4SQQN4n0sRJlVu
                                                                                                                                        MD5:85DD973D177BB5ACF1F88B3EC5379EE8
                                                                                                                                        SHA1:BB6054C1718F91D060CD545005E16AD32C99FB99
                                                                                                                                        SHA-256:DDDD498871555FBEE2991626EF3245FA35FA7BAEB1A45820B977BF87BC8FCD24
                                                                                                                                        SHA-512:04E796171861C2CECD7948BC67F8AC7B2384831728AAD5C1529D493E30DDE107CF57104FA8952942F83F31D3A12F8D23E988C349A8C0B93FCF90AC66F5967E6D
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):350
                                                                                                                                        Entropy (8bit):7.361640113349071
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:AjSW1pNCEpKoBRrqrxqPwl2VOMFYOTKzvrL0zrWvsRvxUupKp3xI/VzXRIp:fW1fCEpPBRrgOwloOEYyQ0H0sRJlVVzo
                                                                                                                                        MD5:B3AF4240883CD969A50A75C0BC0E6D4F
                                                                                                                                        SHA1:0135E4F910C9F9E9AE857E2B07CEE9B748328997
                                                                                                                                        SHA-256:CC893096D642CFC9699A98731F725787E3E562D6C46FF4D72F60911A1458D013
                                                                                                                                        SHA-512:ADEDDB47950A775B482348F2866FFCAAE51C882AAFEFFB42C84E664DFD7A9EC76556F73B1857AFC9ECE5F7C13CB1E848B03378DDCBE59A9E1E373D099FB582F0
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):356
                                                                                                                                        Entropy (8bit):7.442049152784242
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:K9Zy9Ht7gP8mDyC0NkFpn9acrh1LE0r2PGSk4rCKifzrWvsRvxUupKp3xI/VzXRe:KG9HyKyn9rh1LTr2+NlfH0sRJlVVzXOp
                                                                                                                                        MD5:0EDFFA1698E5551E72CCD9EB9B930199
                                                                                                                                        SHA1:710B2BC676AE77E1889096D4287970E0F2F89BEB
                                                                                                                                        SHA-256:88779CE0BD48DB665F72BEF923CA4402ADEF5F1013A265F45282B9C874DB0FAE
                                                                                                                                        SHA-512:B4688595A0ABC1D688B7F5AB77386AF163CABC84864030E1219FC4361A5E24CF1411C103A66CFBF995771F6064D10B5AE4CCC225BE8DA5938E0ECF44D3D9B8F5
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):350
                                                                                                                                        Entropy (8bit):7.442508006274205
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:fVpqtzaDbnWx2d2nRPhZyCcJsUhVOJke5XH5vJvrWvsRvxUupKp3xI/VzXRIp:fPqBaDbnYj9ODOqe5XHbz0sRJlVVzXOp
                                                                                                                                        MD5:8D38861562F9D891FD66B57A61AA4425
                                                                                                                                        SHA1:7CD8F951BC057B3CE2589BFCB366E8335C291159
                                                                                                                                        SHA-256:C9ADF75122580942C92C3100AB151E540871AE2D2B47D801068EAFD3EA2BFCC3
                                                                                                                                        SHA-512:AC4049FACCBF41296D4A559CB8DDFCC3648D3563D474CCC159508757B06EEA30ABC8D8E957CEACF3DCC6B8C2C697D73531A0DC7B27C478371EC8C87D56598911
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:true
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):497
                                                                                                                                        Entropy (8bit):7.553449692742676
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:0EjvCEu0bxC3LB0AqhT6+DIpFXuSfTQE7MdffOR8ODNUWcgx0rWvsRvxUupKp3x3:0uIinW7rXdpYc8ODPVS0sRJlVVzXOp
                                                                                                                                        MD5:ABF304BD61619623451E583FAC0DD797
                                                                                                                                        SHA1:B7CF85F7F2FD38059BA534E561F8E734206836DA
                                                                                                                                        SHA-256:43BA45B7FB8835B5FDBAF36439A5D6C90FE0BA4FD10DD58982470C98566C903A
                                                                                                                                        SHA-512:5EAA598C1AB9B8D10B03F6CDF66818D01B80DF32CB6F6469D959153569216A6D136A873338BAAF6FBA5B061406EE0B60D9E74F741470DCD0DDFB042688FA9B0C
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):511
                                                                                                                                        Entropy (8bit):7.597339236484227
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12:2LLoTdU62N0pO3hiUbjDcfh1qQ+RIVF0sRJlVVzXOp:kLoTdUb0kRiUbjCiry0sRJlVZXOp
                                                                                                                                        MD5:FBA06CB835CE1361345435AE39155C56
                                                                                                                                        SHA1:EAF6DE438ED650E2C63064815B4F3E69BD19E918
                                                                                                                                        SHA-256:405215C0518CBA970F79A798FEAAF6461463D5824C7E5B6396E71A66EBEBF535
                                                                                                                                        SHA-512:CB9A43C53057B3DFE95FC7DDE67639012E658030A1EAF799B6239D13242D72805DA7A533C110AE1E684F941EA3DE67E2345056E2BEF798E7B10E9BC796DE42E0
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1173
                                                                                                                                        Entropy (8bit):7.838615270266975
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:HU1gqPT9+pCZTf1sUjax133kNP4WeygvtQghtMhR60sRJlVZXOp:HUF+cTRjUMPtevjQholh4
                                                                                                                                        MD5:2CEF7668573771DD4242335179EBB3C5
                                                                                                                                        SHA1:B56792681987B487F81CFAD9C983E262466DC2B2
                                                                                                                                        SHA-256:EAC172C1898B6167BE158E606CCDF03C71C92DF80231C6645BA4163FA562DD6A
                                                                                                                                        SHA-512:E2FAD15A7427A7DF3883A4D0550E4FD29CB749F07DC6208753C8327D1AEFA61933035F646AA4F74113449AEAADC79CFB90518B49C81221D7C125100089F91980
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with very long lines (837), with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):6291
                                                                                                                                        Entropy (8bit):5.03015880843669
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:192:mMiSZuBoGdN8zNOWp0UgAD/QCiS57diS1u1slkGijwwxwwuiSOQYTbt6:biSuJXW0Wp0GMCiAimkA9i0
                                                                                                                                        MD5:F0921DDFCD8040590262C0CDD94D84D3
                                                                                                                                        SHA1:161288D26820D5FBEB8B83AAAE9F5CF9C819AE33
                                                                                                                                        SHA-256:E94EB00F7A06BD20C476CBE1AB73015AF58CE8AD9DFE5BD0897767568C0C89DE
                                                                                                                                        SHA-512:6C0E735A519A581CF496DF7B54E232425CAA975694AEE1E84D2158E39580D0791B4A325B8821592DFB416431EB66161138026632E29439A86D19F8B7C11DF6F8
                                                                                                                                        Malicious:true
                                                                                                                                        Preview:~~~ You have been attacked by LockBit 4.0 - the fastest, most stable and immortal ransomware since 2019 ~~~~....>>>>> You must pay us.....Tor Browser Links BLOG where the stolen infortmation will be published:..( often times to protect our web sites from ddos attacks we include ACCESS KEY - ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA )..http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/..http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/..http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/..http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/..http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/..http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/..http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/....>>>>> What is the guarantee that we won't scam you? ..We are the oldest extortion gang on the planet and nothing is more important to us than our
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):239
                                                                                                                                        Entropy (8bit):7.146457759764038
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:t6So+K7Tvijqqx0arWvsRvxUupKp3xI/VzXRIp:pK/v4qi0sRJlVVzXOp
                                                                                                                                        MD5:4156C45EC62DFF5E95E571DD6BDDB2F7
                                                                                                                                        SHA1:CAE3B1638F4DCDF004BDBD2D9A74F512C3A9AAA5
                                                                                                                                        SHA-256:A60119E1D2A5FC0BD8E6F63CF637CC59CE000CD9609FACF1260AF5629F5D65E7
                                                                                                                                        SHA-512:F3DFD3B48BD92239A22F77192EA3294780F45AB9043CAD05E6ABB471D3FF6ABBE656F96498A9B8909ABE343C16A766CCF0C4BC59C1CEFBE8E34E47E01B43BB81
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\Windows\splwow64.exe
                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):13757689
                                                                                                                                        Entropy (8bit):7.893099990403852
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:196608:1BZ6qkyGEsZdEj1KZeu804xdUGHxe5iR/IRT2YB7YqE:YVZdIuhkpe6QNI
                                                                                                                                        MD5:F468E2E46C09FBA14A7C9E247E6AEA90
                                                                                                                                        SHA1:0477838811283B4AC54D995BD8F6DC9F47AEBB31
                                                                                                                                        SHA-256:1F211B92C80BC7CC33571365BC46AA1A2D038EF15A16639306A0AD4BCB71A5C4
                                                                                                                                        SHA-512:20A31015396644C5B1737A98ADAAE01E5FC6F604B62449B3DBDC41B69C7116AF6D810276067B503198D9E5D1A1DB7208462B8D14DD83B60226B6DD386C9C90FA
                                                                                                                                        Malicious:false
                                                                                                                                        Process:C:\ProgramData\F43.tmp
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):477817
                                                                                                                                        Entropy (8bit):7.9967879615440305
                                                                                                                                        Encrypted:true
                                                                                                                                        SSDEEP:6144:g2qBP0l2qBP0l2qBP0l2qBP0l2qBP0l2qBP0l2qBP0l2N:8
                                                                                                                                        MD5:1D42A7B0F82095650A8B583FC09EB649
                                                                                                                                        SHA1:1A9C2D30B130992168C127359A9600205A18C418
                                                                                                                                        SHA-256:C3947BFA4E7826E3EBE46C4AA5D06784B8911CC9B770104D124E6F5F22ACD60D
                                                                                                                                        SHA-512:4DAA389651BA2B82CE5C53F80AF6000AC6850FF03F589B69EA29A9EF1ECDFB929E3446B139A67D93D56AF39D18D28BA808AC8E877925E19AFC0B5ABA463C2573
                                                                                                                                        Malicious:false
                                                                                                                                        File type:ASCII text, with very long lines (65312), with CRLF, LF line terminators
                                                                                                                                        Entropy (8bit):3.480378254746028
                                                                                                                                        TrID:
                                                                                                                                          File name:lZyN9NTrS2.ps1
                                                                                                                                          File size:477'817 bytes
                                                                                                                                          MD5:42cbb4743ea016868d7a049a6c9fb3fc
                                                                                                                                          SHA1:62dca0b897feba00370bd505b3a3f8cc5e8f2615
                                                                                                                                          SHA256:a33f21d28bd83a9501257ee727c46486989bdfea6d5cb9f1c12c9a67296b21b1
                                                                                                                                          SHA512:dd26ed19d4120a22f3716292b9670a50026b1ea4c37ea634de27d9292912c7383eb76723c38543494b95abd67d75e7ecebea83997994538493e92efae8c1efa8
                                                                                                                                          SSDEEP:1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJy:GR
                                                                                                                                          TLSH:5CA408F0636099E3B6D94993B265191E3B2A103F7EC635D84182FBDD1C7B6C08A19CD7
                                                                                                                                          File Content Preview:for ($i = 0; $i -lt $args.count; $i++ ){$argument += $args[$i] + ' '} . $psFile=$PSCommandPath.$global:ProgressPreference = "SilentlyContinue"....# -- thread variables..$script:threadBody = '$data=$threadData;'..$data = @(..@(62416317159553766,61715855556
                                                                                                                                          Icon Hash:3270d6baae77db44
                                                                                                                                          No network behavior found

                                                                                                                                          Target ID:0
                                                                                                                                          Start time:06:39:56
                                                                                                                                          Start date:23/12/2024
                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lZyN9NTrS2.ps1"
                                                                                                                                          Imagebase:0x7ff7be880000
                                                                                                                                          File size:452'608 bytes
                                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:1
                                                                                                                                          Start time:06:39:56
                                                                                                                                          Start date:23/12/2024
                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                          File size:862'208 bytes
                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:3
                                                                                                                                          Start time:06:39:58
                                                                                                                                          Start date:23/12/2024
                                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\lZyN9NTrS2.ps1
                                                                                                                                          Imagebase:0x1d0000
                                                                                                                                          File size:433'152 bytes
                                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Yara matches:
                                                                                                                                          • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000003.00000002.2629857137.0000000009A12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                          • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                          • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                          • Rule: Windows_Hacktool_Mimikatz_355d5d3a, Description: Detection for Invoke-Mimikatz, Source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                          • Rule: Empire_Invoke_Gen, Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                          • Rule: Empire_PowerShell_Framework_Gen5, Description: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000003.00000002.2583323436.00000000065C7000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                          • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000003.00000002.2583323436.0000000006662000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                          • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000003.00000002.2583323436.0000000006662000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:4
                                                                                                                                          Start time:06:39:58
                                                                                                                                          Start date:23/12/2024
                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                          File size:862'208 bytes
                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:8
                                                                                                                                          Start time:06:40:11
                                                                                                                                          Start date:23/12/2024
                                                                                                                                          Path:C:\Windows\splwow64.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\splwow64.exe 12288
                                                                                                                                          Imagebase:0x7ff691d40000
                                                                                                                                          File size:163'840 bytes
                                                                                                                                          MD5 hash:77DE7761B037061C7C112FD3C5B91E73
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:13
                                                                                                                                          Start time:06:40:48
                                                                                                                                          Start date:23/12/2024
                                                                                                                                          Path:C:\ProgramData\F43.tmp
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:"C:\ProgramData\F43.tmp"
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          File size:14'336 bytes
                                                                                                                                          MD5 hash:294E9F64CB1642DD89229FFF0592856B
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Antivirus matches:
                                                                                                                                          • Detection: 100%, Avira
                                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                                          • Detection: 87%, ReversingLabs
                                                                                                                                          Reputation:moderate
                                                                                                                                          Has exited:false

                                                                                                                                          Target ID:14
                                                                                                                                          Start time:06:40:50
                                                                                                                                          Start date:23/12/2024
                                                                                                                                          Path:C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:/insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{0ABB2406-12BC-4E6C-8C0C-B2880C04A53C}.xps" 133794276123940000
                                                                                                                                          Imagebase:0x180000
                                                                                                                                          File size:2'191'768 bytes
                                                                                                                                          MD5 hash:0061760D72416BCF5F2D9FA6564F0BEA
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:moderate
                                                                                                                                          Has exited:false

                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.2150235618.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd

                                                                                                                                            Execution Graph

                                                                                                                                            Execution Coverage:5.3%
                                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                                            Signature Coverage:17.1%
                                                                                                                                            Total number of Nodes:932
                                                                                                                                            Total number of Limit Nodes:1
RtlFreeHeap NtTerminateProcess 63104->63105 63105->63104 63107 9ea03f8 SetFilePointerEx 63106->63107 63108 9ea0464 63106->63108 63107->63108 63109 9ea0417 ReadFile 63107->63109 63108->63063 63109->63108 63110 9ea0436 63109->63110 63111 9ea02ac RtlAllocateHeap 63110->63111 63112 9ea0447 63111->63112 63112->63108 63113 9e986f8 RtlFreeHeap 63112->63113 63113->63108 63115 9ea09a0 63114->63115 63116 9ea09d1 63115->63116 63117 9ea0214 RtlAllocateHeap RtlFreeHeap 63115->63117 63118 9e986d0 RtlAllocateHeap 63116->63118 63117->63116 63125 9ea09dd 63118->63125 63119 9ea0b77 63121 9ea0b85 63119->63121 63123 9e986f8 RtlFreeHeap 63119->63123 63120 9e986f8 RtlFreeHeap 63120->63119 63122 9ea0b93 63121->63122 63124 9e986f8 RtlFreeHeap 63121->63124 63122->63080 63122->63081 63123->63121 63124->63122 63126 9e986d0 RtlAllocateHeap 63125->63126 63133 9ea0b24 63125->63133 63127 9ea0a3a 63126->63127 63128 9e986d0 RtlAllocateHeap 63127->63128 63127->63133 63129 9ea0a69 63128->63129 63130 9e986d0 RtlAllocateHeap 63129->63130 63129->63133 63131 9ea0b1b 63130->63131 63132 9e986f8 RtlFreeHeap 63131->63132 63131->63133 63132->63133 63133->63119 63133->63120 63134->63075 63135->63075 63136->63075 63137->62860 63138->62870 63140 9ea270b 63139->63140 63141 9ea281a RegCreateKeyExW 63140->63141 63144 9ea2758 63140->63144 63142 9ea2847 63141->63142 63141->63144 63143 9ea28c2 RegDeleteKeyExW 63142->63143 63142->63144 63143->63144 63144->62885 63146 9e98b3a NtQueryInformationToken 63145->63146 63147 9e98b23 63145->63147 63149 9e98b35 63146->63149 63147->63146 63147->63149 63148 9e98b8c 63148->62904 63149->63148 63150 9e986f8 RtlFreeHeap 63149->63150 63150->63148 63152 9e986d0 RtlAllocateHeap 63151->63152 63153 9e98c65 63152->63153 63153->62892 63154->62915 63156 9e9d4fc 63155->63156 63157 9e986d0 RtlAllocateHeap 63156->63157 63158 9e9d51d 63157->63158 63158->62930 63209 9e9afe0 63159->63209 63165 9e98c54 RtlAllocateHeap 63164->63165 63166 9e9e014 63165->63166 63167 9e9e0ff 63166->63167 63168 9e986d0 
RtlAllocateHeap 63166->63168 63169 9e986f8 RtlFreeHeap 63167->63169 63171 9e9e10d 63167->63171 63175 9e9e02b 63168->63175 63169->63171 63170 9e9e11b 63173 9e9e129 63170->63173 63174 9e986f8 RtlFreeHeap 63170->63174 63171->63170 63172 9e986f8 RtlFreeHeap 63171->63172 63172->63170 63174->63173 63175->63167 63176 9e986f8 RtlFreeHeap 63175->63176 63177 9e9e059 63176->63177 63178 9e986d0 RtlAllocateHeap 63177->63178 63179 9e9e069 63178->63179 63179->63167 63248 9e98d58 63179->63248 63182 9e986f8 RtlFreeHeap 63183 9e9e09c 63182->63183 63254 9e9df28 63183->63254 63186 9e9e0de 63188 9e9df28 7 API calls 63186->63188 63187 9e9cdf0 NtSetInformationThread 63187->63186 63189 9e9e0e9 63188->63189 63190 9e9df28 7 API calls 63189->63190 63191 9e9e0f4 63190->63191 63192 9e9df28 7 API calls 63191->63192 63192->63167 63197 9e99c84 63193->63197 63194 9e986d0 RtlAllocateHeap 63194->63197 63195 9e99c96 NtQuerySystemInformation 63195->63197 63196 9e986f8 RtlFreeHeap 63196->63197 63197->63194 63197->63195 63197->63196 63199 9e9b5d0 3 API calls 63198->63199 63201 9e9adb8 63199->63201 63200 9e9ae28 63202 9e9ae4d 63200->63202 63290 9e9ace4 RtlAllocateHeap RtlFreeHeap NtQuerySystemInformation 63200->63290 63201->63200 63203 9e9adcf NtSetInformationThread 63201->63203 63203->63200 63205 9e9ade3 63203->63205 63287 9e9abe0 OpenSCManagerW 63205->63287 63207 9e9adf8 63207->63200 63289 9e9aa18 RtlAllocateHeap RtlFreeHeap 63207->63289 63210 9e9b0c1 63209->63210 63211 9e9b285 RegCreateKeyExW 63210->63211 63212 9e9b2df RegCreateKeyExW 63211->63212 63218 9e9b2b9 63211->63218 63214 9e9b3fa 63212->63214 63215 9e9b3d4 63212->63215 63224 9e9aed4 63214->63224 63215->63214 63220 9e9b3fc OpenEventLogW 63215->63220 63216 9e9b2e4 RegCreateKeyExW 63217 9e9b312 RegSetValueExW 63216->63217 63216->63218 63217->63218 63219 9e9b334 RegSetValueExW 63217->63219 63218->63212 63218->63216 63219->63218 63221 9e9b352 OpenEventLogW 63219->63221 63220->63215 63222 9e9b414 ClearEventLogW 63220->63222 63221->63218 63223 
9e9b36a ClearEventLogW 63221->63223 63222->63215 63223->63218 63231 9e9ae54 RtlAdjustPrivilege 63224->63231 63226 9e9afac 63227 9e9afcd 63226->63227 63228 9e9afc4 CloseServiceHandle 63226->63228 63228->63227 63229 9e9aeed 63229->63226 63234 9e9fbb8 63229->63234 63238 9e9b5d0 63231->63238 63233 9e9ae8c 63233->63229 63235 9e9fc12 63234->63235 63236 9e9fc2a 63235->63236 63237 9e9fc16 NtTerminateProcess 63235->63237 63236->63226 63237->63236 63239 9e986d0 RtlAllocateHeap 63238->63239 63242 9e9b5ee 63239->63242 63240 9e9b5f1 NtQuerySystemInformation 63241 9e9b607 63240->63241 63240->63242 63246 9e986f8 RtlFreeHeap 63241->63246 63242->63240 63243 9e9b624 63242->63243 63244 9e986f8 RtlFreeHeap 63243->63244 63245 9e9b62c 63244->63245 63245->63233 63247 9e9b66a 63246->63247 63247->63233 63249 9e98d7f 63248->63249 63263 9e98d00 63249->63263 63251 9e98d9f 63252 9e986f8 RtlFreeHeap 63251->63252 63253 9e98db3 63252->63253 63253->63182 63255 9e9df4d 63254->63255 63256 9e9dfe3 63255->63256 63258 9e986d0 RtlAllocateHeap 63255->63258 63257 9e9dff1 63256->63257 63259 9e986f8 RtlFreeHeap 63256->63259 63257->63186 63257->63187 63260 9e9df5f 63258->63260 63259->63257 63260->63256 63266 9e9de64 63260->63266 63271 9e9dbcc 63260->63271 63264 9e986d0 RtlAllocateHeap 63263->63264 63265 9e98d23 63264->63265 63265->63251 63267 9e98794 RtlAllocateHeap 63266->63267 63270 9e9de80 63267->63270 63268 9e9df1e 63268->63260 63269 9e986f8 RtlFreeHeap 63269->63268 63270->63268 63270->63269 63272 9e9dbf4 63271->63272 63276 9e986d0 RtlAllocateHeap 63272->63276 63285 9e9dbf8 63272->63285 63273 9e9de3e 63275 9e9de4c 63273->63275 63277 9e986f8 RtlFreeHeap 63273->63277 63274 9e9de35 DeleteDC 63274->63273 63275->63260 63278 9e9dc21 63276->63278 63277->63275 63279 9e9dc74 CreateDCW 63278->63279 63278->63285 63280 9e9dc91 63279->63280 63279->63285 63281 9e9dd32 StartDocW 63280->63281 63284 9e9dd62 63281->63284 63281->63285 63282 9e9dd80 63283 9e9de00 EndDoc 63282->63283 63283->63285 63284->63282 63286 9e9ddee 
EndPage 63284->63286 63285->63273 63285->63274 63286->63283 63286->63284 63288 9e9ac14 63287->63288 63288->63207 63289->63200 63290->63202 63292 9e98c54 RtlAllocateHeap 63291->63292 63293 9e98dd4 63292->63293 63294 9e990ab 63293->63294 63295 9e986d0 RtlAllocateHeap 63293->63295 63294->62545 63324 9e99edc 63294->63324 63299 9e98df1 63295->63299 63296 9e990a3 63297 9e986f8 RtlFreeHeap 63296->63297 63297->63294 63298 9e986f8 RtlFreeHeap 63298->63296 63299->63296 63300 9e986d0 RtlAllocateHeap 63299->63300 63301 9e98e74 63299->63301 63323 9e99095 63299->63323 63300->63301 63302 9e986d0 RtlAllocateHeap 63301->63302 63303 9e98ea7 63301->63303 63302->63303 63304 9e986d0 RtlAllocateHeap 63303->63304 63305 9e98eda 63303->63305 63304->63305 63306 9e986d0 RtlAllocateHeap 63305->63306 63308 9e98f0d 63305->63308 63306->63308 63307 9e98fa6 63314 9e98fdd 63307->63314 63315 9e986d0 RtlAllocateHeap 63307->63315 63309 9e986d0 RtlAllocateHeap 63308->63309 63310 9e98f40 63308->63310 63309->63310 63311 9e986d0 RtlAllocateHeap 63310->63311 63312 9e98f73 63310->63312 63311->63312 63312->63307 63313 9e986d0 RtlAllocateHeap 63312->63313 63313->63307 63316 9e986d0 RtlAllocateHeap 63314->63316 63314->63323 63315->63314 63317 9e99018 63316->63317 63318 9e98d58 2 API calls 63317->63318 63317->63323 63319 9e99040 63318->63319 63320 9e986d0 RtlAllocateHeap 63319->63320 63321 9e9905f 63320->63321 63322 9e986f8 RtlFreeHeap 63321->63322 63321->63323 63322->63323 63323->63298 63325 9e99ef1 NtQueryDefaultUILanguage 63324->63325 63326 9e99f17 63325->63326 63326->62545 63328 9e986d0 RtlAllocateHeap 63327->63328 63329 9e98bc1 63328->63329 63329->62543 63331 9e986d0 RtlAllocateHeap 63330->63331 63332 9e9db29 63331->63332 63332->62548 63334 9e9d089 63333->63334 63335 9e9b85e 63334->63335 63336 9e9d090 RtlAdjustPrivilege 63334->63336 63335->62553 63336->63334 63338 9e9cfff 63337->63338 63339 9e9d003 NtQueryInformationToken 63338->63339 63340 9e9b868 63338->63340 63339->63340 63340->62559 63341 9e9cdb8 
63340->63341 63342 9e9b5d0 3 API calls 63341->63342 63343 9e9cdd5 63342->63343 63343->62562 63345 9e9e3ac 63344->63345 63346 9e9b8f8 63344->63346 63347 9e98c54 RtlAllocateHeap 63345->63347 63346->62566 63348 9e9e3bd 63347->63348 63348->63346 63349 9e986d0 RtlAllocateHeap 63348->63349 63353 9e9e3d9 63349->63353 63350 9e9e5d9 63351 9e986f8 RtlFreeHeap 63350->63351 63351->63346 63352 9e986f8 RtlFreeHeap 63352->63350 63353->63350 63354 9e9e42d CreateFileW 63353->63354 63356 9e9e5c1 63353->63356 63355 9e9e481 WriteFile 63354->63355 63354->63356 63355->63356 63357 9e9e49c RegCreateKeyExW 63355->63357 63356->63352 63357->63356 63358 9e9e4c5 RegSetValueExW 63357->63358 63358->63356 63360 9e9e4f7 RegCreateKeyExW 63358->63360 63360->63356 63362 9e9e572 RegSetValueExW 63360->63362 63362->63356 63364 9e9e5a6 SHChangeNotify 63362->63364 63364->63356 63365->62549 63366->62541 63367->62559 63368->62564 63369->62558 63370->62610 63371->62572 63372->62652 63373->62615
Strings
Memory Dump Source
• Source File: 00000003.00000002.2646342689.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9f40000_powershell.jbxd
Similarity
• API ID:
• API String ID: 0-2341897433
• Opcode ID: 4f26d59197a39136f3b856ec5b03b79be0a1cbe236e4235bfe7a0df8a2001351
• Instruction ID: b4e1b00771e2e12257901b6189d428bebd6bc4bc771764ee46eb10f894d3508e
• Opcode Fuzzy Hash: 4f26d59197a39136f3b856ec5b03b79be0a1cbe236e4235bfe7a0df8a2001351
• Instruction Fuzzy Hash: CC73A130A04214DFDB15DF68C851BAABBB6FF85300F1585A9E9099B391CB72ED81CF91

Control-flow Graph
[Graph not reproduced: code starting at 9e9d660; legend: Executed / Not Executed. API calls labelled in the graph, in order: GetTempFileNameW, CreateFileW, WriteFile, CreateProcessW, NtQueryInformationProcess, NtWriteVirtualMemory, NtDuplicateObject, CreateNamedPipeW, ResumeThread, ConnectNamedPipe]
Strings
Memory Dump Source
• Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID: @%$D
• API String ID: 0-3291477194
• Opcode ID: fbd99ee8b9528eb810271947db7ba2ac89f65e390e0485329bf02ba83fcdc128
• Instruction ID: 262c50830715402aa8a3546847a9805e536c11c9e046cab7a5c335a7a47c3f53
• Opcode Fuzzy Hash: fbd99ee8b9528eb810271947db7ba2ac89f65e390e0485329bf02ba83fcdc128
• Instruction Fuzzy Hash: 3AE11871914219EEEF21DF90CC49BEEBBBCAB04304F0050A9F609A61A0D7B55E98CF56

Control-flow Graph
[Graph not reproduced: code starting at 9e9afe0; legend: Executed / Not Executed]
APIs
• RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000,?,00000007,?,00000004,?,00000019,?), ref: 09E9B2AB
• RegCreateKeyExW.KERNEL32(00000000,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000), ref: 09E9B308
• RegSetValueExW.KERNEL32(00000000,?,00000000,00000004,00000000,00000004), ref: 09E9B32A
• RegSetValueExW.KERNEL32(00000000,?,00000000,00000001,?,00000064), ref: 09E9B348
• OpenEventLogW.ADVAPI32(00000000,?), ref: 09E9B35B
• ClearEventLogW.ADVAPI32(00000000,00000000), ref: 09E9B36F
• RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000), ref: 09E9B3CA
• OpenEventLogW.ADVAPI32(00000000,?), ref: 09E9B405
• ClearEventLogW.ADVAPI32(00000000,00000000), ref: 09E9B419
Memory Dump Source
• Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
Yara matches
Similarity
• API ID: Event$Create$ClearOpenValue
• String ID:
• API String ID: 4090462516-0
• Opcode ID: 5e7ef846cd307073bbf19bc665a54d28b837800cf2b4f9eb85a900809f734e90
• Instruction ID: 3bdf8dd032e10c066e75b578b2972f7497d7cae7e3896aa4bf108b7b37246a90
• Opcode Fuzzy Hash: 5e7ef846cd307073bbf19bc665a54d28b837800cf2b4f9eb85a900809f734e90
• Instruction Fuzzy Hash: 24C1F2B0450B04EFEB51DF51D989BA8BF78EB04300F168099E6196F2B2E3769A84CF51

Control-flow Graph
[Graph not reproduced: code starting at 9e994bc; legend: Executed / Not Executed]
APIs
  • Part of subcall function 09E986D0: RtlAllocateHeap.NTDLL(?,00000008,?,?,09E9B5EE,00000400), ref: 09E986EC
• FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 09E99543
• GetFileAttributesW.KERNELBASE(00000000), ref: 09E995D6
• DeleteFileW.KERNEL32(00000000), ref: 09E99621
• FindNextFileW.KERNELBASE(000000FF,?), ref: 09E99640
Strings
Memory Dump Source
• Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
Yara matches
Similarity
• API ID: File$Find$AllocateAttributesDeleteFirstHeapNext
• String ID: *
• API String ID: 2270753430-163128923
• Opcode ID: 4bebc2902e955a81901d17edc0678ee604d352a148e74d404fed57e788fc4858
• Instruction ID: 3c07c71976140f5af70e261aca18d484e8c45e3e3a4118c4a8889f2a104e060c
• Opcode Fuzzy Hash: 4bebc2902e955a81901d17edc0678ee604d352a148e74d404fed57e788fc4858
• Instruction Fuzzy Hash: 96419A70C10218EBDF225FA5DC4DBAEBB79BF00385F005468E412A50B2D7B66E64DF86

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • FindFirstFileW.KERNEL32(?,?,?,00000004), ref: 09E97B93
                                                                                                                                            • FindClose.KERNEL32(000000FF,?,00000000), ref: 09E97BB8
                                                                                                                                            • FindNextFileW.KERNELBASE(000000FF,?,?,00000000), ref: 09E97BDD
                                                                                                                                            • FindClose.KERNEL32(000000FF), ref: 09E97BEA
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Find$CloseFile$FirstNext
                                                                                                                                            • String ID: 0vi}
                                                                                                                                            • API String ID: 1164774033-463007280
                                                                                                                                            • Opcode ID: 5bc3e13c21c5ddd94f8159042bcb25858366f23ae42f85bbb64e34c30d2c8509
                                                                                                                                            • Instruction ID: 8e321ef61aade0e852a9c00c76943ed89c0573fbedded657b002056f1adb99d4
                                                                                                                                            • Opcode Fuzzy Hash: 5bc3e13c21c5ddd94f8159042bcb25858366f23ae42f85bbb64e34c30d2c8509
                                                                                                                                            • Instruction Fuzzy Hash: 57417270C30244EFEF21AF61D889BA97B75EB04314F10A0A9E50A9A165E7769DCCCF52
                                                                                                                                            APIs
                                                                                                                                            • SetThreadPriority.KERNEL32(000000FE,00000002), ref: 09EA0F55
                                                                                                                                            • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,09EADF10,003D0900), ref: 09EA0FC2
                                                                                                                                            • FindNextFileW.KERNELBASE(000000FF,?), ref: 09EA10F4
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FileFind$FirstNextPriorityThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 247853790-0
                                                                                                                                            • Opcode ID: a1385df6c9262eb1e8aea4faaa71957c51f7b9f4a0323e6162028584a794da4d
                                                                                                                                            • Instruction ID: cc3574eea9a26e406647abd1e9e07938f1371a457b535313d97b94d77d390e00
                                                                                                                                            • Opcode Fuzzy Hash: a1385df6c9262eb1e8aea4faaa71957c51f7b9f4a0323e6162028584a794da4d
                                                                                                                                            • Instruction Fuzzy Hash: DF51893080C289EFDF21AFA0CD89BAEBB74AF05345F10A195E5167A1F0C7706E81CB56
                                                                                                                                            APIs
                                                                                                                                            • NtSetInformationProcess.NTDLL(000000FF,00000021,00000000,00000004,00000004,?,09EA23C9), ref: 09E9D0C5
                                                                                                                                            • NtSetInformationProcess.NTDLL(000000FF,00000012,00000000,00000002,?,09EA23C9), ref: 09E9D0D7
                                                                                                                                            • NtSetInformationProcess.NTDLL(000000FF,0000000C,00000000,00000004,?,09EA23C9), ref: 09E9D0EC
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InformationProcess
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1801817001-0
                                                                                                                                            • Opcode ID: 3fdd6300276ae8a7ad0a9f3266912678ae7d12ad51da57300425577cf328e81f
                                                                                                                                            • Instruction ID: 71ac83c0996b98dec1bbbca1054023a0ff1477057f6812bb67b9cd9f655bc730
                                                                                                                                            • Opcode Fuzzy Hash: 3fdd6300276ae8a7ad0a9f3266912678ae7d12ad51da57300425577cf328e81f
                                                                                                                                            • Instruction Fuzzy Hash: 80F030B1240264ABFF21AB94CCC9F65379C9B06720F505360B331DD1E5C7B09844C723
                                                                                                                                            APIs
                                                                                                                                            • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 09E9ADA2
                                                                                                                                              • Part of subcall function 09E9B5D0: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09E9B5FD
                                                                                                                                            • NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004,00000000,00000002,00000002,EBF9D5BF), ref: 09E9ADD9
                                                                                                                                              • Part of subcall function 09E9ABE0: OpenSCManagerW.SECHOST(00000000,00000000,00000001), ref: 09E9AC01
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Information$AdjustManagerOpenPrivilegeQuerySystemThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1715806643-0
                                                                                                                                            • Opcode ID: ec6d5c7a43033d5a524febf58665f92a2a4edcf79a71743eb75f7618251bcef6
                                                                                                                                            • Instruction ID: de7c3dd86b3a9a04778accd4863bcf436126b7d9a26f6f8b6a5497bdc069daa7
                                                                                                                                            • Opcode Fuzzy Hash: ec6d5c7a43033d5a524febf58665f92a2a4edcf79a71743eb75f7618251bcef6
                                                                                                                                            • Instruction Fuzzy Hash: CE216230A10309BBEF11AFE0DC4DF9E7ABC9F00704F5051A4B904A61E0EBB49E80C751
                                                                                                                                            APIs
                                                                                                                                            • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 09E9ADA2
                                                                                                                                              • Part of subcall function 09E9B5D0: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09E9B5FD
                                                                                                                                            • NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004,00000000,00000002,00000002,EBF9D5BF), ref: 09E9ADD9
                                                                                                                                              • Part of subcall function 09E9ABE0: OpenSCManagerW.SECHOST(00000000,00000000,00000001), ref: 09E9AC01
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Information$AdjustManagerOpenPrivilegeQuerySystemThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1715806643-0
                                                                                                                                            • Opcode ID: 9584187ff6fcf19af493e95a27bbd46cbbed19e9cfa70c9f8ba0b4cb32064583
                                                                                                                                            • Instruction ID: c202e158ab785f871fc3003145e1ada2ee9e2a64bbef58155aa33fce09f55711
                                                                                                                                            • Opcode Fuzzy Hash: 9584187ff6fcf19af493e95a27bbd46cbbed19e9cfa70c9f8ba0b4cb32064583
                                                                                                                                            • Instruction Fuzzy Hash: D9214F70A10309BBEF11AFE0DC4DF9E7ABCAF04705F5051A4BA05A61E0EBB49E84CB51
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 09E993E0: FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 09E9944F
                                                                                                                                            • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 09E9936F
                                                                                                                                            • FindNextFileW.KERNELBASE(000000FF,?), ref: 09E993C6
                                                                                                                                              • Part of subcall function 09E994BC: FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 09E99543
                                                                                                                                              • Part of subcall function 09E994BC: GetFileAttributesW.KERNELBASE(00000000), ref: 09E995D6
                                                                                                                                              • Part of subcall function 09E994BC: FindNextFileW.KERNELBASE(000000FF,?), ref: 09E99640
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$Find$First$Next$Attributes
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 407996502-0
                                                                                                                                            • Opcode ID: cebe54ac5bb3090bdf2649fcffd28456a74fc0bc898c6049e2c5fa042eabf50f
                                                                                                                                            • Instruction ID: fa239d374ec41f9a8b4535411d437496757dbe2ffbdd0b7a82c8adf6dab02838
                                                                                                                                            • Opcode Fuzzy Hash: cebe54ac5bb3090bdf2649fcffd28456a74fc0bc898c6049e2c5fa042eabf50f
                                                                                                                                            • Instruction Fuzzy Hash: FA211F7194020CABDF21EFA0DD49FD9777CAB14305F0044A9A609E2192E775AF588B62
                                                                                                                                            APIs
                                                                                                                                            • NtQueryDefaultUILanguage.NTDLL(?), ref: 09E99EF8
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: DefaultLanguageQuery
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1532992581-0
                                                                                                                                            • Opcode ID: a0498e97e2211e9e252612385931f8a24241a03aa1ccb99c3917357171c770a9
                                                                                                                                            • Instruction ID: 27663235bb99b85c8359044ce5cdd80b3c45438965f672c1ada4e9ac536dc1f3
                                                                                                                                            • Opcode Fuzzy Hash: a0498e97e2211e9e252612385931f8a24241a03aa1ccb99c3917357171c770a9
                                                                                                                                            • Instruction Fuzzy Hash: 2E310C16BB69068BFF75EA5092427F6E288FB017A8DCD312FE44F53643681D0C918663
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 09E986D0: RtlAllocateHeap.NTDLL(?,00000008,?,?,09E9B5EE,00000400), ref: 09E986EC
                                                                                                                                            • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09E99CA2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AllocateHeapInformationQuerySystem
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3114120137-0
                                                                                                                                            • Opcode ID: 69d43bec5653ef7992940f1fdab8b6b3ac140a8db12e95b7feaa70158542f6b2
                                                                                                                                            • Instruction ID: 93da57c0f986b6444029a563c566668003d706e50f9834998000e2760e62ae90
                                                                                                                                            • Opcode Fuzzy Hash: 69d43bec5653ef7992940f1fdab8b6b3ac140a8db12e95b7feaa70158542f6b2
                                                                                                                                            • Instruction Fuzzy Hash: 3A215A70D10208EFDF119F91CD84BDEBBB8EF04308F109199E515AA166D7769E45CF91
                                                                                                                                            APIs
                                                                                                                                            • NtQueryInformationToken.NTDLL(00000000,00000001,?,00000028,?,?,?,?,?,00000000), ref: 09E98B47
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 09E986D0: RtlAllocateHeap.NTDLL(?,00000008,?,?,09E9B5EE,00000400), ref: 09E986EC
                                                                                                                                            • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09E99CA2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            APIs
                                                                                                                                            • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 09E9944F
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 09E986D0: RtlAllocateHeap.NTDLL(?,00000008,?,?,09E9B5EE,00000400), ref: 09E986EC
                                                                                                                                            • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09E9B5FD
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            APIs
                                                                                                                                            • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09E99CA2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            APIs
                                                                                                                                            • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09E99CA2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            APIs
                                                                                                                                            • NtSetInformationThread.NTDLL(00000000,00000005,00000000,00000004), ref: 09E9CE54
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            APIs
                                                                                                                                            • LdrLoadDll.NTDLL(00000000,00000000,00000000,?), ref: 09E9790D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            APIs
                                                                                                                                            • NtQueryInformationToken.NTDLL(?,00000001,?,0000002C,?), ref: 09E9D012
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            APIs
                                                                                                                                            • NtTerminateProcess.NTDLL(09E9AFAC,00000000), ref: 09E9FC1B
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            APIs
                                                                                                                                            • GetLogicalDriveStringsW.KERNEL32(00000104,?), ref: 09E992CF
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            APIs
                                                                                                                                            • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09E9B5FD
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            APIs
                                                                                                                                            • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09E9B5FD
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InformationQuerySystem
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3562636166-0
                                                                                                                                            • Opcode ID: b007ef3bc5203ac29d357e46cd41c48895201430f3d5460c1d8bce2a58ed019c
                                                                                                                                            • Instruction ID: cdd0c57cb5fca3a787776b1761f68cf0e154a963bc81cee3a22c990ab563ae9d
                                                                                                                                            • Opcode Fuzzy Hash: b007ef3bc5203ac29d357e46cd41c48895201430f3d5460c1d8bce2a58ed019c
                                                                                                                                            • Instruction Fuzzy Hash: 23F03A31A10108EBCF11DF95E980BECB775EB04344F58A092EA02AA162D371EE90DB51
                                                                                                                                            APIs
                                                                                                                                            • NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,09EA01A7,00000000), ref: 09E98635
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InformationThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4046476035-0
                                                                                                                                            • Opcode ID: 47df13737796268a9cae132f9d6573e3b7df460b2491f5cdb4bc7ec9d17e3a1f
                                                                                                                                            • Instruction ID: 532db906ea27229e1723c6677c1e25f18c2536ddd990c1737048a4f7031849ce
                                                                                                                                            • Opcode Fuzzy Hash: 47df13737796268a9cae132f9d6573e3b7df460b2491f5cdb4bc7ec9d17e3a1f
                                                                                                                                            • Instruction Fuzzy Hash: 72D0A7729A020CAEDB149B54EC05FF6336CD306345F005164B107C90A1D7B0BC50C654

                                                                                                                                            Control-flow Graph

                                                                                                                                            • Executed
                                                                                                                                            • Not Executed
                                                                                                                                            control_flow_graph 1156 9e9a050-9e9a0a9 1157 9e9a0ab 1156->1157 1158 9e9a0b0-9e9a0bf 1156->1158 1159 9e9a6d9-9e9a6dd 1157->1159 1165 9e9a0c1 1158->1165 1166 9e9a0c6-9e9a0d6 1158->1166 1160 9e9a6e8-9e9a6ec 1159->1160 1161 9e9a6df 1159->1161 1163 9e9a6fd-9e9a701 1160->1163 1164 9e9a6ee-9e9a6f2 1160->1164 1161->1160 1167 9e9a70c-9e9a710 1163->1167 1168 9e9a703 1163->1168 1164->1163 1169 9e9a6f4 1164->1169 1165->1159 1173 9e9a0d8 1166->1173 1174 9e9a0dd-9e9a0ed 1166->1174 1171 9e9a71b-9e9a71f 1167->1171 1172 9e9a712 1167->1172 1168->1167 1169->1163 1175 9e9a729-9e9a72d 1171->1175 1176 9e9a721-9e9a724 call 9e986f8 1171->1176 1172->1171 1173->1159 1184 9e9a0ef 1174->1184 1185 9e9a0f4-9e9a10f call 9ea26c4 1174->1185 1178 9e9a72f-9e9a732 call 9e986f8 1175->1178 1179 9e9a737-9e9a73b 1175->1179 1176->1175 1178->1179 1182 9e9a73d 1179->1182 1183 9e9a746-9e9a74a 1179->1183 1182->1183 1186 9e9a74c 1183->1186 1187 9e9a755-9e9a759 1183->1187 1184->1159 1194 9e9a139-9e9a1c9 call 9e91190 1185->1194 1195 9e9a111-9e9a136 1185->1195 1186->1187 1188 9e9a75b 1187->1188 1189 9e9a764-9e9a768 1187->1189 1188->1189 1191 9e9a76a-9e9a76d 1189->1191 1192 9e9a775-9e9a77b 1189->1192 1191->1192 1202 9e9a1cb 1194->1202 1203 9e9a1d0-9e9a1de 1194->1203 1195->1194 1202->1159 1205 9e9a1e0 1203->1205 1206 9e9a1e5-9e9a1f6 call 9e986d0 1203->1206 1205->1159 1209 9e9a1f8 1206->1209 1210 9e9a1fd-9e9a205 call 9e91568 1206->1210 1209->1159 1213 9e9a221-9e9a232 call 9e98c54 1210->1213 1214 9e9a207-9e9a218 call 9e98c54 1210->1214 1221 9e9a239-9e9a252 1213->1221 1222 9e9a234 1213->1222 1219 9e9a21a 1214->1219 1220 9e9a21f 1214->1220 1219->1159 1220->1221 1224 9e9a268-9e9a27b 1221->1224 1225 9e9a254-9e9a263 call 9e986f8 1221->1225 1222->1159 1229 9e9a27d 1224->1229 1230 9e9a282-9e9a298 1224->1230 1225->1159 1229->1159 1232 9e9a29a 1230->1232 1233 9e9a29f-9e9a2ad 1230->1233 
1232->1159 1235 9e9a2af 1233->1235 1236 9e9a2b4-9e9a307 call 9e91568 1233->1236 1235->1159 1242 9e9a309-9e9a316 1236->1242 1243 9e9a318 1236->1243 1244 9e9a31b-9e9a33c DrawTextW 1242->1244 1243->1244 1245 9e9a33e 1244->1245 1246 9e9a343-9e9a3eb 1244->1246 1245->1159 1250 9e9a3ed 1246->1250 1251 9e9a3f2-9e9a41f 1246->1251 1250->1159 1254 9e9a421 1251->1254 1255 9e9a426-9e9a49f call 9e916bc call 9e91190 CreateFileW 1251->1255 1254->1159 1263 9e9a4a1 1255->1263 1264 9e9a4a6-9e9a4c0 WriteFile 1255->1264 1263->1159 1265 9e9a4c2 1264->1265 1266 9e9a4c7-9e9a4de WriteFile 1264->1266 1265->1159 1267 9e9a4e0 1266->1267 1268 9e9a4e5-9e9a4fc WriteFile 1266->1268 1267->1159 1269 9e9a4fe 1268->1269 1270 9e9a503-9e9a527 call 9e98afc 1268->1270 1269->1159 1274 9e9a529 1270->1274 1275 9e9a52e-9e9a5d2 call 9e916bc call 9e91190 RegCreateKeyExW 1270->1275 1274->1159 1281 9e9a5d9-9e9a638 call 9e91190 RegSetValueExW 1275->1281 1282 9e9a5d4 1275->1282 1286 9e9a63a 1281->1286 1287 9e9a63f-9e9a6c0 call 9e91190 RegSetValueExW 1281->1287 1282->1159 1286->1159 1291 9e9a6c2 1287->1291 1292 9e9a6c4-9e9a6c8 1287->1292 1291->1159 1292->1159 1293 9e9a6ca-9e9a6d1 1292->1293 1293->1159
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: ($BM
                                                                                                                                            • API String ID: 0-2980357723
                                                                                                                                            • Opcode ID: 55b0b2bf323491b661300ca257afb2e060d658699b6ec16051f7aa684d6eb004
                                                                                                                                            • Instruction ID: 65e8b63a92a5b5651d82d730a23577907f371a83d6fadc15cd0ec07ae45cdbd3
                                                                                                                                            • Opcode Fuzzy Hash: 55b0b2bf323491b661300ca257afb2e060d658699b6ec16051f7aa684d6eb004
                                                                                                                                            • Instruction Fuzzy Hash: BB223471910208EFEF119FA1DC49BEDBBB4BF08345F109069E106BA1A1D7B19E84DF66

                                                                                                                                            Control-flow Graph

                                                                                                                                            [Control-flow graph image not preserved; graph starts at 9e9c034]
                                                                                                                                            APIs
                                                                                                                                            • GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000104), ref: 09E9C07E
                                                                                                                                            • FindFirstVolumeW.KERNEL32(?,00000104), ref: 09E9C0A7
                                                                                                                                            • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,00000040,00000000), ref: 09E9C0E2
                                                                                                                                            • GetDriveTypeW.KERNEL32(?), ref: 09E9C105
                                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?), ref: 09E9C1B8
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Volume$Name$CreateDriveFileFindFirstMountNamesPathPointType
                                                                                                                                            • String ID: '
                                                                                                                                            • API String ID: 2925825261-1997036262
                                                                                                                                            • Opcode ID: c80d442310df9276e435e9cf3b5a760818dccb3e2ec845a98674379c80981829
                                                                                                                                            • Instruction ID: 5134e6612cdafe4b98ee14922c994926c2c4a5bfd025c44a5def41b002cd1f17
                                                                                                                                            • Opcode Fuzzy Hash: c80d442310df9276e435e9cf3b5a760818dccb3e2ec845a98674379c80981829
                                                                                                                                            • Instruction Fuzzy Hash: 0071E330C10A14EFDF31AF51EC09B9A7BB8AF06719F249099F689A60E1D7705E84CF56

                                                                                                                                            Control-flow Graph

                                                                                                                                            [Control-flow graph image not preserved; graph starts at 9e9e38c]
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 09E986D0: RtlAllocateHeap.NTDLL(?,00000008,?,?,09E9B5EE,00000400), ref: 09E986EC
                                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 09E9E46E
                                                                                                                                            • WriteFile.KERNEL32(000000FF,00000000,000000FF,?,00000000), ref: 09E9E48E
                                                                                                                                            • RegCreateKeyExW.KERNEL32(80000000,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 09E9E4B7
                                                                                                                                            • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,?,00000000), ref: 09E9E4E9
                                                                                                                                            • RegCreateKeyExW.KERNEL32(80000000,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 09E9E568
                                                                                                                                            • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,?,00000000), ref: 09E9E59C
                                                                                                                                            • SHChangeNotify.SHELL32(08000000,00001000,00000000,00000000), ref: 09E9E5B4
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Create$FileValue$AllocateChangeHeapNotifyWrite
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2786709897-0
                                                                                                                                            • Opcode ID: 9b00818661ba41df55fd5744583b6202c324c57790349c08cd2af9d2e441ccee
                                                                                                                                            • Instruction ID: 3edbbf0669096cb4addfd43103d3f77c0d774ed127ab50f49a81b9be2a7d7662
                                                                                                                                            • Opcode Fuzzy Hash: 9b00818661ba41df55fd5744583b6202c324c57790349c08cd2af9d2e441ccee
                                                                                                                                            • Instruction Fuzzy Hash: 1C518170A00209BBEB11DFA1DC4AF9E7B7DBB04704F104168F615EA0D1E7B1AE54CBA5

                                                                                                                                            Control-flow Graph

                                                                                                                                            [Control-flow graph image not preserved; graph starts at 7b82cc8]
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q
                                                                                                                                            • API String ID: 0-3877577046
                                                                                                                                            • Opcode ID: 0ce35727e8da594d98eb42415f154a182fa300720dd47496750b6d308a6075ee
                                                                                                                                            • Instruction ID: 2f916adb738688393eea749e43b07280a622cea1c0bba1d6d40bd13978fa00e6
                                                                                                                                            • Opcode Fuzzy Hash: 0ce35727e8da594d98eb42415f154a182fa300720dd47496750b6d308a6075ee
                                                                                                                                            • Instruction Fuzzy Hash: B8427BB0B002059FE754DB98C940AAABBF2FF88704F15C199D9099F765CB72EC46CB91

                                                                                                                                            Control-flow Graph

                                                                                                                                            • Executed
                                                                                                                                            • Not Executed
                                                                                                                                            control_flow_graph (API call nodes: DeleteDC, CreateDCW, StartDocW, EndPage, EndDoc)
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Delete
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1035893169-0
                                                                                                                                            • Opcode ID: dd7c0ec98f1584dd705d5ab0d032facf39441a1b9df05f4476ab2ff91088b883
                                                                                                                                            • Instruction ID: c63919e619e25f2db6318a07ec6576eef82eb98f5146b2e044b80bcd04985eac
                                                                                                                                            • Opcode Fuzzy Hash: dd7c0ec98f1584dd705d5ab0d032facf39441a1b9df05f4476ab2ff91088b883
                                                                                                                                            • Instruction Fuzzy Hash: 0D811570D10218EFEF129FA0CD49BAEBB75FB08305F204498F605AA1A0D7729E94DF52

                                                                                                                                            Control-flow Graph

                                                                                                                                            • Executed
                                                                                                                                            • Not Executed
                                                                                                                                            control_flow_graph (API call nodes: CreateThread, ExitProcess)
                                                                                                                                            APIs
                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000A440,00000000,00000000,00000000), ref: 09EA2339
                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00009D80,00000000,00000000,00000000), ref: 09EA235A
                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00008C7C,00000000,00000000,00000000), ref: 09EA23AD
                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000CFF8,00000000,00000000,00000000,00000001), ref: 09EA24E4
                                                                                                                                            • ExitProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 09EA2542
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateThread$ExitProcess
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3195946472-0
                                                                                                                                            • Opcode ID: 79e2b0c512398021b1f32421fd5378b9b9e274b81e845da3d90c91ef1e25cdc7
                                                                                                                                            • Instruction ID: f80844ae0a75db1d729fd98bc10e1b4885062a9072dbb88c114dd716c8036dc9
                                                                                                                                            • Opcode Fuzzy Hash: 79e2b0c512398021b1f32421fd5378b9b9e274b81e845da3d90c91ef1e25cdc7
                                                                                                                                            • Instruction Fuzzy Hash: F361B070D48385BEEF226BB19C0DBAC3EA4AB05715F14A159F225792F5C7B47C80CB22

                                                                                                                                            Control-flow Graph

                                                                                                                                            • Executed
                                                                                                                                            • Not Executed
                                                                                                                                            control_flow_graph (API call nodes: CreateFileW, WriteFile)
                                                                                                                                            APIs
                                                                                                                                            • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,00000000), ref: 09E9E23E
                                                                                                                                            • WriteFile.KERNEL32(000000FF,?,00000001,00000000,00000000,09EAF000,?,?,?,00000000), ref: 09E9E29F
                                                                                                                                            • WriteFile.KERNEL32(000000FF,?,00000001,00000000,00000000,?,?,00000000), ref: 09E9E2D8
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$Write$Create
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1602526932-0
                                                                                                                                            • Opcode ID: 8f97f5ebcb577402151185a1183558c94cb6789053f51cfa492dac997c9bd8ab
                                                                                                                                            • Instruction ID: 41631ec10e67227a66cce23664ff181cc7d8258ead584132799566ec1ecf4633
                                                                                                                                            • Opcode Fuzzy Hash: 8f97f5ebcb577402151185a1183558c94cb6789053f51cfa492dac997c9bd8ab
                                                                                                                                            • Instruction Fuzzy Hash: AC412B31E0014CEFDF01DB95E845BEEFB7AEB48322F5041AAE604E21A1D7711E54DBA6

                                                                                                                                            Control-flow Graph

                                                                                                                                            • Executed
                                                                                                                                            • Not Executed
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646342689.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f40000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: $L$84kl$XZ$XZ$tP]q
                                                                                                                                            • API String ID: 0-1262075152
                                                                                                                                            • Opcode ID: caac86d35c8cce18ad48fc1dad20e2376d02a98b5af67c7b3fb877d99d70ea59
                                                                                                                                            • Instruction ID: 70e1da0c8810395ad0341b2f5310a5b625b68d33974b412b3f7904d81a2ef6c8
                                                                                                                                            • Opcode Fuzzy Hash: caac86d35c8cce18ad48fc1dad20e2376d02a98b5af67c7b3fb877d99d70ea59
                                                                                                                                            • Instruction Fuzzy Hash: 5451C131A00208DFDB14EF58C581AAABFF2EF85315F1994AAF8159F291CB71DC50CBA1

                                                                                                                                            Control-flow Graph

                                                                                                                                            • Executed
                                                                                                                                            • Not Executed
                                                                                                                                            control_flow_graph (API call nodes: SetThreadPriority, ReadFile, WriteFile)
                                                                                                                                            APIs
                                                                                                                                            • SetThreadPriority.KERNEL32(000000FE,00000002), ref: 09E9FDE1
                                                                                                                                            • ReadFile.KERNEL32(?,?,?,?,?), ref: 09E9FE73
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FilePriorityReadThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3643687941-0
                                                                                                                                            • Opcode ID: e7aca78f1fe16ec0bc4bc8e49456727ce9a44b6091535d1103b96e1492672b3a
                                                                                                                                            • Instruction ID: 49a668e6909ac14fcdb1b820a77c019551c8a612ec6243f91b2741ffdf7e716f
                                                                                                                                            • Opcode Fuzzy Hash: e7aca78f1fe16ec0bc4bc8e49456727ce9a44b6091535d1103b96e1492672b3a
                                                                                                                                            • Instruction Fuzzy Hash: A0A16E71910244EFEF228F50C8C9BE537BCFB09359F106566F906DA0AAD770AE44CB52

                                                                                                                                            Control-flow Graph

                                                                                                                                            • Executed
                                                                                                                                            • Not Executed
                                                                                                                                            control_flow_graph (API call nodes: SetFileAttributesW, CreateFileW, SetFilePointerEx, ReadFile)
                                                                                                                                            APIs
                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?), ref: 09EA03D1
                                                                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 09EA03E9
                                                                                                                                            • SetFilePointerEx.KERNEL32(000000FF,-00000084,00000000,00000000,00000002), ref: 09EA040D
                                                                                                                                            • ReadFile.KERNEL32(000000FF,?,00000084,?,00000000), ref: 09EA042C
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$AttributesCreatePointerRead
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4170910816-0
                                                                                                                                            • Opcode ID: abc6809c5efbea74af8559a2c91a68693f7c8982fb3a32873747a4755d27c5e2
                                                                                                                                            • Instruction ID: 5e2950c8323b7297cf60369807cfd837db508a0709f0e80f19b4a3d42c6cc034
                                                                                                                                            • Opcode Fuzzy Hash: abc6809c5efbea74af8559a2c91a68693f7c8982fb3a32873747a4755d27c5e2
                                                                                                                                            • Instruction Fuzzy Hash: 58114F30A40309FBEF219FA1CC45FA97BBDBB05705F1080A4B604AA0F1EB70AE54CB15

Control-flow Graph (rendered graph not preserved; the calls shown in it include CoSetProxyBlanket and CoUninitialize)
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Uninitialize
                                                                                                                                            • String ID: @
                                                                                                                                            • API String ID: 3861434553-2766056989
                                                                                                                                            • Opcode ID: 8f677e8cdd75b2b308cc65016ac43c341e5373036996b70507e6ee6bea20564e
                                                                                                                                            • Instruction ID: 6b62935987e9d74d74b45a7d0aee092e6a4136287e47c6b380a52ae3da4e0d1e
                                                                                                                                            • Opcode Fuzzy Hash: 8f677e8cdd75b2b308cc65016ac43c341e5373036996b70507e6ee6bea20564e
                                                                                                                                            • Instruction Fuzzy Hash: F1D126B4910209EFEB11DF91C889FAABB78FF04304F119199E518AF2A2D771DA45CF61
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 84kl$84kl$tP]q$tP]q
                                                                                                                                            • API String ID: 0-818060052
                                                                                                                                            • Opcode ID: 09c62bfc6b0ab72e1d98ce9ab6b38d35c887417b7485d4ebd613b1c468aa7a48
                                                                                                                                            • Instruction ID: e99c49b53098edf568a4db9e43dff43b665b1c09769d531ea25214d5a7dbe81a
                                                                                                                                            • Opcode Fuzzy Hash: 09c62bfc6b0ab72e1d98ce9ab6b38d35c887417b7485d4ebd613b1c468aa7a48
                                                                                                                                            • Instruction Fuzzy Hash: F69147F1B002168FEB55AF69C8806EABBE5FF85310F1888AADC45DB241DB31DD41C7A1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2645031552.0000000009ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09ED0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9ed0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: [92! $d4$d4$d4
                                                                                                                                            • API String ID: 0-2864869579
                                                                                                                                            • Opcode ID: 064ad3cb3de9af23f11a70de4c7ace13861678e715761679d4f1f8114d9e65e0
                                                                                                                                            • Instruction ID: 9e97561b1d05bd2afd539ab64e563b6f25a5a8411fcb4540dab2d6cc17f3aabc
                                                                                                                                            • Opcode Fuzzy Hash: 064ad3cb3de9af23f11a70de4c7ace13861678e715761679d4f1f8114d9e65e0
                                                                                                                                            • Instruction Fuzzy Hash: 33719E34A02214DFDB14CF68CC45BAABBB2AF85304F14D4AAD90AAB356D7319D42CF91
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 09EA0308: SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,?,?,?), ref: 09EA0329
                                                                                                                                              • Part of subcall function 09EA0308: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?), ref: 09EA0341
                                                                                                                                              • Part of subcall function 09EA03B8: SetFileAttributesW.KERNEL32(00000000,00000080,?), ref: 09EA03D1
                                                                                                                                              • Part of subcall function 09EA03B8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 09EA03E9
                                                                                                                                              • Part of subcall function 09EA03B8: SetFilePointerEx.KERNEL32(000000FF,-00000084,00000000,00000000,00000002), ref: 09EA040D
                                                                                                                                              • Part of subcall function 09EA03B8: ReadFile.KERNEL32(000000FF,?,00000084,?,00000000), ref: 09EA042C
                                                                                                                                            • MoveFileExW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,00000000,?,00000000,?), ref: 09EA0C2F
                                                                                                                                            • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000,?), ref: 09EA0CF0
                                                                                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,48000000,00000000,00000000,?,00000000,?), ref: 09EA0CA6
                                                                                                                                              • Part of subcall function 09E986F8: RtlFreeHeap.NTDLL(?,00000000,00000000,?,09EA00CF,?,?,00000000,?), ref: 09E98714
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$Create$Attributes$CompletionFreeHeapMovePointerPortRead
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 97630321-0
                                                                                                                                            • Opcode ID: 567aedee25f84125b095321ecb0f81e939da9480ed675738b375e2c6b4472441
                                                                                                                                            • Instruction ID: ecb692fbd4689cf681184d3a7d7c98a56fcd5f87b1b3c97484dea3a49103215f
                                                                                                                                            • Opcode Fuzzy Hash: 567aedee25f84125b095321ecb0f81e939da9480ed675738b375e2c6b4472441
                                                                                                                                            • Instruction Fuzzy Hash: 80515530900248FBEF226FA1DC08B9D7B79AB06346F10A168F5166D0B1D775AE94DF05
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 0eba7d43acabab27b080a12a36215db109fb6342e65b2a75b26f10db38de99d4
                                                                                                                                            • Instruction ID: 21db57d3b369e655a2b7d045ed6f28b1ba419cd5388d3db5d5eef4de93c262cf
                                                                                                                                            • Opcode Fuzzy Hash: 0eba7d43acabab27b080a12a36215db109fb6342e65b2a75b26f10db38de99d4
                                                                                                                                            • Instruction Fuzzy Hash: 2621F430814148EFCF12EBA5EE45B9C7B71BF06319F10A1A8E616651B5D7721FA0AB06
                                                                                                                                            APIs
                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,09E9BE00,?,00000004,00000000,?,?,?,?,00000000), ref: 09E9BE4E
                                                                                                                                            • ResumeThread.KERNEL32(00000000,?,?,?,?,00000000), ref: 09E9BE97
                                                                                                                                            • GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,?,00000000), ref: 09E9BEAF
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Thread$CodeCreateExitResume
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4070214711-0
                                                                                                                                            • Opcode ID: 2b82b3d337b0167366ab03a83e8ffe41adbfeeb6f1e8b2e159e18a2372330b6b
                                                                                                                                            • Instruction ID: 62704e3f63eace65ce3a199e279a86732ac3167ad2d55dcce06f6f7f406d89df
                                                                                                                                            • Opcode Fuzzy Hash: 2b82b3d337b0167366ab03a83e8ffe41adbfeeb6f1e8b2e159e18a2372330b6b
                                                                                                                                            • Instruction Fuzzy Hash: 4E213B35904208FFDF11DF95ED09B9DBB78EB08325F20416AF608A21A0D7712E54DB51
                                                                                                                                            APIs
                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000AB24,?,00000004,00000000,00000000,00000000,?,?,00000000), ref: 09E9BB5D
                                                                                                                                            • ResumeThread.KERNEL32(00000000,?,?,00000000), ref: 09E9BBA6
                                                                                                                                            • GetExitCodeThread.KERNEL32(00000000,00000000,?,?,00000000), ref: 09E9BBBE
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Thread$CodeCreateExitResume
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4070214711-0
                                                                                                                                            • Opcode ID: 7e682d9d62d368f9b7dc9f67003475e4dff06b862d94ab38cc65900891a6824d
                                                                                                                                            • Instruction ID: 1bf4f3f587d29f337ff7d6b25e578324b357a0a1c15d20327dab8204b0e0c85a
                                                                                                                                            • Opcode Fuzzy Hash: 7e682d9d62d368f9b7dc9f67003475e4dff06b862d94ab38cc65900891a6824d
                                                                                                                                            • Instruction Fuzzy Hash: 45115E35904208FFEF119F95ED09B9DBB78EB44326F2041A9F505A11F4D7712E50EB51
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateThread
                                                                                                                                            • String ID: $
                                                                                                                                            • API String ID: 2422867632-1286703891
                                                                                                                                            • Opcode ID: c3d2a49c7c51152e5a307b803add8c98a5de7af62e3fa4122d91e5535f9cb18f
                                                                                                                                            • Instruction ID: 4d36a757ceba3bcee3455cde52f05fdd42181962000f01346ca60506c0b95976
                                                                                                                                            • Opcode Fuzzy Hash: c3d2a49c7c51152e5a307b803add8c98a5de7af62e3fa4122d91e5535f9cb18f
                                                                                                                                            • Instruction Fuzzy Hash: 5B616A30D0424AEBDF219F91DC85BAEBB74FB14315F106129E622BA2B0D7757E40CB96
                                                                                                                                            APIs
                                                                                                                                            • RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,00020119,00000000,?,00000000), ref: 09EA2839
                                                                                                                                            • RegDeleteKeyExW.KERNEL32(80000002,?,00000100,00000000,000000FF,00000000), ref: 09EA28D5
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateDelete
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2606249652-0
                                                                                                                                            • Opcode ID: c55df49444f25ca2914cb36c43bdf5a2e30633cb766817b2bce8ba022d8505c7
                                                                                                                                            • Instruction ID: 344235491df3af6a856cf1b685f5f69de874ba0914a59eba7a62cad4fe1c2f6c
                                                                                                                                            • Opcode Fuzzy Hash: c55df49444f25ca2914cb36c43bdf5a2e30633cb766817b2bce8ba022d8505c7
                                                                                                                                            • Instruction Fuzzy Hash: 7E510871950219AFEB11DF91DC49FEDBBBCFB08704F0040A9B614AA1A1E774AA54CF62
                                                                                                                                            APIs
                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,?,?,?), ref: 09EA0329
                                                                                                                                            • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?), ref: 09EA0341
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$AttributesCreate
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 415043291-0
                                                                                                                                            APIs
                                                                                                                                            • MoveFileExW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,00000000,?,00000000,?), ref: 09EA0C2F
                                                                                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,48000000,00000000,00000000,?,00000000,?), ref: 09EA0CA6
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$CreateMove
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3198096935-0
                                                                                                                                            APIs
                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,?,?,?), ref: 09EA0329
                                                                                                                                            • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?), ref: 09EA0341
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$AttributesCreate
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 415043291-0
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 84kl$tP]q
                                                                                                                                            • API String ID: 0-274140881
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: h2`k
                                                                                                                                            • API String ID: 0-1201988217
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            APIs
                                                                                                                                            • CreateMutexW.KERNEL32(0000000C,00000001,?), ref: 09E9BA3F
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateMutex
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1964310414-0
                                                                                                                                            APIs
                                                                                                                                            • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,?,?,09EA6480,?,00000001,?), ref: 09E981E5
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateHeap
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 10892065-0
                                                                                                                                            APIs
                                                                                                                                            • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,?,?,09EA6480,?,00000001,?), ref: 09E981E5
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateHeap
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 10892065-0
                                                                                                                                            APIs
                                                                                                                                            • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,?,?,09EA6480,?,00000001,?), ref: 09E981E5
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateHeap
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 10892065-0
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 09E9AE54: RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 09E9AE76
                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 09E9AFC7
                                                                                                                                              • Part of subcall function 09E9FBB8: NtTerminateProcess.NTDLL(09E9AFAC,00000000), ref: 09E9FC1B
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AdjustCloseHandlePrivilegeProcessServiceTerminate
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3176663195-0
                                                                                                                                            APIs
                                                                                                                                            • OpenSCManagerW.SECHOST(00000000,00000000,00000001), ref: 09E9AC01
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ManagerOpen
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1889721586-0
                                                                                                                                            APIs
                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000EDD0,00000000,00000000,00000000), ref: 09EA0195
                                                                                                                                              • Part of subcall function 09E98614: NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,09EA01A7,00000000), ref: 09E98635
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            APIs
                                                                                                                                            • CreateMutexW.KERNEL32(0000000C,00000001,?), ref: 09E9BA3F
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            APIs
                                                                                                                                            • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 09E9AE76
                                                                                                                                              • Part of subcall function 09E9B5D0: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 09E9B5FD
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            APIs
                                                                                                                                            • RtlAdjustPrivilege.NTDLL(?,00000001,00000000,?), ref: 09E9D09B
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            APIs
                                                                                                                                            • RtlFreeHeap.NTDLL(?,00000000,00000000,?,09EA00CF,?,?,00000000,?), ref: 09E98714
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            APIs
                                                                                                                                            • RtlAllocateHeap.NTDLL(?,00000008,?,?,09E9B5EE,00000400), ref: 09E986EC
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            APIs
                                                                                                                                            • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 09E9BE0B
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            APIs
                                                                                                                                            • GetDriveTypeW.KERNEL32(?), ref: 09E9BB2A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646137811.0000000009F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F20000, based on PE: false
                                                                                                                                            • String ID: _'7g
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646137811.0000000009F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F20000, based on PE: false
                                                                                                                                            • String ID: _'7g
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646852014.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646852014.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 69af88f1bf69cc549ecf713d3390a242d176c7408cc23b60347a1b019dcd79e7
                                                                                                                                            • Instruction ID: 1034ecc8428b9e6ef98ac277d779ff808418648099b8deed1a47f7c40938d83e
                                                                                                                                            • Opcode Fuzzy Hash: 69af88f1bf69cc549ecf713d3390a242d176c7408cc23b60347a1b019dcd79e7
                                                                                                                                            • Instruction Fuzzy Hash: 5491B07094A3869FCB07DF6CC8A14EA7FB1AF4622471941D7C481CB2A3D7789C46CBA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2556295284.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_4c90000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 50320ab65a3c932e24e848fb4187d6653edb2b9175d0b2c0d2a58386964a2888
                                                                                                                                            • Instruction ID: e089266b77897c56a4d7924580336dda5d2684cb02bb833b00df9d78d86e5323
                                                                                                                                            • Opcode Fuzzy Hash: 50320ab65a3c932e24e848fb4187d6653edb2b9175d0b2c0d2a58386964a2888
                                                                                                                                            • Instruction Fuzzy Hash: 34919B74A00205AFCB15CF58C5989AEFBF2FF48310B2589A9D855AB365C735FC91CBA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646852014.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: b69fe4781a0159085e6ea03cbaa92f4985d33ce3cf728cb71a119d9bcaa3100a
                                                                                                                                            • Instruction ID: 22056e0ccd08f0d27d8b7a1ef272186b82c8f21f0074104c50f02993463c4885
                                                                                                                                            • Opcode Fuzzy Hash: b69fe4781a0159085e6ea03cbaa92f4985d33ce3cf728cb71a119d9bcaa3100a
                                                                                                                                            • Instruction Fuzzy Hash: 7C51FA74A00209DFDB45DF98D584AAEBBF6FF88310F248559E805AB365C735ED82CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2556295284.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_4c90000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: de5cc6d2150d4577187fb7c0204fbadcfbf11fb4f609a4192e2817ebac0ba38e
                                                                                                                                            • Instruction ID: 79066767159946f3f57108b383107c1d43c270b6a2025bd57f7906491b393be7
                                                                                                                                            • Opcode Fuzzy Hash: de5cc6d2150d4577187fb7c0204fbadcfbf11fb4f609a4192e2817ebac0ba38e
                                                                                                                                            • Instruction Fuzzy Hash: DA414A74A06244DFCB15CF98C8849AEBBF2FF89310B2585A9D855EB3A5D335EC41CB50
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2556295284.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_4c90000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c217b5691f9881fa9d8b0b9efc5fe2dd5086722fe78d3797b261b683a16b6377
                                                                                                                                            • Instruction ID: 891c2e513a683fc25da76b6ca8cbed341ddde1929749f0d7472651fb4d7e0908
                                                                                                                                            • Opcode Fuzzy Hash: c217b5691f9881fa9d8b0b9efc5fe2dd5086722fe78d3797b261b683a16b6377
                                                                                                                                            • Instruction Fuzzy Hash: 11412774A00505AFCB05CF58C598DAAFBF2FF48310B158999D955AB364C732FD91CBA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646852014.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 7fdf386a35f80fc5f69d432f4b48c66ffdd4d16866355764102495384ec25d89
                                                                                                                                            • Instruction ID: 83221c32379f1509b4c741e1138c9975e915d609a957fe1abbc64b35b0c13991
                                                                                                                                            • Opcode Fuzzy Hash: 7fdf386a35f80fc5f69d432f4b48c66ffdd4d16866355764102495384ec25d89
                                                                                                                                            • Instruction Fuzzy Hash: 63417E74A04649CFCB15CF9CC8919AEBBB1FF89310B248699D455EB3A1D331EC52CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2556295284.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_4c90000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: bf2f767925d74683400417bbad8d204a75bb71bc99574e7413c541f5138873e6
                                                                                                                                            • Instruction ID: 94c08b25333f7e9835f8f83ae27dfe8df6525850a3c2c20634e3f5c1da862997
                                                                                                                                            • Opcode Fuzzy Hash: bf2f767925d74683400417bbad8d204a75bb71bc99574e7413c541f5138873e6
                                                                                                                                            • Instruction Fuzzy Hash: C4414D74A01205DFCB14CF5CC884AAEBBF2FF89310B248569E955A73A5D735EC41CB54
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646852014.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 2b5986745314632fb7c04e3ad0ac54166dd054af0d0c6a4f4cf08162c59b1f3c
                                                                                                                                            • Instruction ID: 8201805204950d28007e6a7b24675b1468d40be130f332217e14d85d7ebf8a8a
                                                                                                                                            • Opcode Fuzzy Hash: 2b5986745314632fb7c04e3ad0ac54166dd054af0d0c6a4f4cf08162c59b1f3c
                                                                                                                                            • Instruction Fuzzy Hash: EB415974A006098FCB15CF9CC4819AEBBB2FF88310B248659D855EB3A5D731EC52CF90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2556295284.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_4c90000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 2c5ee6f31e3d64c7e248ba48961a288fbacfe8cbe5c6c6de4f2bb758723ca4cd
                                                                                                                                            • Instruction ID: 70966c6e2421b042b62f2a8f7e6b75382c6b7c917bb52dd887ff4f04f0ef0b69
                                                                                                                                            • Opcode Fuzzy Hash: 2c5ee6f31e3d64c7e248ba48961a288fbacfe8cbe5c6c6de4f2bb758723ca4cd
                                                                                                                                            • Instruction Fuzzy Hash: B7316F75A093859FCB02DF68D89099ABFB0EF4A310B1544DAD844DB363C635ED45CBA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: bf78cf23be6312c8e9909d492c3edabb685e9f4d7c1e0c4c43e28443a50e0771
                                                                                                                                            • Instruction ID: b8b5d3c80eee413d5a0aed52fc3cd93f3412d6e5c0dc555fa02c369ee63bb3c6
                                                                                                                                            • Opcode Fuzzy Hash: bf78cf23be6312c8e9909d492c3edabb685e9f4d7c1e0c4c43e28443a50e0771
                                                                                                                                            • Instruction Fuzzy Hash: 3F1108B63102168BD768AE7ED45056AF7D6FFC562271CC87ED986C7340CA35D841CBA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2556295284.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_4c90000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 26cec2895f9e1a50c55688687f611e3d36e9510b8798a852283a7d678ee445d8
                                                                                                                                            • Instruction ID: 1fcc3cc87ab5c88610ec666b19c7b5c763c2f418e3f5604b9cafe30a53fac0f8
                                                                                                                                            • Opcode Fuzzy Hash: 26cec2895f9e1a50c55688687f611e3d36e9510b8798a852283a7d678ee445d8
                                                                                                                                            • Instruction Fuzzy Hash: B4211774A002099FCB04DF98D5809AEBBF5FF89310B15859AE909EB352C735FD41CBA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2556295284.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_4c90000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 38f51734f911f08b838c3674b5ed94fd3298f401217b7c6beb11ba821c7bfbc3
                                                                                                                                            • Instruction ID: 4bb6dd6daca1894cea239143de4eb14b699a79f6da59b7153139cf1add8899b1
                                                                                                                                            • Opcode Fuzzy Hash: 38f51734f911f08b838c3674b5ed94fd3298f401217b7c6beb11ba821c7bfbc3
                                                                                                                                            • Instruction Fuzzy Hash: 63214A74A042499FCB00CF98D5809AAFBF5FF89310B15859AD809AB352C735FD41CBA5
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 916ec0b158c0f004caa2059b3537f963581f33d73a05ca374e0971e163c21272
                                                                                                                                            • Instruction ID: 9f1952792dcfde54970624010a0becb0211605a894a35021faf84a9191a0ef34
                                                                                                                                            • Opcode Fuzzy Hash: 916ec0b158c0f004caa2059b3537f963581f33d73a05ca374e0971e163c21272
                                                                                                                                            • Instruction Fuzzy Hash: BA1148B66083828FC3068A3ED8A0191BFF1AFC311131D44E7D495CB3D3D628E800C762
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646852014.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f80000_powershell.jbxd
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2555546126.0000000004BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BED000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_4bed000_powershell.jbxd
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2555546126.0000000004BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BED000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_4bed000_powershell.jbxd
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646137811.0000000009F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f20000_powershell.jbxd
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646342689.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f40000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 4']q$Pq]q$Pq]q$pj$x.^k$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$xJ$-^k
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646342689.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f40000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 4']q$4']q$Pq]q$pj$x.^k$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$x@$xJ$-^k
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$84kl$84kl$<,ak$TQbq$TQbq$TQbq$tP]q$tP]q
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2645031552.0000000009ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09ED0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9ed0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 4']q$<5$<5$<5$<5$<5$<5$<5$<5$<5$<5$<5$<5$`$x.^k$-^k$y$y
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$cl$cl$cl$cl
                                                                                                                                            • API String ID: 0-1156831293
                                                                                                                                            • Opcode ID: 8eef169f6bcd56d95e220fcde567e38019c49e4e98e61f2dc495f33aa20e240d
                                                                                                                                            • Instruction ID: a0b5151386adacf85bd7f85dd788ebd54ebe1541674d7b62c94f946d2f5a7764
                                                                                                                                            • Opcode Fuzzy Hash: 8eef169f6bcd56d95e220fcde567e38019c49e4e98e61f2dc495f33aa20e240d
                                                                                                                                            • Instruction Fuzzy Hash: 03026EF0B00206DBE754EF58C450A6ABBB6EF89714F14C5DAD815AB754CB32E842CBB1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2645031552.0000000009ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09ED0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9ed0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 4'$4'$84kl$84kl$84kl$84kl$X'$]$tP]q$tP]q$tP]q$tP]q$|'$|'
                                                                                                                                            • API String ID: 0-1126490560
                                                                                                                                            • Opcode ID: 9b62434b4d54f522a93d611990db26cc404ce39efd192b1d0bdcbebf2597d1da
                                                                                                                                            • Instruction ID: 0373ef89ac7737ee6a5059c6d0d7ab7652a47c9b43481c7cac862d50802deb29
                                                                                                                                            • Opcode Fuzzy Hash: 9b62434b4d54f522a93d611990db26cc404ce39efd192b1d0bdcbebf2597d1da
                                                                                                                                            • Instruction Fuzzy Hash: F4E15830B052549FC711CF68C851AAABBF6EFC5315F1884AAE946DF252CB31DD06CBA1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2645031552.0000000009ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09ED0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9ed0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: <5$<5$<5$<5$<5$<5$<5$<5$<5$<5$<5$Pq]q$h2`k
                                                                                                                                            • API String ID: 0-1816405575
                                                                                                                                            • Opcode ID: 3100eed0455f2d8d9aab46c6f81d8989284ef8176fc26b92a21e1690eed4544e
                                                                                                                                            • Instruction ID: 08d2e8229f90329c64d2d4fed35adda23a46e90952473dfcbe2d5103267b1d56
                                                                                                                                            • Opcode Fuzzy Hash: 3100eed0455f2d8d9aab46c6f81d8989284ef8176fc26b92a21e1690eed4544e
                                                                                                                                            • Instruction Fuzzy Hash: 1FE12DB4A012188FD754CB18C891BA9F7B2FB89304F54D1E9D9099B352CB71EE82CF95
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2643886433.0000000009E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 09E91000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9e91000_powershell.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CountTick$CreateDialogMenuParam$BrushColorCommandHandleLineLoadModuleTextWindow
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 354372533-0
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: `Q]q$`Q]q$`Q]q$`Q]q$`Q]q$dDaq
                                                                                                                                            • API String ID: 0-3329183305
                                                                                                                                            • Opcode ID: fe432fa08a42dd66058d7cc4dd4e508a1566f9f6060a8e444e5937b1da7253a4
                                                                                                                                            • Instruction ID: 05fe286cc9d5aa3e1709961ebcca78ffc408c336c0cbeeb9f8e86c57b0f4bb9a
                                                                                                                                            • Opcode Fuzzy Hash: fe432fa08a42dd66058d7cc4dd4e508a1566f9f6060a8e444e5937b1da7253a4
                                                                                                                                            • Instruction Fuzzy Hash: C1515BB63043069FE765AA799440637BBE6DFCA611B18C4BBD485CB2D2CA36C805C3A1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 84kl$84kl$Te]q$Te]q$tP]q$tP]q
                                                                                                                                            • API String ID: 0-3679634314
                                                                                                                                            • Opcode ID: 43934170ea3c6b6e3f9a4699ae414479474d7a01af55d4234bcce8b3f8e19f3c
                                                                                                                                            • Instruction ID: e856705141d84c706528aa441000cb27996fd7538c2e698a0e258571a637d3e3
                                                                                                                                            • Opcode Fuzzy Hash: 43934170ea3c6b6e3f9a4699ae414479474d7a01af55d4234bcce8b3f8e19f3c
                                                                                                                                            • Instruction Fuzzy Hash: 9A71C3F4A10205DBEB74DF58C584B69F7E2EF88710F6984A9E815AB390CB71EC50CB91
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 4']q$4']q$84kl$TQbq$TQbq$tP]q
                                                                                                                                            • API String ID: 0-469261910
                                                                                                                                            • Opcode ID: 02a8831469fa5a8ff4e9171f9e80592f23824bf5182eb7b8fc45452b252a9c4d
                                                                                                                                            • Instruction ID: 14095983563c4a1e09d9aae92a21bcc0524780c37fec622ea53d0cd88cc73eaf
                                                                                                                                            • Opcode Fuzzy Hash: 02a8831469fa5a8ff4e9171f9e80592f23824bf5182eb7b8fc45452b252a9c4d
                                                                                                                                            • Instruction Fuzzy Hash: 1E5192F0A00206DFEB64EE18C148BBAB7F1EF85711F1580E6D805AB291D775DC40CBA1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2645031552.0000000009ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09ED0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9ed0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 84kl$84kl$X?$tP]q$tP]q$|?
                                                                                                                                            • API String ID: 0-1835463160
                                                                                                                                            • Opcode ID: 22c092ec8601031de268fe4f66298c3078626c9c4c31f9b2bd1ca600650f8ea6
                                                                                                                                            • Instruction ID: 63fa603542e884132c2f700f6b74814a0f7c8da1894ca07a2accea91cbd86449
                                                                                                                                            • Opcode Fuzzy Hash: 22c092ec8601031de268fe4f66298c3078626c9c4c31f9b2bd1ca600650f8ea6
                                                                                                                                            • Instruction Fuzzy Hash: 0C315B307053449FC7259F6C8849B66BFF6AF86754F1484AAF9449F292C671DC01C7E1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646137811.0000000009F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 0T$DT$XT$lT$S
                                                                                                                                            • API String ID: 0-918420041
                                                                                                                                            • Opcode ID: a00d1e8b093b01ebdcfa47b5fbbcb7da5513036877755fde02d1ad426a3c6f80
                                                                                                                                            • Instruction ID: aafe29ce0e729e646fd0da447ec6a4ff8fa0e9164c823641e5fa3c80178d9be5
                                                                                                                                            • Opcode Fuzzy Hash: a00d1e8b093b01ebdcfa47b5fbbcb7da5513036877755fde02d1ad426a3c6f80
                                                                                                                                            • Instruction Fuzzy Hash: 16F1F774B042548FCB59CF28D455BAE7BF2AF88305F2080AAE54ADB365DF349D428F52
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646137811.0000000009F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: $4 $H $\ $p
                                                                                                                                            • API String ID: 0-1315259468
                                                                                                                                            • Opcode ID: 290fc760e2311b8afc8f808304761bcbc00c44b0a7c088aebe4590b6ef1bd01e
                                                                                                                                            • Instruction ID: 73bbd71f32780cfda3d34fe8814834d1ef97774919297d4a3dc0dd862bca0155
                                                                                                                                            • Opcode Fuzzy Hash: 290fc760e2311b8afc8f808304761bcbc00c44b0a7c088aebe4590b6ef1bd01e
                                                                                                                                            • Instruction Fuzzy Hash: D6C10870B002548FCB59DF68D595BAE7BF3AF88304F208469D55ACB359DF34AD028B92
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646342689.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f40000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 84kl$LK$LK$LK$tP]q
                                                                                                                                            • API String ID: 0-1231533234
                                                                                                                                            • Opcode ID: 5ccef8dc378fd88ccbde74c944c4b621e3add0513740cf78313195ca78e5bf6a
                                                                                                                                            • Instruction ID: 8c2d139f7a71b7296ecf9a3851b8b8f798d74c7d156256fff4cb74f4c8041350
                                                                                                                                            • Opcode Fuzzy Hash: 5ccef8dc378fd88ccbde74c944c4b621e3add0513740cf78313195ca78e5bf6a
                                                                                                                                            • Instruction Fuzzy Hash: 55617F31A00204DFDB14CF58C485A6ABBF6EB88750F1DD46AEA05AB351CF72EC85CB91
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2645031552.0000000009ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09ED0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9ed0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 84kl$84kl$l2$tP]q$tP]q
                                                                                                                                            • API String ID: 0-2109944025
                                                                                                                                            • Opcode ID: 3a6ae03c88b52281057a3ceedd98624dcc47b68144d1c067fbb30176f433160d
                                                                                                                                            • Instruction ID: 9d6654c5f484c73a70ebb4ff9b7e8ca400522310eed3810174f784a6073b9791
                                                                                                                                            • Opcode Fuzzy Hash: 3a6ae03c88b52281057a3ceedd98624dcc47b68144d1c067fbb30176f433160d
                                                                                                                                            • Instruction Fuzzy Hash: B0514B317093549FD7288E6C884176AFBF6EF85714F18C46AE8859F391CA31DC42C7A1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: $]q$$]q$$]q$cl$cl
                                                                                                                                            • API String ID: 0-4273473488
                                                                                                                                            • Opcode ID: 74a9c25ada1e69736cb0b88028817d776bede767e24383428ca92cef6a1f7eaa
                                                                                                                                            • Instruction ID: 4c4c0d3fd59820980f3e518ae467d77c688b7e30bf8fbcc16b716d9632596d8f
                                                                                                                                            • Opcode Fuzzy Hash: 74a9c25ada1e69736cb0b88028817d776bede767e24383428ca92cef6a1f7eaa
                                                                                                                                            • Instruction Fuzzy Hash: 1211E9B13003979FFB786D6ED800F67B7AAEFC1721F2484AAE8498B250DA71C841C355
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 84kl$84kl$tP]q$tP]q
                                                                                                                                            • API String ID: 0-818060052
                                                                                                                                            • Opcode ID: 9ddbc10b12617f75cb1c58a86d6f9a5fb96329cbb4c0e324182ebe8f3ac8f7cf
                                                                                                                                            • Instruction ID: 74876a535cd489721f3787e4e9ee2e67be570ddb269e519103979d347a091165
                                                                                                                                            • Opcode Fuzzy Hash: 9ddbc10b12617f75cb1c58a86d6f9a5fb96329cbb4c0e324182ebe8f3ac8f7cf
                                                                                                                                            • Instruction Fuzzy Hash: 4DF19EB064A3859FD7579B24C865A51BFB1EF8B204F09C0DBD484CF2E7CA75980AC792
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646852014.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: $$8$L$p
                                                                                                                                            • API String ID: 0-418534466
                                                                                                                                            • Opcode ID: 6698f9ac53f1ad00cd5d61fa4ac1598deba265aaa36656046c5fc8a58601d5ef
                                                                                                                                            • Instruction ID: 9200bcacdbdddb1d4960925f673c7d135007716cc48f161a7a221e4ee4f7a527
                                                                                                                                            • Opcode Fuzzy Hash: 6698f9ac53f1ad00cd5d61fa4ac1598deba265aaa36656046c5fc8a58601d5ef
                                                                                                                                            • Instruction Fuzzy Hash: DAE14A71B002448FCB59DF68D585AAE7BF2AF88304B64806ED44ACB365DF349D06CF62
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2645031552.0000000009ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09ED0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9ed0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: DI$T($'$'
                                                                                                                                            • API String ID: 0-4226537304
                                                                                                                                            • Opcode ID: 481b15497bbc71902fe18da99d5e8afc59218e42238abd2601286557c0afb642
                                                                                                                                            • Instruction ID: 74c383f8c290fe025ec23a264360dee2af0d1cfb33208106a237177dbd0b3d55
                                                                                                                                            • Opcode Fuzzy Hash: 481b15497bbc71902fe18da99d5e8afc59218e42238abd2601286557c0afb642
                                                                                                                                            • Instruction Fuzzy Hash: 95B1F230A063458FD715CF6888516AABBA1EFC2319F1DD4ABD406CB262DA35DC47C7A2
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2645031552.0000000009ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09ED0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9ed0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: PA$PA$tA$tA
                                                                                                                                            • API String ID: 0-3212899828
                                                                                                                                            • Opcode ID: 6436fe9950b9bf117363e700cbec8466da11747c683335165f0c81aa3789a10f
                                                                                                                                            • Instruction ID: bbd00169b7da33d2823be2acaab8f9d4e1a9f5afc96c15cd7c4917c82cd03173
                                                                                                                                            • Opcode Fuzzy Hash: 6436fe9950b9bf117363e700cbec8466da11747c683335165f0c81aa3789a10f
                                                                                                                                            • Instruction Fuzzy Hash: 599127317152108FC715DB6898516BABBE6DFC6310B18887BE946CF2A2DB36DC07C7A1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646342689.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f40000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 84kl$84kl$tP]q$tP]q
                                                                                                                                            • API String ID: 0-818060052
                                                                                                                                            • Opcode ID: 45fc9b367a58b66d95989e1b5473957a43d274eb7bde1a450e933a78e09989aa
                                                                                                                                            • Instruction ID: 05c974046aec27e13e667676d379e56a0fe3d14dfea4ea330f1a5a67ae0bb124
                                                                                                                                            • Opcode Fuzzy Hash: 45fc9b367a58b66d95989e1b5473957a43d274eb7bde1a450e933a78e09989aa
                                                                                                                                            • Instruction Fuzzy Hash: D8615632B042158FC7218FA88451A7ABFE6DFC5351B1C847ADA55CB291EF71DC11CBA2
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 4']q$4']q$tP]q$tP]q
                                                                                                                                            • API String ID: 0-3637193552
                                                                                                                                            • Opcode ID: 1f9722c0fe105e106ea6d7cf2c42ca4384c827c108d3164a2bbda242d4978b53
                                                                                                                                            • Instruction ID: 89985fea535716b0ede354ff8614608fc87e5ff182d138dcca41f39cd1dd362a
                                                                                                                                            • Opcode Fuzzy Hash: 1f9722c0fe105e106ea6d7cf2c42ca4384c827c108d3164a2bbda242d4978b53
                                                                                                                                            • Instruction Fuzzy Hash: E051AFB07043058FE714AFA8C844B6ABFA6EFC2714F2884EAD5548F295DE31DD45C3A1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 4']q$4']q$84kl$tP]q
                                                                                                                                            • API String ID: 0-3224892463
                                                                                                                                            • Opcode ID: 432ee8cce7e073fec36f51da936b4d0be0c56e146bd4771ea902959ff91ac3e3
                                                                                                                                            • Instruction ID: c89af54670de159409e864813bee20e26072dc15fe8dc45e398b973cf2fd8fd6
                                                                                                                                            • Opcode Fuzzy Hash: 432ee8cce7e073fec36f51da936b4d0be0c56e146bd4771ea902959ff91ac3e3
                                                                                                                                            • Instruction Fuzzy Hash: 585193F0A0120ADFEBA4BF18C484BAAB7F1EF85751F1580E6E8156B251C771EC88CB51
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 84kl$84kl$tP]q$tP]q
                                                                                                                                            • API String ID: 0-818060052
                                                                                                                                            • Opcode ID: 6d5e11ee68aea3f04cb5cc795ec7893184ba664eff6befeffdcf60e6a95499d4
                                                                                                                                            • Instruction ID: ffc2455e92faf770c913c5b5e3ebdf46edebd6b5bf709e6b3bd836a4fdfaed79
                                                                                                                                            • Opcode Fuzzy Hash: 6d5e11ee68aea3f04cb5cc795ec7893184ba664eff6befeffdcf60e6a95499d4
                                                                                                                                            • Instruction Fuzzy Hash: 444129F0A043459FD7619BA88850B26BFF5EF86304F2885EAD444CF292CE31EC45C7A2
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2645031552.0000000009ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09ED0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9ed0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 4']q$84kl$dfqq$tP]q
                                                                                                                                            • API String ID: 0-2197430562
                                                                                                                                            • Opcode ID: b6ef22ab5bc966d7b54f509ec100e821bca5d78ea4ed8fc8f06149493d85a9c5
                                                                                                                                            • Instruction ID: daddd2ef5fa028deb5b6e0f3ea91649a8c987dea48c0a8ecff857570224a0bd7
                                                                                                                                            • Opcode Fuzzy Hash: b6ef22ab5bc966d7b54f509ec100e821bca5d78ea4ed8fc8f06149493d85a9c5
                                                                                                                                            • Instruction Fuzzy Hash: 7141C634B02204EBDB648F59C58DB69B7E2BF84758F18D4ADE8456F250C731ED42CB91
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2556295284.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_4c90000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: m^$m^$m^$m^
                                                                                                                                            • API String ID: 0-3502344340
                                                                                                                                            • Opcode ID: f8f2c3e1d62def97160ed0f1902b8c710c63f98188e1b4d9082da68d444c8a37
                                                                                                                                            • Instruction ID: 5e20d294bc8c7126b0788b2a8ee9a697ed6166079b3f2324fff0c633671831d9
                                                                                                                                            • Opcode Fuzzy Hash: f8f2c3e1d62def97160ed0f1902b8c710c63f98188e1b4d9082da68d444c8a37
                                                                                                                                            • Instruction Fuzzy Hash: 9E31AFE2E0D3C15FD7024A299CAA7D13F60BF22285F5A40D6C8C44F0E3FC59585ACB96
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2556295284.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_4c90000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: m^$m^$m^$m^
                                                                                                                                            • API String ID: 0-3502344340
                                                                                                                                            • Opcode ID: 36bd23bdb5a831aa49bd50e4f27933773beca5ce92b728860976ac241ab6eddf
                                                                                                                                            • Instruction ID: 1fcbe233e623c1a3a8cbae500e017f65280c42e867a04a046744285bef2a51e5
                                                                                                                                            • Opcode Fuzzy Hash: 36bd23bdb5a831aa49bd50e4f27933773beca5ce92b728860976ac241ab6eddf
                                                                                                                                            • Instruction Fuzzy Hash: D9214FD1A8D3D15FDB069A285DE97C03F60BF62295F4A4093D4C44F0E3EDA4980AC756
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646342689.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f40000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: `$`$`$`
                                                                                                                                            • API String ID: 0-2287037162
                                                                                                                                            • Opcode ID: 1c31cb3fbe2b688e4e39c8dea14a97d7949f90c31cd82a3a83e461487cb9b5f1
                                                                                                                                            • Instruction ID: af103f93aca74ab6a26015d03096383a38672b3e2c6390ef2180a77a5acb4298
                                                                                                                                            • Opcode Fuzzy Hash: 1c31cb3fbe2b688e4e39c8dea14a97d7949f90c31cd82a3a83e461487cb9b5f1
                                                                                                                                            • Instruction Fuzzy Hash: 08213E33B0026487DF249D69D8803AAF7EAEBC5314F0484BEDA0E97291DB719E55C791
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2645031552.0000000009ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09ED0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9ed0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 84kl$h3$tP]q$c]q
                                                                                                                                            • API String ID: 0-1900870541
                                                                                                                                            • Opcode ID: f3533bb2bfcd481e8f2be6011035a8e064a3048f9bf3e8ccdc8fb87c9a56664d
                                                                                                                                            • Instruction ID: d7219b6e924814f289fd5621c90f84ef8a2258a3b1fa7e6ad344dc2f21562e20
                                                                                                                                            • Opcode Fuzzy Hash: f3533bb2bfcd481e8f2be6011035a8e064a3048f9bf3e8ccdc8fb87c9a56664d
                                                                                                                                            • Instruction Fuzzy Hash: FC21D231A01215DBCB348E59C981B6AF7E2AF44794F18C529E7256B341C772DC43C7A1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2646342689.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_9f40000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: `$`$`$`
                                                                                                                                            • API String ID: 0-2287037162
                                                                                                                                            • Opcode ID: ea00a933fd13be5aa492ac53fc52a1a900e037434fc8e048d266b1c381dc37ee
                                                                                                                                            • Instruction ID: 92f69065da42fedf472f7fbed65f82f1bdfb3301523c473b4dcdf12e9f1134c0
                                                                                                                                            • Opcode Fuzzy Hash: ea00a933fd13be5aa492ac53fc52a1a900e037434fc8e048d266b1c381dc37ee
                                                                                                                                            • Instruction Fuzzy Hash: 66112B319043944FDF268E6088903A5BFF9AF82300F0614FBC50ADB1A1C7781E89C762
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: `Q]q$`Q]q$`Q]q$dDaq
                                                                                                                                            • API String ID: 0-2299005101
                                                                                                                                            • Opcode ID: 0d0326adaf91b95f367713a5e516f01195b690b73d3806063258eb48649b982a
                                                                                                                                            • Instruction ID: 2d10f0c4315cb93939aef6de467c5408852ba963fdaf919ad9240826e6497f83
                                                                                                                                            • Opcode Fuzzy Hash: 0d0326adaf91b95f367713a5e516f01195b690b73d3806063258eb48649b982a
                                                                                                                                            • Instruction Fuzzy Hash: 1201F2F6300A0FAB6BA43D6B8180637A7E9EBCA76175980B7984DC32C4DA31C844C361
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 4']q$4']q$$]q$$]q
                                                                                                                                            • API String ID: 0-978391646
                                                                                                                                            • Opcode ID: 3fde86eb69cdeaef1c8e96530b5d1e50c2be9687291fe97d9de8cc63b65c6a37
                                                                                                                                            • Instruction ID: 21f633e810158cac0ef8b8fa817eef03fc066e0033b3a1013e3054807861c705
                                                                                                                                            • Opcode Fuzzy Hash: 3fde86eb69cdeaef1c8e96530b5d1e50c2be9687291fe97d9de8cc63b65c6a37
                                                                                                                                            • Instruction Fuzzy Hash: B001A77170D3924FE76B2A6818606656FB59FC3A5072A05E7C480CB397C9558C09C3A7
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.2604103683.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_7b80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: onl$ onl$Lml$Lml
                                                                                                                                            • API String ID: 0-3054368033

                                                                                                                                            Execution Graph

                                                                                                                                            Execution Coverage:40.2%
                                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                                            Signature Coverage:1%
                                                                                                                                            Total number of Nodes:196
                                                                                                                                            Total number of Limit Nodes:8


                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000D.00000002.3282809981.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000D.00000002.3282655789.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3282961541.0000000000404000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283113606.0000000000405000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283229357.0000000000406000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_F43.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Text$Color$CreateWindow$Proc$CommandFontFreeHandleLibraryLineLoadMenuModule$AddressBitmapCharsetErrorInfoLastLocaleObjectSelect
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1586701277-0

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,80000000,00000000), ref: 00402F82
                                                                                                                                            • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00010000,00001000,00000004), ref: 00402FDB
                                                                                                                                            • WriteFile.KERNELBASE(000000FF,00000000,00010000,00010000,00000000), ref: 0040305F
                                                                                                                                            • SetFilePointerEx.KERNELBASE(000000FF,00010000,?,00000000,00000001), ref: 0040307E
                                                                                                                                            • SetFilePointerEx.KERNELBASE(000000FF,00010000,00000000,00000000,00000000,?,00000000,00000001), ref: 004030B3
                                                                                                                                            • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00010000,00008000,?,00000000,00000001), ref: 004030E4
                                                                                                                                            • NtClose.NTDLL(000000FF,?,00000000,00000001), ref: 004030FC
                                                                                                                                            • DeleteFileW.KERNELBASE(?,?,00000000,00000001), ref: 00403118
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000D.00000002.3282809981.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000D.00000002.3282655789.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3282961541.0000000000404000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283113606.0000000000405000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283229357.0000000000406000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_F43.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$MemoryPointerVirtual$AllocateCloseCreateDeleteFreeWrite
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 590822095-0

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 004032FB
                                                                                                                                            • GetDiskFreeSpaceW.KERNELBASE(?,?,?,00000000,00000000), ref: 00403313
                                                                                                                                            • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000,?), ref: 00403332
                                                                                                                                            • GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00403375
                                                                                                                                            • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000), ref: 00403398
                                                                                                                                            • DeviceIoControl.KERNELBASE(000000FF,0009C040,00000000,00000002,00000000,00000000,?,00000000), ref: 004033CD
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000D.00000002.3282809981.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000D.00000002.3282655789.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3282961541.0000000000404000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283113606.0000000000405000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283229357.0000000000406000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_F43.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: DiskFileFreeSpace$ControlCreateDeviceNamePriorityTempThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2011835681-0

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • FindFirstFileExW.KERNELBASE(C:\Windows\System32\*.dll,00000000,?,00000000,00000000,00000000), ref: 00401601
                                                                                                                                            • FindClose.KERNELBASE(000000FF,?,00000000), ref: 0040162D
                                                                                                                                            • FindNextFileW.KERNELBASE(000000FF,?,?,00000000), ref: 00401653
                                                                                                                                            • FindClose.KERNEL32(000000FF), ref: 00401660
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000D.00000002.3282809981.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000D.00000002.3282655789.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3282961541.0000000000404000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283113606.0000000000405000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283229357.0000000000406000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_F43.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Find$CloseFile$FirstNext
                                                                                                                                            • String ID: C:\Windows\System32\*.dll
                                                                                                                                            • API String ID: 1164774033-1305136377

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 102 40362e-403671 call 403144 105 403673 102->105 106 403678-40368e GetLogicalDriveStringsW 102->106 107 403886-40388a 105->107 108 403690 106->108 109 403695-4036af 106->109 110 403898-40389b 107->110 111 40388c-403892 107->111 108->107 113 4036b1 109->113 114 4036b6-4036cd 109->114 111->110 113->107 116 4036d4-4036eb 114->116 117 4036cf 114->117 119 4036f2-40371a 116->119 120 4036ed 116->120 117->107 121 40371d-40372a GetDriveTypeW 119->121 120->107 122 403735-403749 call 40217c 121->122 123 40372c-40372f 121->123 129 40374c-40374f 122->129 123->122 124 4037ba-4037c0 123->124 124->121 125 4037c6-4037ca 124->125 127 403809-40381a 125->127 128 4037cc-4037d2 125->128 130 40381c-40382b 127->130 131 40381e-403829 Sleep 127->131 132 4037d5-4037d8 128->132 133 403751-403775 CreateThread 129->133 134 403755-403758 129->134 140 40382e-403831 130->140 131->127 136 4037da-4037db 132->136 137 4037dc-4037de 132->137 133->124 139 403777-40378b 133->139 134->129 136->137 137->132 141 4037e0-4037f6 137->141 139->124 142 40378d-4037b7 139->142 143 403833-403854 140->143 144 403835-40384e 140->144 147 4037f9-403807 NtClose 141->147 142->124 150 403862-403866 143->150 151 403856-40385c 143->151 144->140 147->127 147->147 152 403874-403878 150->152 153 403868-40386e 150->153 151->150 152->107 154 40387a-403880 152->154 153->152 154->107
                                                                                                                                            APIs
                                                                                                                                            • GetLogicalDriveStringsW.KERNELBASE(00000068,?), ref: 00403687
                                                                                                                                            Similarity
                                                                                                                                            • API ID: DriveLogicalStrings
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2022863570-0

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 179 402760-402795 CreateFileW 180 4027f0-4027f4 179->180 181 402797-4027a9 179->181 182 402802-40280b 180->182 183 4027f6-4027ff NtClose 180->183 181->180 185 4027ab-4027be call 4020bc 181->185 183->182 185->180 187 4027c0-4027d8 ReadFile 185->187 188 4027e4-4027ea 187->188 189 4027da-4027e2 187->189 188->180 189->180
                                                                                                                                            APIs
                                                                                                                                            • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040278B
                                                                                                                                            • ReadFile.KERNELBASE(000000FF,00000000,00000000,00000000,00000000), ref: 004027D3
                                                                                                                                            • NtClose.NTDLL(000000FF), ref: 004027FF
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$CloseCreateRead
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1419693385-0

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 191 40286c-4028b9 NtSetInformationProcess * 3
                                                                                                                                            APIs
                                                                                                                                            • NtSetInformationProcess.NTDLL(000000FF,00000021,?,00000004), ref: 00402888
                                                                                                                                            • NtSetInformationProcess.NTDLL(000000FF,00000012,00000000,00000002,?,00000004), ref: 0040289D
                                                                                                                                            • NtSetInformationProcess.NTDLL(000000FF,0000000C,00000000,00000004,?,00000004), ref: 004028B5
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InformationProcess
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1801817001-0

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 192 401dc2-401df0 194 401e21-401e27 192->194 195 401df2-401e10 NtProtectVirtualMemory 192->195 195->194 196 401e12-401e1f 195->196 196->194
                                                                                                                                            APIs
                                                                                                                                            • NtProtectVirtualMemory.NTDLL(000000FF,00000000,00000020,00000040,?), ref: 00401E0B
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MemoryProtectVirtual
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2706961497-3916222277

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 289 4016b4-4016c9 290 401859-401862 289->290 291 4016cf-4016d6 289->291 292 4016f5-401729 NtAllocateVirtualMemory 291->292 293 4016d8-4016f0 call 401000 291->293 292->290 295 40172f-40174c NtAllocateVirtualMemory 292->295 293->292 295->290 297 401752-40175a call 40152c 295->297 299 40175f-401761 297->299 299->290 300 401767-40176d 299->300 301 401774-401781 call 401000 300->301 302 40176f 300->302 305 401851-401854 301->305 306 401787-401798 call 401e78 301->306 302->290 305->300 309 4017c9-4017cc 306->309 310 40179a-4017c4 call 401e78 306->310 312 4017fa-4017fd 309->312 313 4017ce-4017f8 call 401e78 309->313 310->305 316 401815-401818 312->316 317 4017ff-401813 312->317 313->305 318 401830-401833 316->318 319 40181a-40182e 316->319 317->305 318->305 321 401835-40184b 318->321 319->305 321->305
                                                                                                                                            APIs
                                                                                                                                            • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00103000,00000040), ref: 0040171F
                                                                                                                                            • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000000,00103000,00000004), ref: 00401742
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AllocateMemoryVirtual
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2167126740-0
                                                                                                                                            APIs
                                                                                                                                            • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 004022A4
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FileFindFirst
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1974802433-0
                                                                                                                                            APIs
                                                                                                                                            • NtSetInformationThread.NTDLL(00000000,?,00000000,00000000), ref: 00401DBB
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InformationThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4046476035-0
                                                                                                                                            • Opcode ID: 2ec57d8305034ae4dcd04f6f280aec29aa5e37325b0f502564d07dd60a6e8475
                                                                                                                                            • Instruction ID: 482b214da63c1bafeb7c1bb62a0bbbc62c262419b9af6fea3894fce228737229
                                                                                                                                            • Opcode Fuzzy Hash: 2ec57d8305034ae4dcd04f6f280aec29aa5e37325b0f502564d07dd60a6e8475
                                                                                                                                            • Instruction Fuzzy Hash: FEE05E329A020DAFD710DB50DC45FBB376DEB55311F508236B5029A1E0D6B8F891DA98

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 159 4032e4-4033a2 SetThreadPriority GetDiskFreeSpaceW GetDiskFreeSpaceExW GetTempFileNameW CreateFileW 162 4033a4 159->162 163 4033a9-4033ed DeviceIoControl call 403258 159->163 164 40346f-403472 162->164 166 4033fd-403415 CreateIoCompletionPort 163->166 167 4033ef-4033fb 163->167 168 403417-40342d 166->168 169 40342f-403447 166->169 167->164 168->164 173 403461-403467 169->173 174 403449-40345f 169->174 173->164 174->164
                                                                                                                                            APIs
                                                                                                                                            • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 004032FB
                                                                                                                                            • GetDiskFreeSpaceW.KERNELBASE(?,?,?,00000000,00000000), ref: 00403313
                                                                                                                                            • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000,?), ref: 00403332
                                                                                                                                            • GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00403375
                                                                                                                                            • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000), ref: 00403398
                                                                                                                                            • DeviceIoControl.KERNELBASE(000000FF,0009C040,00000000,00000002,00000000,00000000,?,00000000), ref: 004033CD
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000D.00000002.3282809981.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000D.00000002.3282655789.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3282961541.0000000000404000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283113606.0000000000405000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283229357.0000000000406000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_F43.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: DiskFileFreeSpace$ControlCreateDeviceNamePriorityTempThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2011835681-0
                                                                                                                                            • Opcode ID: 2bb202560a6aa134e71a635a3921368a9451dbb9fce4d81eab453209c020e30b
                                                                                                                                            • Instruction ID: db71fdc1c22404a5b670ef955f883ff194a6135e3213665c05072d4c5e51ce30
                                                                                                                                            • Opcode Fuzzy Hash: 2bb202560a6aa134e71a635a3921368a9451dbb9fce4d81eab453209c020e30b
                                                                                                                                            • Instruction Fuzzy Hash: 3621F871901209AFDB10DF94DD45F9EBBB9FF08710F208265F610BA2A1D770AA41CF94

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 197 401b70-401b9f RtlCreateHeap 198 401ba1 197->198 199 401ba6-401bc4 RtlCreateHeap 197->199 200 401d8a-401d90 198->200 201 401bc6 199->201 202 401bcb-401be7 199->202 201->200 204 401be9 202->204 205 401bee-401c05 call 401a40 202->205 204->200 208 401c07 205->208 209 401c0c-401c3d 205->209 208->200 212 401c44-401c5b call 401a40 209->212 213 401c3f 209->213 216 401c62-401c93 212->216 217 401c5d 212->217 213->200 220 401c95 216->220 221 401c9a-401cb1 call 401a40 216->221 217->200 220->200 224 401cb3 221->224 225 401cb8-401ce9 221->225 224->200 228 401cf0-401d07 call 401a40 225->228 229 401ceb 225->229 232 401d09 228->232 233 401d0b-401d3c 228->233 229->200 232->200 236 401d40-401d57 call 401a40 233->236 237 401d3e 233->237 240 401d59 236->240 241 401d5b-401d80 call 401d94 call 401dc2 236->241 237->200 240->200 244 401d83 241->244 244->200
                                                                                                                                            APIs
                                                                                                                                            • RtlCreateHeap.NTDLL(00001002,00000000,00000000,00000000,00000000,00000000), ref: 00401B96
                                                                                                                                            • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000), ref: 00401BBB
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000D.00000002.3282809981.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000D.00000002.3282655789.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3282961541.0000000000404000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283113606.0000000000405000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283229357.0000000000406000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_F43.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateHeap
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 10892065-0
                                                                                                                                            • Opcode ID: 453bda9d08a0096fe53e6a5bcc4a475ef93f8d776735eeddf63228c397926240
                                                                                                                                            • Instruction ID: eac1ce902914894448f3c06d12ced00cbe17960004271ddceb971b2a38276b5e
                                                                                                                                            • Opcode Fuzzy Hash: 453bda9d08a0096fe53e6a5bcc4a475ef93f8d776735eeddf63228c397926240
                                                                                                                                            • Instruction Fuzzy Hash: 34513034A80A04FBD7109B60ED09B5B7770FF18701F2086BAE6117A2F1D775A5859F8D

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 247 403478-403488 SetThreadPriority 248 40348b-4034ad 247->248 250 4034b3-4034b5 248->250 251 4034af-4034b2 248->251 252 4034b7-4034bf 250->252 253 4034e8-4034ee 250->253 252->253 256 4034c1 252->256 254 4034f0-403513 WriteFile 253->254 255 403533-403535 253->255 257 403515-403520 254->257 258 40352e 254->258 259 4035d4-4035d7 255->259 260 40353b-40354f 255->260 261 4034c8-4034e0 256->261 257->258 262 403522-40352a 257->262 263 403629 258->263 259->263 266 4035d9-403625 259->266 264 403551-403561 260->264 265 403598-40359c 260->265 273 4034e2-4034e6 261->273 274 4034e4 261->274 262->258 270 40352c 262->270 263->248 271 403563-40356a 264->271 272 40356c-40358f 264->272 268 4035ad 265->268 269 40359e-4035a2 265->269 266->263 276 4035b4-4035cc 268->276 269->268 275 4035a4-4035ab 269->275 270->256 277 403596 271->277 272->277 273->248 274->261 275->276 283 4035d0 276->283 284 4035ce-4035d2 276->284 277->276 283->276 284->263
                                                                                                                                            APIs
                                                                                                                                            • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 00403488
                                                                                                                                            • WriteFile.KERNELBASE(?,?,?,?,?), ref: 0040350E
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000D.00000002.3282809981.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000D.00000002.3282655789.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3282961541.0000000000404000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283113606.0000000000405000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283229357.0000000000406000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_F43.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FilePriorityThreadWrite
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3596769661-0
                                                                                                                                            • Opcode ID: 0fcde9d867e2c8e00a33e5a4b04594799b7cacc31207ed4f9c9132c7825b27dd
                                                                                                                                            • Instruction ID: 02d7b4ff8a3576d09fe5cde13513df6eb5b6ce77b27be8b8a28bc97f0a3a62b9
                                                                                                                                            • Opcode Fuzzy Hash: 0fcde9d867e2c8e00a33e5a4b04594799b7cacc31207ed4f9c9132c7825b27dd
                                                                                                                                            • Instruction Fuzzy Hash: E75128B1101601EBDB10CF50DD84B577BB8FF08305F2052AAE905AE2A6D379DE95CF89

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 322 4026c0-4026e5 call 4024f8 324 402730-402734 322->324 325 4026e7-402709 CreateFileW 322->325 327 402742-402746 324->327 328 402736-40273c 324->328 325->324 326 40270b-402727 ReadFile 325->326 326->324 329 402729 326->329 330 402754-40275a 327->330 331 402748-40274e 327->331 328->327 329->324 331->330
                                                                                                                                            APIs
                                                                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004026FF
                                                                                                                                            • ReadFile.KERNELBASE(000000FF,000000FF,0000021C,?,00000000), ref: 00402722
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000D.00000002.3282809981.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000D.00000002.3282655789.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3282961541.0000000000404000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283113606.0000000000405000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283229357.0000000000406000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_F43.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$CreateRead
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3388366904-0
                                                                                                                                            • Opcode ID: 64d441af2ae5f8cd80c02da2bb5cacaba4a8c0a7bb8fd120945ed4e9a720f5dc
                                                                                                                                            • Instruction ID: dec784d2d3492f4c007a4c80bb83cd8b4abde05e7af7cfb80cb91198c32a9eba
                                                                                                                                            • Opcode Fuzzy Hash: 64d441af2ae5f8cd80c02da2bb5cacaba4a8c0a7bb8fd120945ed4e9a720f5dc
                                                                                                                                            • Instruction Fuzzy Hash: 7511D774910209EFDB10DF94DD48B9FBBB5FB08311F2046A9A524B62E1D7B15A91CF84

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 333 401a40-401a5a 334 401a5d-401a77 RtlAllocateHeap 333->334 335 401a85-401a94 call 401e78 334->335 336 401a79-401a82 334->336 339 401ac5-401ac8 335->339 340 401a96-401ac0 call 401e78 335->340 342 401af6-401af9 339->342 343 401aca-401af4 call 401e78 339->343 348 401b4d-401b55 340->348 346 401b11-401b14 342->346 347 401afb-401b0f 342->347 343->348 350 401b16-401b2a 346->350 351 401b2c-401b2f 346->351 347->348 348->334 352 401b5b-401b6b 348->352 350->348 351->348 353 401b31-401b47 351->353 353->348
                                                                                                                                            APIs
                                                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000008,00000010), ref: 00401A6D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000D.00000002.3282809981.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000D.00000002.3282655789.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3282961541.0000000000404000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283113606.0000000000405000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283229357.0000000000406000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_F43.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AllocateHeap
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1279760036-0
                                                                                                                                            • Opcode ID: 3090814481001f51fad53404be7bb9f089635e5ecf5702693e45b6397da5dce2
                                                                                                                                            • Instruction ID: 68c0462a3af62cc3e50a8e225ecc1fff045641083c52707b2e4de1a33f1d8fac
                                                                                                                                            • Opcode Fuzzy Hash: 3090814481001f51fad53404be7bb9f089635e5ecf5702693e45b6397da5dce2
                                                                                                                                            • Instruction Fuzzy Hash: 9F316935A14308DFDB10CF99C488E99F7F1BF24320F15D0AAD508AB2B2D7B59950DB4A

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 354 402e10-402e35 356 402e37 354->356 357 402e39-402e4e 354->357 358 402eab-402eb7 356->358 362 402e50 357->362 363 402e52-402e57 357->363 359 402ec5-402eca 358->359 360 402eb9-402ebf 358->360 360->359 362->358 364 402e5c-402e6d 363->364 366 402e70-402e7a 364->366 366->366 367 402e7c-402e8f MoveFileExW 366->367 368 402e91 367->368 369 402e93-402ea9 367->369 368->358 369->358 369->364
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000D.00000002.3282809981.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000D.00000002.3282655789.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3282961541.0000000000404000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283113606.0000000000405000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                            • Associated: 0000000D.00000002.3283229357.0000000000406000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_F43.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            APIs
                                                                                                                                            • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 00402227
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateDirectory
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4241100979-0
                                                                                                                                            APIs
                                                                                                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00003478,00000000,00000000,00000000), ref: 004031A2
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2422867632-0
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            APIs
                                                                                                                                            • LdrLoadDll.NTDLL(00000000,00000000,00000000,?), ref: 004014C4
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Load
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2234796835-0
                                                                                                                                            APIs
                                                                                                                                            • RtlAdjustPrivilege.NTDLL(?,00000001,00000000,00000000), ref: 00402861
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AdjustPrivilege
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3260937286-0
                                                                                                                                            APIs
                                                                                                                                            • RtlAllocateHeap.NTDLL(?,00000008,?), ref: 004020D7
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AllocateHeap
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1279760036-0